Fix !eval vulnerability of bot token being censored only once per eval #136
Conversation
| I'd argue against this pr. First off there's no situations I can think of where the token would accidentally, meaning you would have to purposely send the token twice. If a malicious actor had access this pr still doesn't stop them from getting the token. I could simply eval any one of the below to get the token. client.token.split('.') message.author.send(client.token)Furthermore this pushes the requirements of guide bot up to node.js v15 from v12. This is also higher than d.js v13's minimum version which is v14, and also this is a version that is not LTS meaning it won't be supported as long as other versions. If you did want to replace all instances you could simply use a global regex |
It's roughly equally as needed as the original feature. If anything, this just achieves what the original feature was probably intended to perform.
As I explain in the original post, I've created a separate helper function to not change the node requirement. It's a matter of preference whether you prefer content.replace(new RegExp(client.token, 'g'), 'whatever')or replaceAll(content, client.token, 'whatever'), so amend as per your preference |
2 participants
Please describe the changes this PR makes and why it should be merged, as well as any and all proof of successful tests:
Closes #135
Since
String.prototype.replaceAllis only available as of Node 15 and this bot requires Node 12, I've made my own helper function at the bottom of thefunctions.jsmodule.Refactor to your liking.
Semantic versioning classification: