Commando
Fixed critical token leak in eval command
Before, you could eval 'this.sensitivePattern' or 'this._sensitivePattern' to gain the token; now you can't, since the escaped prefix will also get replaced in the result message.
Above the green line is before the change, and under the green line is after the change.
I do not know why this isn't patched yet, but this is actually critical and I can confirm this issue exists. I hope the maintainer @1chiSensei fixes this.
@MatrixSystemPVP Although I was just informed that the eval command can only be used by a bot owner so technically this PR is actually not necessary
@anjannair Yes, the eval command can only be used by a bot owner, but still you could be forced by someone or somehow leak it accidentally. Things can happen that you didn't believe could ever happen. Since it's an easy fix, it shouldn't be a problem to merge this PR.
@MatrixSystemPVP I don't get how one can force you to run the eval comment. If forcing was so simple then they can even force you to reveal your token too. I guess the motive of this command to exist was to show the token.
@anjannair I don't know either how but everything is possible in this world
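The leak described in the pull request, modelled as an added example (this is not Commando's code and not the PR's diff): a redaction pattern built from the token only matches the raw token, so rendering the pattern itself exposes the regex-escaped token. All function names, the `--snip--` marker and the sample token are assumptions constructed for illustration.

```javascript
// Added illustration: hypothetical names, not Commando's source or the PR's diff.
const SAMPLE_TOKEN = 'AAAA.BBBB.CCCC'; // constructed value, not a real credential
const SNIP = '--snip--';               // assumed redaction marker

// Escape regex metacharacters so the token is matched literally.
function escapeRegex(str) {
  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// The object an eval caller could reach: a pattern built from the token.
function buildSensitivePattern(token) {
  return new RegExp(escapeRegex(token), 'gi');
}

// Stand-in for how an eval result is turned into message text.
function render(value) {
  return String(value); // a RegExp renders as /source/flags
}

// Before: only the raw token is replaced. The pattern's own source holds
// "AAAA\.BBBB\.CCCC", which the pattern does not match, so it passes through.
function redactBefore(value, token) {
  return render(value).replace(buildSensitivePattern(token), SNIP);
}

// After: the regex-escaped form of the token is replaced as well.
function redactAfter(value, token) {
  const escaped = escapeRegex(token);
  return render(value).split(escaped).join(SNIP).split(token).join(SNIP);
}

// Run both versions over a plain string and over the pattern object itself.
function demo() {
  const pattern = buildSensitivePattern(SAMPLE_TOKEN);
  return {
    plainBefore: redactBefore(`token=${SAMPLE_TOKEN}`, SAMPLE_TOKEN),
    plainAfter: redactAfter(`token=${SAMPLE_TOKEN}`, SAMPLE_TOKEN),
    patternBefore: redactBefore(pattern, SAMPLE_TOKEN),
    patternAfter: redactAfter(pattern, SAMPLE_TOKEN),
  };
}

console.log(demo());
```

A regression test for this kind of fix should render every object that is derived from the secret, not only strings that contain the secret verbatim.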