Fix @mention code injection bug

When the bot receives an unknown command, it raises an error that echoes the first argument. This commit fixes the injection of mentions into that error string.
Bella | Nightshade 2019-06-27 02:40:13 +09:30
parent 15ccc4e27a
commit ac05c0d1fb


@ -11,6 +11,10 @@ from pluralkit.errors import PluralKitError
from pluralkit.member import Member
from pluralkit.system import System
def clean_mentions(name: str) -> str:
# Sanitizes all mentions so we don't run into code injection problems
return re.sub("(@)((?s).*)", "\\1\u200B\\2", name, flags=re.IGNORECASE)
def find_with_predicate(s: str, pred) -> int:
for i, v in enumerate(s):
if pred(v):
@ -215,7 +219,7 @@ async def command_root(ctx: CommandContext):
elif ctx.match("commands"):
await misc_commands.command_list(ctx)
else:
raise CommandError("Unknown command {}. For a list of commands, type `pk;commands`.".format(ctx.pop_str()))
raise CommandError("Unknown command {}. For a list of commands, type `pk;commands`.".format(clean_mentions(ctx.pop_str())))
async def run_command(ctx: CommandContext, func):
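Review bot: clean_mentions in the first hunk neutralises only the first `@` in its input, because the pattern `(@)((?s).*)` is greedy with DOTALL and consumes the rest of the string in a single match, so a constructed sample such as `@a @b` keeps its second mention intact. The mid-pattern `(?s)` is also a global inline flag that is not at the start of the expression, which Python has warned about since 3.6 and rejects with `re.error` from 3.11, and `re.IGNORECASE` has no effect on this pattern. Replacing every occurrence is simpler and needs no regex: `return name.replace("@", "@\u200b")`. Whether ctx.pop_str() can return a value holding more than one `@` is not visible in these hunks, and other CommandError messages that echo user input (outside this diff) may need the same call.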