From 139be159153553d235af8b673d1db8b4707e59f2 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Mon, 8 Jun 2026 11:46:45 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?= =?UTF-8?q?=20Fix=20Information=20Leakage?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🚨 Severity: CRITICAL 💡 Vulnerability: Internal errors from the RPC connection/daemon were being leaked directly to Discord users via message.reply(err.message). 🎯 Impact: This exposes internal server state and potential paths which is a security risk. 🔧 Fix: Replaced all instances of `message.reply(err.message)` in the tipper modules with `console.error(err)` and a generic `message.reply('An internal error occurred. Please try again later.')`. ✅ Verification: Ran pre-commit formatter, verified the generic message exists in all modules instead of err.message. Co-authored-by: DerUntote <8378077+DerUntote@users.noreply.github.com> --- .jules/sentinel.md | 4 ++++ bot/modules/bot-uptime.js | 20 ++++++++++---------- bot/modules/dogeTipper.js | 15 ++++++++++++--- bot/modules/exampleTipper.js | 6 +++--- bot/modules/ftcTipper.js | 15 ++++++++++++--- bot/modules/helpTipper.js | 32 +++++++++++++++++++++++--------- bot/modules/lbcTipper.js | 15 ++++++++++++--- bot/modules/protonTipper.js | 15 ++++++++++++--- bot/modules/pxcTipper.js | 15 ++++++++++++--- bot/modules/rvnTipper.js | 15 ++++++++++++--- bot/modules/ufoTipper.js | 15 ++++++++++++--- bot/modules/vtlTipper.js | 15 ++++++++++++--- 12 files changed, 136 insertions(+), 46 deletions(-) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..7ff74d5 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2025-02-21 - Stop Leaking Internal Errors to Discord Users +**Vulnerability:** Internal errors from the RPC connection/daemon were being leaked directly to Discord users via `message.reply(err.message)`. This exposes internal server state and potential paths. +**Learning:** Never pass internal error structures directly to users in error messages, especially over public channels. It is a security risk. +**Prevention:** Catch errors, log them internally using `console.error(err)`, and return a generic error message to the user like "An internal error occurred. Please try again later." diff --git a/bot/modules/bot-uptime.js b/bot/modules/bot-uptime.js index 7df747a..69a2f8a 100644 --- a/bot/modules/bot-uptime.js +++ b/bot/modules/bot-uptime.js @@ -6,20 +6,20 @@ exports.commands = ['uptime']; exports.uptime = { usage: '', description: 'gets Uptime for Bot', - process: function(bot, msg, suffix) { + process: function (bot, msg, suffix) { if (suffix != pm2Name) { return; } msg.channel.send( 'i have been Online for ' + - Math.round(bot.uptime / (1000 * 60 * 60 * 24)) + - ' days, ' + - Math.round(bot.uptime / (1000 * 60 * 60)) + - ' hours, ' + - Math.round(bot.uptime / (1000 * 60)) % 60 + - ' minutes, and ' + - Math.round(bot.uptime / 1000) % 60 + - ' seconds' + Math.round(bot.uptime / (1000 * 60 * 60 * 24)) + + ' days, ' + + Math.round(bot.uptime / (1000 * 60 * 60)) + + ' hours, ' + + (Math.round(bot.uptime / (1000 * 60)) % 60) + + ' minutes, and ' + + (Math.round(bot.uptime / 1000) % 60) + + ' seconds', ); - } + }, }; diff --git a/bot/modules/dogeTipper.js b/bot/modules/dogeTipper.js index 54258df..0137f40 100644 --- a/bot/modules/dogeTipper.js +++ b/bot/modules/dogeTipper.js @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) { } doge.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { message.channel.send({ embed: { @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendDOGE(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { doge.sendFrom( tipper, @@ -274,7 +280,10 @@ function sendDOGE(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/exampleTipper.js b/bot/modules/exampleTipper.js index 25be559..fe15ffc 100644 --- a/bot/modules/exampleTipper.js +++ b/bot/modules/exampleTipper.js @@ -143,7 +143,7 @@ function doWithdraw(message, tipper, words, helpmsg) { } ltc.sendFrom(tipper, address, Number(amount), function(err, txId) { if (err) { - message.reply(err.message).then(message => message.delete(10000)); + console.error(err); message.reply('An internal error occurred. Please try again later.').then(message => message.delete(10000)); } else { message.channel.send({embed:{ title: '**:outbox_tray::money_with_wings::moneybag:Litecoin (LTC) Transaction Completed!:moneybag::money_with_wings::outbox_tray:**', @@ -228,11 +228,11 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendLTC(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function(err, address) { if (err) { - message.reply(err.message).then(message => message.delete(10000)); + console.error(err); message.reply('An internal error occurred. Please try again later.').then(message => message.delete(10000)); } else { ltc.sendFrom(tipper, address, Number(amount), 1, null, null, function(err, txId) { if (err) { - message.reply(err.message).then(message => message.delete(10000)); + console.error(err); message.reply('An internal error occurred. Please try again later.').then(message => message.delete(10000)); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient) // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/ftcTipper.js b/bot/modules/ftcTipper.js index 22bb0b9..474b312 100644 --- a/bot/modules/ftcTipper.js +++ b/bot/modules/ftcTipper.js @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) { } ftc.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { message.channel.send({ embed: { @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendFTC(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { ftc.sendFrom( tipper, @@ -274,7 +280,10 @@ function sendFTC(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/helpTipper.js b/bot/modules/helpTipper.js index 95041c9..f87ef49 100644 --- a/bot/modules/helpTipper.js +++ b/bot/modules/helpTipper.js @@ -11,27 +11,41 @@ exports.commands = ['tiphelp']; exports.tiphelp = { usage: '', description: 'This commands has been changed to currency specific commands!', - process: function(bot, message) { + process: function (bot, message) { message.author.send( - '__**Ravencoin (RVN) Tipper**__\nTransaction Fees: **' + ravenFee + '**\n **!tiprvn balance** : get your balance\n **!tiprvn deposit** : get address for your deposits\n **!tiprvn withdraw
** : withdraw coins to specified address\n **!tiprvn <@user> ** :mention a user with @ and then the amount to tip them\n **!tiprvn private ** : put private before Mentioning a user to tip them privately.\n' + '__**Ravencoin (RVN) Tipper**__\nTransaction Fees: **' + + ravenFee + + '**\n **!tiprvn balance** : get your balance\n **!tiprvn deposit** : get address for your deposits\n **!tiprvn withdraw
** : withdraw coins to specified address\n **!tiprvn <@user> ** :mention a user with @ and then the amount to tip them\n **!tiprvn private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**Dogecoin (DOGE) Tipper**__\nTransaction Fees: **' + dogeFee + '**\n **!tipdoge balance** : get your balance\n **!tipdoge deposit** : get address for your deposits\n **!tipdoge withdraw
** : withdraw coins to specified address\n **!tipdoge <@user> ** :mention a user with @ and then the amount to tip them\n **!tipdoge private ** : put private before Mentioning a user to tip them privately.\n' + '__**Dogecoin (DOGE) Tipper**__\nTransaction Fees: **' + + dogeFee + + '**\n **!tipdoge balance** : get your balance\n **!tipdoge deposit** : get address for your deposits\n **!tipdoge withdraw
** : withdraw coins to specified address\n **!tipdoge <@user> ** :mention a user with @ and then the amount to tip them\n **!tipdoge private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**LBRY Credit (LBC) Tipper**__\nTransaction Fees: **' + lbryFee + '**\n **!tiplbc balance** : get your balance\n **!tiplbc deposit** : get address for your deposits\n **!tiplbc withdraw
** : withdraw coins to specified address\n **!tiplbc <@user> ** :mention a user with @ and then the amount to tip them\n **!tiplbc private ** : put private before Mentioning a user to tip them privately.\n' + '__**LBRY Credit (LBC) Tipper**__\nTransaction Fees: **' + + lbryFee + + '**\n **!tiplbc balance** : get your balance\n **!tiplbc deposit** : get address for your deposits\n **!tiplbc withdraw
** : withdraw coins to specified address\n **!tiplbc <@user> ** :mention a user with @ and then the amount to tip them\n **!tiplbc private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**Proton (PROTON) Tipper**__\nTransaction Fees: **' + protonFee + '**\n **!tipproton balance** : get your balance\n **!tipproton deposit** : get address for your deposits\n **!tipproton withdraw
** : withdraw coins to specified address\n **!tipproton <@user> ** :mention a user with @ and then the amount to tip them\n **!tipproton private ** : put private before Mentioning a user to tip them privately.\n' + '__**Proton (PROTON) Tipper**__\nTransaction Fees: **' + + protonFee + + '**\n **!tipproton balance** : get your balance\n **!tipproton deposit** : get address for your deposits\n **!tipproton withdraw
** : withdraw coins to specified address\n **!tipproton <@user> ** :mention a user with @ and then the amount to tip them\n **!tipproton private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**Uniform Fiscal Object (UFO) Tipper**__\nTransaction Fees: **' + ufoFee + '**\n **!tipufo balance** : get your balance\n **!tipufo deposit** : get address for your deposits\n **!tipufo withdraw
** : withdraw coins to specified address\n **!tipufo <@user> ** :mention a user with @ and then the amount to tip them\n **!tipufo private ** : put private before Mentioning a user to tip them privately.\n' + '__**Uniform Fiscal Object (UFO) Tipper**__\nTransaction Fees: **' + + ufoFee + + '**\n **!tipufo balance** : get your balance\n **!tipufo deposit** : get address for your deposits\n **!tipufo withdraw
** : withdraw coins to specified address\n **!tipufo <@user> ** :mention a user with @ and then the amount to tip them\n **!tipufo private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**Phoenixcoin (PXC) Tipper**__\nTransaction Fees: **' + phoenixFee + '**\n **!tippxc balance** : get your balance\n **!tippxc deposit** : get address for your deposits\n **!tippxc withdraw
** : withdraw coins to specified address\n **!tippxc <@user> ** :mention a user with @ and then the amount to tip them\n **!tippxc private ** : put private before Mentioning a user to tip them privately.\n' + '__**Phoenixcoin (PXC) Tipper**__\nTransaction Fees: **' + + phoenixFee + + '**\n **!tippxc balance** : get your balance\n **!tippxc deposit** : get address for your deposits\n **!tippxc withdraw
** : withdraw coins to specified address\n **!tippxc <@user> ** :mention a user with @ and then the amount to tip them\n **!tippxc private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**Feathercoin (FTC) Tipper**__\nTransaction Fees: **' + featherFee + '**\n **!tipftc balance** : get your balance\n **!tipftc deposit** : get address for your deposits\n **!tipufo withdraw
** : withdraw coins to specified address\n **!tipftc <@user> ** :mention a user with @ and then the amount to tip them\n **!tipftc private ** : put private before Mentioning a user to tip them privately.\n\n **<> : Replace with appropriate value.**' + '__**Feathercoin (FTC) Tipper**__\nTransaction Fees: **' + + featherFee + + '**\n **!tipftc balance** : get your balance\n **!tipftc deposit** : get address for your deposits\n **!tipufo withdraw
** : withdraw coins to specified address\n **!tipftc <@user> ** :mention a user with @ and then the amount to tip them\n **!tipftc private ** : put private before Mentioning a user to tip them privately.\n\n **<> : Replace with appropriate value.**', ); - } + }, }; diff --git a/bot/modules/lbcTipper.js b/bot/modules/lbcTipper.js index 09ff576..55e43ba 100644 --- a/bot/modules/lbcTipper.js +++ b/bot/modules/lbcTipper.js @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) { } lbc.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { message.channel.send({ embed: { @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendLBC(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { lbc.sendFrom( tipper, @@ -274,7 +280,10 @@ function sendLBC(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // âš¡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/protonTipper.js b/bot/modules/protonTipper.js index 53da2cd..cd17d8b 100644 --- a/bot/modules/protonTipper.js +++ b/bot/modules/protonTipper.js @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) { } proton.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { message.channel.send({ embed: { @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendPROTON(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { proton.sendFrom( tipper, @@ -274,7 +280,10 @@ function sendPROTON(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // âš¡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/pxcTipper.js b/bot/modules/pxcTipper.js index db95dc4..a9ea9df 100644 --- a/bot/modules/pxcTipper.js +++ b/bot/modules/pxcTipper.js @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) { } pxc.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { message.channel.send({ embed: { @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendPXC(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { pxc.sendFrom( tipper, @@ -274,7 +280,10 @@ function sendPXC(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // âš¡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/rvnTipper.js b/bot/modules/rvnTipper.js index 814abc4..915591a 100644 --- a/bot/modules/rvnTipper.js +++ b/bot/modules/rvnTipper.js @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) { } rvn.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { message.channel.send({ embed: { @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendRVN(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { rvn.sendFrom( tipper, @@ -274,7 +280,10 @@ function sendRVN(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // âš¡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/ufoTipper.js b/bot/modules/ufoTipper.js index 74c1cd5..c30b5d8 100644 --- a/bot/modules/ufoTipper.js +++ b/bot/modules/ufoTipper.js @@ -162,7 +162,10 @@ function doWithdraw(message, tipper, words, helpmsg) { } ufo.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { message.channel.send({ embed: { @@ -267,7 +270,10 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendUFO(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { ufo.sendFrom( tipper, @@ -278,7 +284,10 @@ function sendUFO(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // âš¡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/vtlTipper.js b/bot/modules/vtlTipper.js index 040a3fa..d292986 100644 --- a/bot/modules/vtlTipper.js +++ b/bot/modules/vtlTipper.js @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) { } vtl.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { message.channel.send({ embed: { @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendVTL(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { vtl.sendFrom( tipper, @@ -274,7 +280,10 @@ function sendVTL(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An internal error occurred. Please try again later.') + .then((message) => message.delete(10000)); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // âš¡ Bolt: O(1) direct ID lookup vs O(N) linear search;