Skip to content

πŸ›‘οΈ Sentinel: [CRITICAL] Fix Information Leakage #40

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
DerUntote wants to merge 1 commit into
base: master
Choose a base branch
from
Open

πŸ›‘οΈ Sentinel: [CRITICAL] Fix Information Leakage #40

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .jules/sentinel.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
## 2025-02-21 - Stop Leaking Internal Errors to Discord Users
**Vulnerability:** Internal errors from the RPC connection/daemon were being leaked directly to Discord users via `message.reply(err.message)`. This exposes internal server state and potential paths.
**Learning:** Never pass internal error structures directly to users in error messages, especially over public channels. It is a security risk.
**Prevention:** Catch errors, log them internally using `console.error(err)`, and return a generic error message to the user like "An internal error occurred. Please try again later."
20 changes: 10 additions & 10 deletions bot/modules/bot-uptime.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,20 +6,20 @@ exports.commands = ['uptime'];
exports.uptime = {
usage: '',
description: 'gets Uptime for Bot',
process: function(bot, msg, suffix) {
process: function (bot, msg, suffix) {
if (suffix != pm2Name) {
return;
}
msg.channel.send(
'i have been Online for ' +
Math.round(bot.uptime / (1000 * 60 * 60 * 24)) +
' days, ' +
Math.round(bot.uptime / (1000 * 60 * 60)) +
' hours, ' +
Math.round(bot.uptime / (1000 * 60)) % 60 +
' minutes, and ' +
Math.round(bot.uptime / 1000) % 60 +
' seconds'
Math.round(bot.uptime / (1000 * 60 * 60 * 24)) +
' days, ' +
Math.round(bot.uptime / (1000 * 60 * 60)) +
' hours, ' +
(Math.round(bot.uptime / (1000 * 60)) % 60) +
' minutes, and ' +
(Math.round(bot.uptime / 1000) % 60) +
' seconds',
);
}
},
};
15 changes: 12 additions & 3 deletions bot/modules/dogeTipper.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
}
doge.sendFrom(tipper, address, Number(amount), function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
message.channel.send({
embed: {
Expand Down Expand Up @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
function sendDOGE(bot, message, tipper, recipient, amount, privacyFlag) {
getAddress(recipient.toString(), function (err, address) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
doge.sendFrom(
tipper,
Expand All @@ -274,7 +280,10 @@ function sendDOGE(bot, message, tipper, recipient, amount, privacyFlag) {
null,
function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
if (privacyFlag) {
let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;
Expand Down
6 changes: 3 additions & 3 deletions bot/modules/exampleTipper.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -143,7 +143,7 @@ function doWithdraw(message, tipper, words, helpmsg) {
}
ltc.sendFrom(tipper, address, Number(amount), function(err, txId) {
if (err) {
message.reply(err.message).then(message => message.delete(10000));
console.error(err); message.reply('An internal error occurred. Please try again later.').then(message => message.delete(10000));
} else {
message.channel.send({embed:{
title: '**:outbox_tray::money_with_wings::moneybag:Litecoin (LTC) Transaction Completed!:moneybag::money_with_wings::outbox_tray:**',
Expand Down Expand Up @@ -228,11 +228,11 @@ function doTip(bot, message, tipper, words, helpmsg) {
function sendLTC(bot, message, tipper, recipient, amount, privacyFlag) {
getAddress(recipient.toString(), function(err, address) {
if (err) {
message.reply(err.message).then(message => message.delete(10000));
console.error(err); message.reply('An internal error occurred. Please try again later.').then(message => message.delete(10000));
} else {
ltc.sendFrom(tipper, address, Number(amount), 1, null, null, function(err, txId) {
if (err) {
message.reply(err.message).then(message => message.delete(10000));
console.error(err); message.reply('An internal error occurred. Please try again later.').then(message => message.delete(10000));
} else {
if (privacyFlag) {
let userProfile = message.guild.members.get(recipient) // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;
Expand Down
15 changes: 12 additions & 3 deletions bot/modules/ftcTipper.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
}
ftc.sendFrom(tipper, address, Number(amount), function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
message.channel.send({
embed: {
Expand Down Expand Up @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
function sendFTC(bot, message, tipper, recipient, amount, privacyFlag) {
getAddress(recipient.toString(), function (err, address) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
ftc.sendFrom(
tipper,
Expand All @@ -274,7 +280,10 @@ function sendFTC(bot, message, tipper, recipient, amount, privacyFlag) {
null,
function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
if (privacyFlag) {
let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;
Expand Down
32 changes: 23 additions & 9 deletions bot/modules/helpTipper.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,27 +11,41 @@ exports.commands = ['tiphelp'];
exports.tiphelp = {
usage: '<subcommand>',
description: 'This commands has been changed to currency specific commands!',
process: function(bot, message) {
process: function (bot, message) {
message.author.send(
'__**Ravencoin (RVN) Tipper**__\nTransaction Fees: **' + ravenFee + '**\n **!tiprvn balance** : get your balance\n **!tiprvn deposit** : get address for your deposits\n **!tiprvn withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tiprvn <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tiprvn private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
'__**Ravencoin (RVN) Tipper**__\nTransaction Fees: **' +
ravenFee +
'**\n **!tiprvn balance** : get your balance\n **!tiprvn deposit** : get address for your deposits\n **!tiprvn withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tiprvn <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tiprvn private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
);
message.author.send(
'__**Dogecoin (DOGE) Tipper**__\nTransaction Fees: **' + dogeFee + '**\n **!tipdoge balance** : get your balance\n **!tipdoge deposit** : get address for your deposits\n **!tipdoge withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tipdoge <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tipdoge private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
'__**Dogecoin (DOGE) Tipper**__\nTransaction Fees: **' +
dogeFee +
'**\n **!tipdoge balance** : get your balance\n **!tipdoge deposit** : get address for your deposits\n **!tipdoge withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tipdoge <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tipdoge private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
);
message.author.send(
'__**LBRY Credit (LBC) Tipper**__\nTransaction Fees: **' + lbryFee + '**\n **!tiplbc balance** : get your balance\n **!tiplbc deposit** : get address for your deposits\n **!tiplbc withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tiplbc <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tiplbc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
'__**LBRY Credit (LBC) Tipper**__\nTransaction Fees: **' +
lbryFee +
'**\n **!tiplbc balance** : get your balance\n **!tiplbc deposit** : get address for your deposits\n **!tiplbc withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tiplbc <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tiplbc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
);
message.author.send(
'__**Proton (PROTON) Tipper**__\nTransaction Fees: **' + protonFee + '**\n **!tipproton balance** : get your balance\n **!tipproton deposit** : get address for your deposits\n **!tipproton withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tipproton <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tipproton private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
'__**Proton (PROTON) Tipper**__\nTransaction Fees: **' +
protonFee +
'**\n **!tipproton balance** : get your balance\n **!tipproton deposit** : get address for your deposits\n **!tipproton withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tipproton <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tipproton private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
);
message.author.send(
'__**Uniform Fiscal Object (UFO) Tipper**__\nTransaction Fees: **' + ufoFee + '**\n **!tipufo balance** : get your balance\n **!tipufo deposit** : get address for your deposits\n **!tipufo withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tipufo <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tipufo private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
'__**Uniform Fiscal Object (UFO) Tipper**__\nTransaction Fees: **' +
ufoFee +
'**\n **!tipufo balance** : get your balance\n **!tipufo deposit** : get address for your deposits\n **!tipufo withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tipufo <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tipufo private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
);
message.author.send(
'__**Phoenixcoin (PXC) Tipper**__\nTransaction Fees: **' + phoenixFee + '**\n **!tippxc balance** : get your balance\n **!tippxc deposit** : get address for your deposits\n **!tippxc withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tippxc <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tippxc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
'__**Phoenixcoin (PXC) Tipper**__\nTransaction Fees: **' +
phoenixFee +
'**\n **!tippxc balance** : get your balance\n **!tippxc deposit** : get address for your deposits\n **!tippxc withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tippxc <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tippxc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
);
message.author.send(
'__**Feathercoin (FTC) Tipper**__\nTransaction Fees: **' + featherFee + '**\n **!tipftc balance** : get your balance\n **!tipftc deposit** : get address for your deposits\n **!tipufo withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tipftc <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tipftc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n\n **<> : Replace with appropriate value.**'
'__**Feathercoin (FTC) Tipper**__\nTransaction Fees: **' +
featherFee +
'**\n **!tipftc balance** : get your balance\n **!tipftc deposit** : get address for your deposits\n **!tipufo withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tipftc <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tipftc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n\n **<> : Replace with appropriate value.**',
);
}
},
};
15 changes: 12 additions & 3 deletions bot/modules/lbcTipper.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
}
lbc.sendFrom(tipper, address, Number(amount), function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
message.channel.send({
embed: {
Expand Down Expand Up @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
function sendLBC(bot, message, tipper, recipient, amount, privacyFlag) {
getAddress(recipient.toString(), function (err, address) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
lbc.sendFrom(
tipper,
Expand All @@ -274,7 +280,10 @@ function sendLBC(bot, message, tipper, recipient, amount, privacyFlag) {
null,
function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
if (privacyFlag) {
let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;
Expand Down
15 changes: 12 additions & 3 deletions bot/modules/protonTipper.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
}
proton.sendFrom(tipper, address, Number(amount), function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
message.channel.send({
embed: {
Expand Down Expand Up @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
function sendPROTON(bot, message, tipper, recipient, amount, privacyFlag) {
getAddress(recipient.toString(), function (err, address) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
proton.sendFrom(
tipper,
Expand All @@ -274,7 +280,10 @@ function sendPROTON(bot, message, tipper, recipient, amount, privacyFlag) {
null,
function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
if (privacyFlag) {
let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;
Expand Down
15 changes: 12 additions & 3 deletions bot/modules/pxcTipper.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
}
pxc.sendFrom(tipper, address, Number(amount), function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
message.channel.send({
embed: {
Expand Down Expand Up @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
function sendPXC(bot, message, tipper, recipient, amount, privacyFlag) {
getAddress(recipient.toString(), function (err, address) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
pxc.sendFrom(
tipper,
Expand All @@ -274,7 +280,10 @@ function sendPXC(bot, message, tipper, recipient, amount, privacyFlag) {
null,
function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
if (privacyFlag) {
let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;
Expand Down
15 changes: 12 additions & 3 deletions bot/modules/rvnTipper.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
}
rvn.sendFrom(tipper, address, Number(amount), function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
message.channel.send({
embed: {
Expand Down Expand Up @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
function sendRVN(bot, message, tipper, recipient, amount, privacyFlag) {
getAddress(recipient.toString(), function (err, address) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
rvn.sendFrom(
tipper,
Expand All @@ -274,7 +280,10 @@ function sendRVN(bot, message, tipper, recipient, amount, privacyFlag) {
null,
function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err);
message
.reply('An internal error occurred. Please try again later.')
.then((message) => message.delete(10000));
} else {
if (privacyFlag) {
let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;
Expand Down
Loading