4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2024-05-24 - Prevent RPC Error Leakage
**Vulnerability:** Internal RPC error messages from bitcoind-rpc connections were directly passed to Discord users via `message.reply(err.message)`, potentially exposing sensitive infrastructure details. Additionally, `.catch()` handlers were missing on the subsequent `message.delete()` calls.
**Learning:** Sending raw daemon error messages to end-users is an information disclosure vulnerability. Missing `.catch()` handlers on Discord API calls can crash the bot due to unhandled promise rejections.
**Prevention:** Always log the actual error internally (e.g., `console.error(err)`) and send a generic user-friendly message. Always append `.catch()` to discord.js API calls.
15 changes: 12 additions & 3 deletions bot/modules/dogeTipper.js
Expand Up @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
}
doge.sendFrom(tipper, address, Number(amount), function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
message.channel.send({
embed: {
Expand Down Expand Up @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
function sendDOGE(bot, message, tipper, recipient, amount, privacyFlag) {
getAddress(recipient.toString(), function (err, address) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
doge.sendFrom(
tipper,
Expand All @@ -274,7 +280,10 @@ function sendDOGE(bot, message, tipper, recipient, amount, privacyFlag) {
null,
function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
if (privacyFlag) {
let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;
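Review bot: The new `.catch(() => {})` is attached to `m.delete(10000)` inside the `.then`, so a rejected `message.reply(...)` (for example when the bot cannot post in the channel) still has no handler in all three error branches of this file (doWithdraw and both callbacks in sendDOGE). That is the unhandled-rejection crash the sentinel.md entry says this change prevents. Ending the chain with the handler covers both calls and records the failure instead of discarding it: `.then((m) => m.delete(10000)).catch((e) => console.error(e));`. The same pattern appears in the exampleTipper, ftcTipper, lbcTipper, protonTipper, pxcTipper, rvnTipper, ufoTipper and vtlTipper sections. The enclosing functions start and end outside the hunks shown.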
9 changes: 6 additions & 3 deletions bot/modules/exampleTipper.js
Expand Up @@ -143,7 +143,8 @@ function doWithdraw(message, tipper, words, helpmsg) {
}
ltc.sendFrom(tipper, address, Number(amount), function(err, txId) {
if (err) {
message.reply(err.message).then(message => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message.reply('An error occurred while processing your request.').then(m => m.delete(10000).catch(() => {}));
} else {
message.channel.send({embed:{
title: '**:outbox_tray::money_with_wings::moneybag:Litecoin (LTC) Transaction Completed!:moneybag::money_with_wings::outbox_tray:**',
Expand Down Expand Up @@ -228,11 +229,13 @@ function doTip(bot, message, tipper, words, helpmsg) {
function sendLTC(bot, message, tipper, recipient, amount, privacyFlag) {
getAddress(recipient.toString(), function(err, address) {
if (err) {
message.reply(err.message).then(message => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message.reply('An error occurred while processing your request.').then(m => m.delete(10000).catch(() => {}));
} else {
ltc.sendFrom(tipper, address, Number(amount), 1, null, null, function(err, txId) {
if (err) {
message.reply(err.message).then(message => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message.reply('An error occurred while processing your request.').then(m => m.delete(10000).catch(() => {}));
} else {
if (privacyFlag) {
let userProfile = message.guild.members.get(recipient) // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;
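Review bot: `console.error(err)` in doWithdraw and sendLTC records the error with no indication of which operation or user it belongs to. Because the reply is now the same fixed string for every failure, the log is the only place left to tell a daemon outage from a rejected withdrawal. Adding context that is already in scope, e.g. `console.error('LTC withdraw failed', tipper, err);`, makes the entries usable for triage. Whether `err` from the RPC client can carry connection details is not visible here, so wherever these logs end up should be treated as sensitive. The other tipper modules in this commit log the same way.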
15 changes: 12 additions & 3 deletions bot/modules/ftcTipper.js
Expand Up @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
}
ftc.sendFrom(tipper, address, Number(amount), function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
message.channel.send({
embed: {
Expand Down Expand Up @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
function sendFTC(bot, message, tipper, recipient, amount, privacyFlag) {
getAddress(recipient.toString(), function (err, address) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
ftc.sendFrom(
tipper,
Expand All @@ -274,7 +280,10 @@ function sendFTC(bot, message, tipper, recipient, amount, privacyFlag) {
null,
function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
if (privacyFlag) {
let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;
15 changes: 12 additions & 3 deletions bot/modules/lbcTipper.js
Expand Up @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
}
lbc.sendFrom(tipper, address, Number(amount), function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
message.channel.send({
embed: {
Expand Down Expand Up @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
function sendLBC(bot, message, tipper, recipient, amount, privacyFlag) {
getAddress(recipient.toString(), function (err, address) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
lbc.sendFrom(
tipper,
Expand All @@ -274,7 +280,10 @@ function sendLBC(bot, message, tipper, recipient, amount, privacyFlag) {
null,
function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
if (privacyFlag) {
let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;
15 changes: 12 additions & 3 deletions bot/modules/protonTipper.js
Expand Up @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
}
proton.sendFrom(tipper, address, Number(amount), function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
message.channel.send({
embed: {
Expand Down Expand Up @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
function sendPROTON(bot, message, tipper, recipient, amount, privacyFlag) {
getAddress(recipient.toString(), function (err, address) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
proton.sendFrom(
tipper,
Expand All @@ -274,7 +280,10 @@ function sendPROTON(bot, message, tipper, recipient, amount, privacyFlag) {
null,
function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
if (privacyFlag) {
let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;
15 changes: 12 additions & 3 deletions bot/modules/pxcTipper.js
Expand Up @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
}
pxc.sendFrom(tipper, address, Number(amount), function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
message.channel.send({
embed: {
Expand Down Expand Up @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
function sendPXC(bot, message, tipper, recipient, amount, privacyFlag) {
getAddress(recipient.toString(), function (err, address) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
pxc.sendFrom(
tipper,
Expand All @@ -274,7 +280,10 @@ function sendPXC(bot, message, tipper, recipient, amount, privacyFlag) {
null,
function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
if (privacyFlag) {
let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;
15 changes: 12 additions & 3 deletions bot/modules/rvnTipper.js
Expand Up @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
}
rvn.sendFrom(tipper, address, Number(amount), function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
message.channel.send({
embed: {
Expand Down Expand Up @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
function sendRVN(bot, message, tipper, recipient, amount, privacyFlag) {
getAddress(recipient.toString(), function (err, address) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
rvn.sendFrom(
tipper,
Expand All @@ -274,7 +280,10 @@ function sendRVN(bot, message, tipper, recipient, amount, privacyFlag) {
null,
function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
if (privacyFlag) {
let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;
15 changes: 12 additions & 3 deletions bot/modules/ufoTipper.js
Expand Up @@ -162,7 +162,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
}
ufo.sendFrom(tipper, address, Number(amount), function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
message.channel.send({
embed: {
Expand Down Expand Up @@ -267,7 +270,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
function sendUFO(bot, message, tipper, recipient, amount, privacyFlag) {
getAddress(recipient.toString(), function (err, address) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
ufo.sendFrom(
tipper,
Expand All @@ -278,7 +284,10 @@ function sendUFO(bot, message, tipper, recipient, amount, privacyFlag) {
null,
function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
if (privacyFlag) {
let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;
15 changes: 12 additions & 3 deletions bot/modules/vtlTipper.js
Expand Up @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
}
vtl.sendFrom(tipper, address, Number(amount), function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
message.channel.send({
embed: {
Expand Down Expand Up @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
function sendVTL(bot, message, tipper, recipient, amount, privacyFlag) {
getAddress(recipient.toString(), function (err, address) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
vtl.sendFrom(
tipper,
Expand All @@ -274,7 +280,10 @@ function sendVTL(bot, message, tipper, recipient, amount, privacyFlag) {
null,
function (err, txId) {
if (err) {
message.reply(err.message).then((message) => message.delete(10000));
console.error(err); // πŸ›‘οΈ Sentinel: Prevent RPC error leakage
message
.reply('An error occurred while processing your request.')
.then((m) => m.delete(10000).catch(() => {}));
} else {
if (privacyFlag) {
let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;