From d02b44deae037b2554c20373bf24b39dff37f5fe Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 11 Jun 2026 12:02:06 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?= =?UTF-8?q?=20Fix=20RPC=20Error=20Information=20Leakage?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: DerUntote <8378077+DerUntote@users.noreply.github.com> --- .jules/sentinel.md | 5 +++++ bot/modules/bot-uptime.js | 20 ++++++++++---------- bot/modules/dogeTipper.js | 15 ++++++++++++--- bot/modules/exampleTipper.js | 6 +++--- bot/modules/ftcTipper.js | 15 ++++++++++++--- bot/modules/helpTipper.js | 32 +++++++++++++++++++++++--------- bot/modules/lbcTipper.js | 15 ++++++++++++--- bot/modules/protonTipper.js | 15 ++++++++++++--- bot/modules/pxcTipper.js | 15 ++++++++++++--- bot/modules/rvnTipper.js | 15 ++++++++++++--- bot/modules/ufoTipper.js | 15 ++++++++++++--- bot/modules/vtlTipper.js | 15 ++++++++++++--- 12 files changed, 137 insertions(+), 46 deletions(-) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..d674d3c --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,5 @@ + +## 2026-06-11 - Fix Internal Error Details Leak +**Vulnerability:** The tipbot modules were leaking internal RPC errors (like internal daemons network issues, insufficient funds error details, daemon failures) directly to Discord users via `message.reply(err.message)`. This poses a security risk as it exposes the bot's internal architecture, connection states, and node infrastructure details to untrusted public channels. +**Learning:** Returning `err.message` directly from infrastructure connections (like `bitcoind-rpc`) to external users is risky. Always decouple internal error contexts from user-facing error messages. +**Prevention:** Instead of directly replying with `err.message`, internal errors should be logged using `console.error(err)` for debugging, and a generic, sanitized message like "An error occurred while processing your request." should be sent to the user. diff --git a/bot/modules/bot-uptime.js b/bot/modules/bot-uptime.js index 7df747a..69a2f8a 100644 --- a/bot/modules/bot-uptime.js +++ b/bot/modules/bot-uptime.js @@ -6,20 +6,20 @@ exports.commands = ['uptime']; exports.uptime = { usage: '', description: 'gets Uptime for Bot', - process: function(bot, msg, suffix) { + process: function (bot, msg, suffix) { if (suffix != pm2Name) { return; } msg.channel.send( 'i have been Online for ' + - Math.round(bot.uptime / (1000 * 60 * 60 * 24)) + - ' days, ' + - Math.round(bot.uptime / (1000 * 60 * 60)) + - ' hours, ' + - Math.round(bot.uptime / (1000 * 60)) % 60 + - ' minutes, and ' + - Math.round(bot.uptime / 1000) % 60 + - ' seconds' + Math.round(bot.uptime / (1000 * 60 * 60 * 24)) + + ' days, ' + + Math.round(bot.uptime / (1000 * 60 * 60)) + + ' hours, ' + + (Math.round(bot.uptime / (1000 * 60)) % 60) + + ' minutes, and ' + + (Math.round(bot.uptime / 1000) % 60) + + ' seconds', ); - } + }, }; diff --git a/bot/modules/dogeTipper.js b/bot/modules/dogeTipper.js index 54258df..be03607 100644 --- a/bot/modules/dogeTipper.js +++ b/bot/modules/dogeTipper.js @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) { } doge.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { message.channel.send({ embed: { @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendDOGE(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { doge.sendFrom( tipper, @@ -274,7 +280,10 @@ function sendDOGE(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/exampleTipper.js b/bot/modules/exampleTipper.js index 25be559..5cd4dec 100644 --- a/bot/modules/exampleTipper.js +++ b/bot/modules/exampleTipper.js @@ -143,7 +143,7 @@ function doWithdraw(message, tipper, words, helpmsg) { } ltc.sendFrom(tipper, address, Number(amount), function(err, txId) { if (err) { - message.reply(err.message).then(message => message.delete(10000)); + console.error(err); message.reply("An error occurred while processing your request.").then((m) => m.delete(10000).catch(() => {})); } else { message.channel.send({embed:{ title: '**:outbox_tray::money_with_wings::moneybag:Litecoin (LTC) Transaction Completed!:moneybag::money_with_wings::outbox_tray:**', @@ -228,11 +228,11 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendLTC(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function(err, address) { if (err) { - message.reply(err.message).then(message => message.delete(10000)); + console.error(err); message.reply("An error occurred while processing your request.").then((m) => m.delete(10000).catch(() => {})); } else { ltc.sendFrom(tipper, address, Number(amount), 1, null, null, function(err, txId) { if (err) { - message.reply(err.message).then(message => message.delete(10000)); + console.error(err); message.reply("An error occurred while processing your request.").then((m) => m.delete(10000).catch(() => {})); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient) // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/ftcTipper.js b/bot/modules/ftcTipper.js index 22bb0b9..6256951 100644 --- a/bot/modules/ftcTipper.js +++ b/bot/modules/ftcTipper.js @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) { } ftc.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { message.channel.send({ embed: { @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendFTC(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { ftc.sendFrom( tipper, @@ -274,7 +280,10 @@ function sendFTC(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/helpTipper.js b/bot/modules/helpTipper.js index 95041c9..f87ef49 100644 --- a/bot/modules/helpTipper.js +++ b/bot/modules/helpTipper.js @@ -11,27 +11,41 @@ exports.commands = ['tiphelp']; exports.tiphelp = { usage: '', description: 'This commands has been changed to currency specific commands!', - process: function(bot, message) { + process: function (bot, message) { message.author.send( - '__**Ravencoin (RVN) Tipper**__\nTransaction Fees: **' + ravenFee + '**\n **!tiprvn balance** : get your balance\n **!tiprvn deposit** : get address for your deposits\n **!tiprvn withdraw
** : withdraw coins to specified address\n **!tiprvn <@user> ** :mention a user with @ and then the amount to tip them\n **!tiprvn private ** : put private before Mentioning a user to tip them privately.\n' + '__**Ravencoin (RVN) Tipper**__\nTransaction Fees: **' + + ravenFee + + '**\n **!tiprvn balance** : get your balance\n **!tiprvn deposit** : get address for your deposits\n **!tiprvn withdraw
** : withdraw coins to specified address\n **!tiprvn <@user> ** :mention a user with @ and then the amount to tip them\n **!tiprvn private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**Dogecoin (DOGE) Tipper**__\nTransaction Fees: **' + dogeFee + '**\n **!tipdoge balance** : get your balance\n **!tipdoge deposit** : get address for your deposits\n **!tipdoge withdraw
** : withdraw coins to specified address\n **!tipdoge <@user> ** :mention a user with @ and then the amount to tip them\n **!tipdoge private ** : put private before Mentioning a user to tip them privately.\n' + '__**Dogecoin (DOGE) Tipper**__\nTransaction Fees: **' + + dogeFee + + '**\n **!tipdoge balance** : get your balance\n **!tipdoge deposit** : get address for your deposits\n **!tipdoge withdraw
** : withdraw coins to specified address\n **!tipdoge <@user> ** :mention a user with @ and then the amount to tip them\n **!tipdoge private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**LBRY Credit (LBC) Tipper**__\nTransaction Fees: **' + lbryFee + '**\n **!tiplbc balance** : get your balance\n **!tiplbc deposit** : get address for your deposits\n **!tiplbc withdraw
** : withdraw coins to specified address\n **!tiplbc <@user> ** :mention a user with @ and then the amount to tip them\n **!tiplbc private ** : put private before Mentioning a user to tip them privately.\n' + '__**LBRY Credit (LBC) Tipper**__\nTransaction Fees: **' + + lbryFee + + '**\n **!tiplbc balance** : get your balance\n **!tiplbc deposit** : get address for your deposits\n **!tiplbc withdraw
** : withdraw coins to specified address\n **!tiplbc <@user> ** :mention a user with @ and then the amount to tip them\n **!tiplbc private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**Proton (PROTON) Tipper**__\nTransaction Fees: **' + protonFee + '**\n **!tipproton balance** : get your balance\n **!tipproton deposit** : get address for your deposits\n **!tipproton withdraw
** : withdraw coins to specified address\n **!tipproton <@user> ** :mention a user with @ and then the amount to tip them\n **!tipproton private ** : put private before Mentioning a user to tip them privately.\n' + '__**Proton (PROTON) Tipper**__\nTransaction Fees: **' + + protonFee + + '**\n **!tipproton balance** : get your balance\n **!tipproton deposit** : get address for your deposits\n **!tipproton withdraw
** : withdraw coins to specified address\n **!tipproton <@user> ** :mention a user with @ and then the amount to tip them\n **!tipproton private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**Uniform Fiscal Object (UFO) Tipper**__\nTransaction Fees: **' + ufoFee + '**\n **!tipufo balance** : get your balance\n **!tipufo deposit** : get address for your deposits\n **!tipufo withdraw
** : withdraw coins to specified address\n **!tipufo <@user> ** :mention a user with @ and then the amount to tip them\n **!tipufo private ** : put private before Mentioning a user to tip them privately.\n' + '__**Uniform Fiscal Object (UFO) Tipper**__\nTransaction Fees: **' + + ufoFee + + '**\n **!tipufo balance** : get your balance\n **!tipufo deposit** : get address for your deposits\n **!tipufo withdraw
** : withdraw coins to specified address\n **!tipufo <@user> ** :mention a user with @ and then the amount to tip them\n **!tipufo private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**Phoenixcoin (PXC) Tipper**__\nTransaction Fees: **' + phoenixFee + '**\n **!tippxc balance** : get your balance\n **!tippxc deposit** : get address for your deposits\n **!tippxc withdraw
** : withdraw coins to specified address\n **!tippxc <@user> ** :mention a user with @ and then the amount to tip them\n **!tippxc private ** : put private before Mentioning a user to tip them privately.\n' + '__**Phoenixcoin (PXC) Tipper**__\nTransaction Fees: **' + + phoenixFee + + '**\n **!tippxc balance** : get your balance\n **!tippxc deposit** : get address for your deposits\n **!tippxc withdraw
** : withdraw coins to specified address\n **!tippxc <@user> ** :mention a user with @ and then the amount to tip them\n **!tippxc private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**Feathercoin (FTC) Tipper**__\nTransaction Fees: **' + featherFee + '**\n **!tipftc balance** : get your balance\n **!tipftc deposit** : get address for your deposits\n **!tipufo withdraw
** : withdraw coins to specified address\n **!tipftc <@user> ** :mention a user with @ and then the amount to tip them\n **!tipftc private ** : put private before Mentioning a user to tip them privately.\n\n **<> : Replace with appropriate value.**' + '__**Feathercoin (FTC) Tipper**__\nTransaction Fees: **' + + featherFee + + '**\n **!tipftc balance** : get your balance\n **!tipftc deposit** : get address for your deposits\n **!tipufo withdraw
** : withdraw coins to specified address\n **!tipftc <@user> ** :mention a user with @ and then the amount to tip them\n **!tipftc private ** : put private before Mentioning a user to tip them privately.\n\n **<> : Replace with appropriate value.**', ); - } + }, }; diff --git a/bot/modules/lbcTipper.js b/bot/modules/lbcTipper.js index 09ff576..3e59a40 100644 --- a/bot/modules/lbcTipper.js +++ b/bot/modules/lbcTipper.js @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) { } lbc.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { message.channel.send({ embed: { @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendLBC(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { lbc.sendFrom( tipper, @@ -274,7 +280,10 @@ function sendLBC(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/protonTipper.js b/bot/modules/protonTipper.js index 53da2cd..a7463d0 100644 --- a/bot/modules/protonTipper.js +++ b/bot/modules/protonTipper.js @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) { } proton.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { message.channel.send({ embed: { @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendPROTON(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { proton.sendFrom( tipper, @@ -274,7 +280,10 @@ function sendPROTON(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/pxcTipper.js b/bot/modules/pxcTipper.js index db95dc4..106fe3d 100644 --- a/bot/modules/pxcTipper.js +++ b/bot/modules/pxcTipper.js @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) { } pxc.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { message.channel.send({ embed: { @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendPXC(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { pxc.sendFrom( tipper, @@ -274,7 +280,10 @@ function sendPXC(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/rvnTipper.js b/bot/modules/rvnTipper.js index 814abc4..f4037fb 100644 --- a/bot/modules/rvnTipper.js +++ b/bot/modules/rvnTipper.js @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) { } rvn.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { message.channel.send({ embed: { @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendRVN(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { rvn.sendFrom( tipper, @@ -274,7 +280,10 @@ function sendRVN(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/ufoTipper.js b/bot/modules/ufoTipper.js index 74c1cd5..354c88e 100644 --- a/bot/modules/ufoTipper.js +++ b/bot/modules/ufoTipper.js @@ -162,7 +162,10 @@ function doWithdraw(message, tipper, words, helpmsg) { } ufo.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { message.channel.send({ embed: { @@ -267,7 +270,10 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendUFO(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { ufo.sendFrom( tipper, @@ -278,7 +284,10 @@ function sendUFO(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/vtlTipper.js b/bot/modules/vtlTipper.js index 040a3fa..443ae23 100644 --- a/bot/modules/vtlTipper.js +++ b/bot/modules/vtlTipper.js @@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) { } vtl.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { message.channel.send({ embed: { @@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendVTL(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { vtl.sendFrom( tipper, @@ -274,7 +280,10 @@ function sendVTL(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred while processing your request.') + .then((m) => m.delete(10000).catch(() => {})); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search;