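--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-06-13 - [CRITICAL] Fix Information Leakage via RPC Error Messages
+**Vulnerability:** The application was passing internal unhandled RPC error messages directly to Discord users via `message.reply(err.message)`. This exposes internal paths, system configurations, or potential backend failure modes to public users.
+**Learning:** Returning `err.message` from RPC requests in Discord bots is a critical information leakage risk. All user-facing error messages must be generic (e.g., "An error occurred."), and the full error stack should only be logged internally.
+**Prevention:** Never pass raw error messages to user responses. Catch exceptions, print them securely to the internal logs with `console.error()`, and output a safe, generic message to the user facing channels.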
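--- a/bot/modules/bot-uptime.js
+++ b/bot/modules/bot-uptime.js
@@ -6,20 +6,20 @@ exports.commands = ['uptime'];
 exports.uptime = {
 usage: '',
 description: 'gets Uptime for Bot',
-process: function(bot, msg, suffix) {
+process: function (bot, msg, suffix) {
 if (suffix != pm2Name) {
 return;
 }
 msg.channel.send(
 'i have been Online for ' +
-Math.round(bot.uptime / (1000 * 60 * 60 * 24)) +
-' days, ' +
-Math.round(bot.uptime / (1000 * 60 * 60)) +
-' hours, ' +
-Math.round(bot.uptime / (1000 * 60)) % 60 +
-' minutes, and ' +
-Math.round(bot.uptime / 1000) % 60 +
-' seconds'
+Math.round(bot.uptime / (1000 * 60 * 60 * 24)) +
+' days, ' +
+Math.round(bot.uptime / (1000 * 60 * 60)) +
+' hours, ' +
+(Math.round(bot.uptime / (1000 * 60)) % 60) +
+' minutes, and ' +
+(Math.round(bot.uptime / 1000) % 60) +
+' seconds',
 );
-}
+},
 };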
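--- a/bot/modules/dogeTipper.js
+++ b/bot/modules/dogeTipper.js
@@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
 }
 doge.sendFrom(tipper, address, Number(amount), function (err, txId) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 message.channel.send({
 embed: {
@@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
 function sendDOGE(bot, message, tipper, recipient, amount, privacyFlag) {
 getAddress(recipient.toString(), function (err, address) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 doge.sendFrom(
 tipper,
@@ -274,7 +280,10 @@ function sendDOGE(bot, message, tipper, recipient, amount, privacyFlag) {
 null,
 function (err, txId) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 if (privacyFlag) {
 let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;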
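Review bot: In all three error branches the new `.catch(console.error)` is chained onto `message.delete(10000)` inside the `.then` callback, so a rejection of `message.reply(...)` itself (for example when the bot cannot post in the channel) still goes unhandled. Putting the handler at the end of the chain covers both the reply and the delete: `.then((reply) => reply.delete(10000)).catch(console.error);`. Renaming the callback parameter also stops it shadowing the outer `message`. The same pattern is repeated in exampleTipper.js, ftcTipper.js, lbcTipper.js, protonTipper.js, pxcTipper.js and rvnTipper.js; the enclosing functions start and end outside the visible hunks.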
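--- a/bot/modules/exampleTipper.js
+++ b/bot/modules/exampleTipper.js
@@ -143,7 +143,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
 }
 ltc.sendFrom(tipper, address, Number(amount), function(err, txId) {
 if (err) {
-message.reply(err.message).then(message => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 message.channel.send({embed:{
 title: '**:outbox_tray::money_with_wings::moneybag:Litecoin (LTC) Transaction Completed!:moneybag::money_with_wings::outbox_tray:**',
@@ -228,11 +231,17 @@ function doTip(bot, message, tipper, words, helpmsg) {
 function sendLTC(bot, message, tipper, recipient, amount, privacyFlag) {
 getAddress(recipient.toString(), function(err, address) {
 if (err) {
-message.reply(err.message).then(message => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 ltc.sendFrom(tipper, address, Number(amount), 1, null, null, function(err, txId) {
 if (err) {
-message.reply(err.message).then(message => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 if (privacyFlag) {
 let userProfile = message.guild.members.get(recipient) // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;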
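Review bot: `console.error(err)` in the three error branches records the RPC error without saying which command or user triggered it, and every failure now shows the user the same 'An error occurred.', so a user report cannot be matched to a log line. Logging with context would help triage, e.g. `console.error('sendLTC: sendFrom failed for', tipper, err);`. If the RPC client exposes stable error codes (not visible in these hunks), expected cases such as an insufficient balance could map to a fixed safe string instead of the catch-all. It is also worth confirming that the logged error object carries no RPC connection details, because the log is now the only place the raw error is kept. The same applies to the other tipper modules touched by this commit.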
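--- a/bot/modules/ftcTipper.js
+++ b/bot/modules/ftcTipper.js
@@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
 }
 ftc.sendFrom(tipper, address, Number(amount), function (err, txId) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 message.channel.send({
 embed: {
@@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
 function sendFTC(bot, message, tipper, recipient, amount, privacyFlag) {
 getAddress(recipient.toString(), function (err, address) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 ftc.sendFrom(
 tipper,
@@ -274,7 +280,10 @@ function sendFTC(bot, message, tipper, recipient, amount, privacyFlag) {
 null,
 function (err, txId) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 if (privacyFlag) {
 let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;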
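--- a/bot/modules/helpTipper.js
+++ b/bot/modules/helpTipper.js
@@ -11,27 +11,41 @@ exports.commands = ['tiphelp'];
 exports.tiphelp = {
 usage: '<subcommand>',
 description: 'This commands has been changed to currency specific commands!',
-process: function(bot, message) {
+process: function (bot, message) {
 message.author.send(
-'__**Ravencoin (RVN) Tipper**__\nTransaction Fees: **' + ravenFee + '**\n **!tiprvn balance** : get your balance\n **!tiprvn deposit** : get address for your deposits\n **!tiprvn withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tiprvn <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tiprvn private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
+'__**Ravencoin (RVN) Tipper**__\nTransaction Fees: **' +
+ravenFee +
+'**\n **!tiprvn balance** : get your balance\n **!tiprvn deposit** : get address for your deposits\n **!tiprvn withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tiprvn <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tiprvn private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
 );
 message.author.send(
-'__**Dogecoin (DOGE) Tipper**__\nTransaction Fees: **' + dogeFee + '**\n **!tipdoge balance** : get your balance\n **!tipdoge deposit** : get address for your deposits\n **!tipdoge withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tipdoge <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tipdoge private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
+'__**Dogecoin (DOGE) Tipper**__\nTransaction Fees: **' +
+dogeFee +
+'**\n **!tipdoge balance** : get your balance\n **!tipdoge deposit** : get address for your deposits\n **!tipdoge withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tipdoge <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tipdoge private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
 );
 message.author.send(
-'__**LBRY Credit (LBC) Tipper**__\nTransaction Fees: **' + lbryFee + '**\n **!tiplbc balance** : get your balance\n **!tiplbc deposit** : get address for your deposits\n **!tiplbc withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tiplbc <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tiplbc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
+'__**LBRY Credit (LBC) Tipper**__\nTransaction Fees: **' +
+lbryFee +
+'**\n **!tiplbc balance** : get your balance\n **!tiplbc deposit** : get address for your deposits\n **!tiplbc withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tiplbc <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tiplbc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
 );
 message.author.send(
-'__**Proton (PROTON) Tipper**__\nTransaction Fees: **' + protonFee + '**\n **!tipproton balance** : get your balance\n **!tipproton deposit** : get address for your deposits\n **!tipproton withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tipproton <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tipproton private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
+'__**Proton (PROTON) Tipper**__\nTransaction Fees: **' +
+protonFee +
+'**\n **!tipproton balance** : get your balance\n **!tipproton deposit** : get address for your deposits\n **!tipproton withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tipproton <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tipproton private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
 );
 message.author.send(
-'__**Uniform Fiscal Object (UFO) Tipper**__\nTransaction Fees: **' + ufoFee + '**\n **!tipufo balance** : get your balance\n **!tipufo deposit** : get address for your deposits\n **!tipufo withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tipufo <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tipufo private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
+'__**Uniform Fiscal Object (UFO) Tipper**__\nTransaction Fees: **' +
+ufoFee +
+'**\n **!tipufo balance** : get your balance\n **!tipufo deposit** : get address for your deposits\n **!tipufo withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tipufo <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tipufo private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
 );
 message.author.send(
-'__**Phoenixcoin (PXC) Tipper**__\nTransaction Fees: **' + phoenixFee + '**\n **!tippxc balance** : get your balance\n **!tippxc deposit** : get address for your deposits\n **!tippxc withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tippxc <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tippxc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n'
+'__**Phoenixcoin (PXC) Tipper**__\nTransaction Fees: **' +
+phoenixFee +
+'**\n **!tippxc balance** : get your balance\n **!tippxc deposit** : get address for your deposits\n **!tippxc withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tippxc <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tippxc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n',
 );
 message.author.send(
-'__**Feathercoin (FTC) Tipper**__\nTransaction Fees: **' + featherFee + '**\n **!tipftc balance** : get your balance\n **!tipftc deposit** : get address for your deposits\n **!tipufo withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tipftc <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tipftc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n\n **<> : Replace with appropriate value.**'
+'__**Feathercoin (FTC) Tipper**__\nTransaction Fees: **' +
+featherFee +
+'**\n **!tipftc balance** : get your balance\n **!tipftc deposit** : get address for your deposits\n **!tipufo withdraw <ADDRESS> <AMOUNT>** : withdraw coins to specified address\n **!tipftc <@user> <amount>** :mention a user with @ and then the amount to tip them\n **!tipftc private <user> <amount>** : put private before Mentioning a user to tip them privately.\n\n **<> : Replace with appropriate value.**',
 );
-}
+},
 };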
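--- a/bot/modules/lbcTipper.js
+++ b/bot/modules/lbcTipper.js
@@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
 }
 lbc.sendFrom(tipper, address, Number(amount), function (err, txId) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 message.channel.send({
 embed: {
@@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
 function sendLBC(bot, message, tipper, recipient, amount, privacyFlag) {
 getAddress(recipient.toString(), function (err, address) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 lbc.sendFrom(
 tipper,
@@ -274,7 +280,10 @@ function sendLBC(bot, message, tipper, recipient, amount, privacyFlag) {
 null,
 function (err, txId) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 if (privacyFlag) {
 let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;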
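--- a/bot/modules/protonTipper.js
+++ b/bot/modules/protonTipper.js
@@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
 }
 proton.sendFrom(tipper, address, Number(amount), function (err, txId) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 message.channel.send({
 embed: {
@@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
 function sendPROTON(bot, message, tipper, recipient, amount, privacyFlag) {
 getAddress(recipient.toString(), function (err, address) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 proton.sendFrom(
 tipper,
@@ -274,7 +280,10 @@ function sendPROTON(bot, message, tipper, recipient, amount, privacyFlag) {
 null,
 function (err, txId) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 if (privacyFlag) {
 let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;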
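--- a/bot/modules/pxcTipper.js
+++ b/bot/modules/pxcTipper.js
@@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
 }
 pxc.sendFrom(tipper, address, Number(amount), function (err, txId) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 message.channel.send({
 embed: {
@@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
 function sendPXC(bot, message, tipper, recipient, amount, privacyFlag) {
 getAddress(recipient.toString(), function (err, address) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 pxc.sendFrom(
 tipper,
@@ -274,7 +280,10 @@ function sendPXC(bot, message, tipper, recipient, amount, privacyFlag) {
 null,
 function (err, txId) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 if (privacyFlag) {
 let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;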
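--- a/bot/modules/rvnTipper.js
+++ b/bot/modules/rvnTipper.js
@@ -158,7 +158,10 @@ function doWithdraw(message, tipper, words, helpmsg) {
 }
 rvn.sendFrom(tipper, address, Number(amount), function (err, txId) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 message.channel.send({
 embed: {
@@ -263,7 +266,10 @@ function doTip(bot, message, tipper, words, helpmsg) {
 function sendRVN(bot, message, tipper, recipient, amount, privacyFlag) {
 getAddress(recipient.toString(), function (err, address) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 rvn.sendFrom(
 tipper,
@@ -274,7 +280,10 @@ function sendRVN(bot, message, tipper, recipient, amount, privacyFlag) {
 null,
 function (err, txId) {
 if (err) {
-message.reply(err.message).then((message) => message.delete(10000));
+console.error(err);
+message
+.reply('An error occurred.')
+.then((message) => message.delete(10000).catch(console.error));
 } else {
 if (privacyFlag) {
 let userProfile = message.guild.members.get(recipient); // ⚑ Bolt: O(1) direct ID lookup vs O(N) linear search;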