From c130f171db4e3583b8bd6adcc732bfc0c51f010a Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Sun, 14 Jun 2026 12:06:52 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[MEDIUM]=20?= =?UTF-8?q?Fix=20Information=20Leakage=20in=20Error=20Replies?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: DerUntote <8378077+DerUntote@users.noreply.github.com> --- .jules/sentinel.md | 5 +++++ bot/modules/bot-uptime.js | 20 ++++++++++---------- bot/modules/dogeTipper.js | 18 +++++++++++++++--- bot/modules/exampleTipper.js | 9 ++++++--- bot/modules/ftcTipper.js | 18 +++++++++++++++--- bot/modules/helpTipper.js | 32 +++++++++++++++++++++++--------- bot/modules/lbcTipper.js | 18 +++++++++++++++--- bot/modules/protonTipper.js | 18 +++++++++++++++--- bot/modules/pxcTipper.js | 18 +++++++++++++++--- bot/modules/rvnTipper.js | 18 +++++++++++++++--- bot/modules/ufoTipper.js | 18 +++++++++++++++--- bot/modules/vtlTipper.js | 18 +++++++++++++++--- 12 files changed, 164 insertions(+), 46 deletions(-) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..748f310 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,5 @@ + +## 2024-05-18 - Information Leakage in Discord Error Replies +**Vulnerability:** The application was passing internal RPC and backend error messages directly to Discord users via `message.reply(err.message)`. This can expose sensitive information about the backend architecture, path names, database setups, and daemon connection configs to an attacker. Additionally, failing to `.catch()` rejected promises on Discord API calls (like `message.delete()`) presented stability/denial-of-service risks. +**Learning:** Returning unhandled or unformatted internal errors to a public channel leaks internal state. Any API interactions should also be defensively coded with proper promise handlers. +**Prevention:** Always log specific error details internally (`console.error(err)`) and return a generic error message (`'An error occurred.'`) to the client. Ensure all Discord API interactions that return promises implement `.catch()` handlers. diff --git a/bot/modules/bot-uptime.js b/bot/modules/bot-uptime.js index 7df747a..69a2f8a 100644 --- a/bot/modules/bot-uptime.js +++ b/bot/modules/bot-uptime.js @@ -6,20 +6,20 @@ exports.commands = ['uptime']; exports.uptime = { usage: '', description: 'gets Uptime for Bot', - process: function(bot, msg, suffix) { + process: function (bot, msg, suffix) { if (suffix != pm2Name) { return; } msg.channel.send( 'i have been Online for ' + - Math.round(bot.uptime / (1000 * 60 * 60 * 24)) + - ' days, ' + - Math.round(bot.uptime / (1000 * 60 * 60)) + - ' hours, ' + - Math.round(bot.uptime / (1000 * 60)) % 60 + - ' minutes, and ' + - Math.round(bot.uptime / 1000) % 60 + - ' seconds' + Math.round(bot.uptime / (1000 * 60 * 60 * 24)) + + ' days, ' + + Math.round(bot.uptime / (1000 * 60 * 60)) + + ' hours, ' + + (Math.round(bot.uptime / (1000 * 60)) % 60) + + ' minutes, and ' + + (Math.round(bot.uptime / 1000) % 60) + + ' seconds', ); - } + }, }; diff --git a/bot/modules/dogeTipper.js b/bot/modules/dogeTipper.js index 54258df..ec4d94c 100644 --- a/bot/modules/dogeTipper.js +++ b/bot/modules/dogeTipper.js @@ -158,7 +158,11 @@ function doWithdraw(message, tipper, words, helpmsg) { } doge.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { message.channel.send({ embed: { @@ -263,7 +267,11 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendDOGE(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { doge.sendFrom( tipper, @@ -274,7 +282,11 @@ function sendDOGE(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/exampleTipper.js b/bot/modules/exampleTipper.js index 25be559..2ccc599 100644 --- a/bot/modules/exampleTipper.js +++ b/bot/modules/exampleTipper.js @@ -143,7 +143,8 @@ function doWithdraw(message, tipper, words, helpmsg) { } ltc.sendFrom(tipper, address, Number(amount), function(err, txId) { if (err) { - message.reply(err.message).then(message => message.delete(10000)); + console.error(err); + message.reply('An error occurred.').then(message => message.delete(10000)).catch(() => {}); } else { message.channel.send({embed:{ title: '**:outbox_tray::money_with_wings::moneybag:Litecoin (LTC) Transaction Completed!:moneybag::money_with_wings::outbox_tray:**', @@ -228,11 +229,13 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendLTC(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function(err, address) { if (err) { - message.reply(err.message).then(message => message.delete(10000)); + console.error(err); + message.reply('An error occurred.').then(message => message.delete(10000)).catch(() => {}); } else { ltc.sendFrom(tipper, address, Number(amount), 1, null, null, function(err, txId) { if (err) { - message.reply(err.message).then(message => message.delete(10000)); + console.error(err); + message.reply('An error occurred.').then(message => message.delete(10000)).catch(() => {}); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient) // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/ftcTipper.js b/bot/modules/ftcTipper.js index 22bb0b9..611ab9d 100644 --- a/bot/modules/ftcTipper.js +++ b/bot/modules/ftcTipper.js @@ -158,7 +158,11 @@ function doWithdraw(message, tipper, words, helpmsg) { } ftc.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { message.channel.send({ embed: { @@ -263,7 +267,11 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendFTC(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { ftc.sendFrom( tipper, @@ -274,7 +282,11 @@ function sendFTC(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/helpTipper.js b/bot/modules/helpTipper.js index 95041c9..f87ef49 100644 --- a/bot/modules/helpTipper.js +++ b/bot/modules/helpTipper.js @@ -11,27 +11,41 @@ exports.commands = ['tiphelp']; exports.tiphelp = { usage: '', description: 'This commands has been changed to currency specific commands!', - process: function(bot, message) { + process: function (bot, message) { message.author.send( - '__**Ravencoin (RVN) Tipper**__\nTransaction Fees: **' + ravenFee + '**\n **!tiprvn balance** : get your balance\n **!tiprvn deposit** : get address for your deposits\n **!tiprvn withdraw
** : withdraw coins to specified address\n **!tiprvn <@user> ** :mention a user with @ and then the amount to tip them\n **!tiprvn private ** : put private before Mentioning a user to tip them privately.\n' + '__**Ravencoin (RVN) Tipper**__\nTransaction Fees: **' + + ravenFee + + '**\n **!tiprvn balance** : get your balance\n **!tiprvn deposit** : get address for your deposits\n **!tiprvn withdraw
** : withdraw coins to specified address\n **!tiprvn <@user> ** :mention a user with @ and then the amount to tip them\n **!tiprvn private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**Dogecoin (DOGE) Tipper**__\nTransaction Fees: **' + dogeFee + '**\n **!tipdoge balance** : get your balance\n **!tipdoge deposit** : get address for your deposits\n **!tipdoge withdraw
** : withdraw coins to specified address\n **!tipdoge <@user> ** :mention a user with @ and then the amount to tip them\n **!tipdoge private ** : put private before Mentioning a user to tip them privately.\n' + '__**Dogecoin (DOGE) Tipper**__\nTransaction Fees: **' + + dogeFee + + '**\n **!tipdoge balance** : get your balance\n **!tipdoge deposit** : get address for your deposits\n **!tipdoge withdraw
** : withdraw coins to specified address\n **!tipdoge <@user> ** :mention a user with @ and then the amount to tip them\n **!tipdoge private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**LBRY Credit (LBC) Tipper**__\nTransaction Fees: **' + lbryFee + '**\n **!tiplbc balance** : get your balance\n **!tiplbc deposit** : get address for your deposits\n **!tiplbc withdraw
** : withdraw coins to specified address\n **!tiplbc <@user> ** :mention a user with @ and then the amount to tip them\n **!tiplbc private ** : put private before Mentioning a user to tip them privately.\n' + '__**LBRY Credit (LBC) Tipper**__\nTransaction Fees: **' + + lbryFee + + '**\n **!tiplbc balance** : get your balance\n **!tiplbc deposit** : get address for your deposits\n **!tiplbc withdraw
** : withdraw coins to specified address\n **!tiplbc <@user> ** :mention a user with @ and then the amount to tip them\n **!tiplbc private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**Proton (PROTON) Tipper**__\nTransaction Fees: **' + protonFee + '**\n **!tipproton balance** : get your balance\n **!tipproton deposit** : get address for your deposits\n **!tipproton withdraw
** : withdraw coins to specified address\n **!tipproton <@user> ** :mention a user with @ and then the amount to tip them\n **!tipproton private ** : put private before Mentioning a user to tip them privately.\n' + '__**Proton (PROTON) Tipper**__\nTransaction Fees: **' + + protonFee + + '**\n **!tipproton balance** : get your balance\n **!tipproton deposit** : get address for your deposits\n **!tipproton withdraw
** : withdraw coins to specified address\n **!tipproton <@user> ** :mention a user with @ and then the amount to tip them\n **!tipproton private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**Uniform Fiscal Object (UFO) Tipper**__\nTransaction Fees: **' + ufoFee + '**\n **!tipufo balance** : get your balance\n **!tipufo deposit** : get address for your deposits\n **!tipufo withdraw
** : withdraw coins to specified address\n **!tipufo <@user> ** :mention a user with @ and then the amount to tip them\n **!tipufo private ** : put private before Mentioning a user to tip them privately.\n' + '__**Uniform Fiscal Object (UFO) Tipper**__\nTransaction Fees: **' + + ufoFee + + '**\n **!tipufo balance** : get your balance\n **!tipufo deposit** : get address for your deposits\n **!tipufo withdraw
** : withdraw coins to specified address\n **!tipufo <@user> ** :mention a user with @ and then the amount to tip them\n **!tipufo private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**Phoenixcoin (PXC) Tipper**__\nTransaction Fees: **' + phoenixFee + '**\n **!tippxc balance** : get your balance\n **!tippxc deposit** : get address for your deposits\n **!tippxc withdraw
** : withdraw coins to specified address\n **!tippxc <@user> ** :mention a user with @ and then the amount to tip them\n **!tippxc private ** : put private before Mentioning a user to tip them privately.\n' + '__**Phoenixcoin (PXC) Tipper**__\nTransaction Fees: **' + + phoenixFee + + '**\n **!tippxc balance** : get your balance\n **!tippxc deposit** : get address for your deposits\n **!tippxc withdraw
** : withdraw coins to specified address\n **!tippxc <@user> ** :mention a user with @ and then the amount to tip them\n **!tippxc private ** : put private before Mentioning a user to tip them privately.\n', ); message.author.send( - '__**Feathercoin (FTC) Tipper**__\nTransaction Fees: **' + featherFee + '**\n **!tipftc balance** : get your balance\n **!tipftc deposit** : get address for your deposits\n **!tipufo withdraw
** : withdraw coins to specified address\n **!tipftc <@user> ** :mention a user with @ and then the amount to tip them\n **!tipftc private ** : put private before Mentioning a user to tip them privately.\n\n **<> : Replace with appropriate value.**' + '__**Feathercoin (FTC) Tipper**__\nTransaction Fees: **' + + featherFee + + '**\n **!tipftc balance** : get your balance\n **!tipftc deposit** : get address for your deposits\n **!tipufo withdraw
** : withdraw coins to specified address\n **!tipftc <@user> ** :mention a user with @ and then the amount to tip them\n **!tipftc private ** : put private before Mentioning a user to tip them privately.\n\n **<> : Replace with appropriate value.**', ); - } + }, }; diff --git a/bot/modules/lbcTipper.js b/bot/modules/lbcTipper.js index 09ff576..67dfa46 100644 --- a/bot/modules/lbcTipper.js +++ b/bot/modules/lbcTipper.js @@ -158,7 +158,11 @@ function doWithdraw(message, tipper, words, helpmsg) { } lbc.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { message.channel.send({ embed: { @@ -263,7 +267,11 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendLBC(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { lbc.sendFrom( tipper, @@ -274,7 +282,11 @@ function sendLBC(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/protonTipper.js b/bot/modules/protonTipper.js index 53da2cd..a7f3f40 100644 --- a/bot/modules/protonTipper.js +++ b/bot/modules/protonTipper.js @@ -158,7 +158,11 @@ function doWithdraw(message, tipper, words, helpmsg) { } proton.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { message.channel.send({ embed: { @@ -263,7 +267,11 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendPROTON(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { proton.sendFrom( tipper, @@ -274,7 +282,11 @@ function sendPROTON(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/pxcTipper.js b/bot/modules/pxcTipper.js index db95dc4..aa86d5c 100644 --- a/bot/modules/pxcTipper.js +++ b/bot/modules/pxcTipper.js @@ -158,7 +158,11 @@ function doWithdraw(message, tipper, words, helpmsg) { } pxc.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { message.channel.send({ embed: { @@ -263,7 +267,11 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendPXC(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { pxc.sendFrom( tipper, @@ -274,7 +282,11 @@ function sendPXC(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/rvnTipper.js b/bot/modules/rvnTipper.js index 814abc4..a813671 100644 --- a/bot/modules/rvnTipper.js +++ b/bot/modules/rvnTipper.js @@ -158,7 +158,11 @@ function doWithdraw(message, tipper, words, helpmsg) { } rvn.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { message.channel.send({ embed: { @@ -263,7 +267,11 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendRVN(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { rvn.sendFrom( tipper, @@ -274,7 +282,11 @@ function sendRVN(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/ufoTipper.js b/bot/modules/ufoTipper.js index 74c1cd5..362faad 100644 --- a/bot/modules/ufoTipper.js +++ b/bot/modules/ufoTipper.js @@ -162,7 +162,11 @@ function doWithdraw(message, tipper, words, helpmsg) { } ufo.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { message.channel.send({ embed: { @@ -267,7 +271,11 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendUFO(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { ufo.sendFrom( tipper, @@ -278,7 +286,11 @@ function sendUFO(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search; diff --git a/bot/modules/vtlTipper.js b/bot/modules/vtlTipper.js index 040a3fa..3c1f004 100644 --- a/bot/modules/vtlTipper.js +++ b/bot/modules/vtlTipper.js @@ -158,7 +158,11 @@ function doWithdraw(message, tipper, words, helpmsg) { } vtl.sendFrom(tipper, address, Number(amount), function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { message.channel.send({ embed: { @@ -263,7 +267,11 @@ function doTip(bot, message, tipper, words, helpmsg) { function sendVTL(bot, message, tipper, recipient, amount, privacyFlag) { getAddress(recipient.toString(), function (err, address) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { vtl.sendFrom( tipper, @@ -274,7 +282,11 @@ function sendVTL(bot, message, tipper, recipient, amount, privacyFlag) { null, function (err, txId) { if (err) { - message.reply(err.message).then((message) => message.delete(10000)); + console.error(err); + message + .reply('An error occurred.') + .then((message) => message.delete(10000)) + .catch(() => {}); } else { if (privacyFlag) { let userProfile = message.guild.members.get(recipient); // ⚡ Bolt: O(1) direct ID lookup vs O(N) linear search;