Security issue - Eval + Query Inject

$(eval) + $(query) allows code injection attempts, since variable names in the system are only received by temporary changes through some kind of quotes (', ", `). One of the possible protections against commands starting with '/', '+', '!' or '.' would be 'replace', but it is also useless in these cases, since the 'query' variable is converted before 'replace' is applied, allowing code manipulation during conversion. So you might think, "Just type something before eval," and this actually does prevent bot or Twitch commands, which can only be used at the beginning of the sentence. But what about those that aren't at the beginning?
For example, in the Brazilian community there are many commands that begin with '+' and '-', such as '+b user', '-b user', '+k', '+p', '+s', '-s', and countless others for standard actions like ban, unban, timeout, purge, sub mode, sub off, etc. To avoid creating regexes, most channels use them as "keywords" that can be found anywhere in a moderator's sentence to activate them. This makes them usable in bots that usually require an exclamation mark before the command.
Example of the problem:
!addcom !supposedly catJAM $(eval var word = "supposedly"; var phrase = "$(query)".replace(/[^a-zA-Z0-9]/g, word); phrase;)
This command inserts the word "supposedly" in place of each space or punctuation symbol.
!supposedly I have a cat!
Nightbot: catJAM I supposedly have supposedly a supposedly cat supposedly
!supposedly +b twitch"; "I have a cat!
Nightbot: catJAM +b twitch
Twitch has been banned.

Anywhere there is arbitrary evaluation of user input, code injection can and will result. This is not something that Nightbot is concerned with, since it prevents messages that start with native commands (/ and .) on streaming platforms. Care must be given when programming Nightbot if other bots are listening for keyword commands that perform potentially destructive operations with those commands.

I understand, but this flaw in Nightbot lets the user do anything they want through it, such as manipulating APIs by taking advantage of the bot's moderator status. For example, the API for sending sequential messages.
Any channel that has query inside eval becomes a target because of Nightbot's flaw, regardless of what the programmer does.
If the query were always converted to a string before being inserted as part of the code, or if replace affected the query first, or even if the query were substituted in encoded form, programmers could defend themselves against injections. The problem is that it ignores all of that and becomes part of the code before it is read as a string or affected by replace.
I understand that it is not Nightbot's duty to prevent people from ruining the experience of streamers' channels, but it is a flaw that exists. Especially in channels that use several complementary bots.
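The following is an added example, not code from the thread and not Nightbot's own implementation: a toy model of the !supposedly command from the first post, showing why the payload escapes the string literal when $(query) is spliced into the source as raw text, and what the "encoded query" idea from the post above would look like if the substituted value were percent-encoded and decoded inside the string. How Nightbot really performs the substitution is an assumption here; the two substitute functions and the placeholder name are illustrative only.

```javascript
// Added example, not Nightbot's code: a toy model of how a $(eval) body that
// embeds $(query) by plain text substitution is escaped, and how substituting
// a percent-encoded copy of the query (the "encode" idea from the thread)
// keeps attacker input inside the string literal. How Nightbot really performs
// substitution is assumed here, not taken from its source.

// The JavaScript inside $(eval ...) from the !supposedly command, with the
// placeholder exactly where the command author wrote $(query).
const VULNERABLE_TEMPLATE =
  'var word = "supposedly"; ' +
  'var phrase = "$(query)".replace(/[^a-zA-Z0-9]/g, word); phrase;';

// Same command, but written against a placeholder that is assumed to arrive
// percent-encoded, so it must be decoded before use.
const HARDENED_TEMPLATE =
  'var word = "supposedly"; ' +
  'var phrase = decodeURIComponent("$(query)").replace(/[^a-zA-Z0-9]/g, word); phrase;';

// Vulnerable substitution: raw chat text is spliced into the source before
// it is parsed, so a double quote in the query terminates the string literal
// and everything after it becomes code. The .replace() in the template runs
// too late to help, which is the point made in the thread.
function substituteRaw(template, query) {
  return template.split('$(query)').join(query);
}

// Percent-encode the query. encodeURIComponent leaves ! ' ( ) * untouched;
// a single quote would break out of a single-quoted template, so those five
// are encoded as well (the fixedEncodeURIComponent pattern).
function strictEncode(text) {
  return encodeURIComponent(text).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Hardened substitution: after encoding, the spliced text can only contain
// [A-Za-z0-9%_.~-], none of which can close a quote or end a statement.
function substituteEncoded(template, query) {
  return template.split('$(query)').join(strictEncode(query));
}

// Execute the substituted source the way an eval variable would: the value of
// the last expression statement becomes the bot's reply. Indirect eval keeps
// the template out of this module's scope.
function runCommand(template, substitute, query) {
  const source = substitute(template, query);
  return { source, reply: String((0, eval)(source)) };
}

// Constructed inputs: the benign message and the payload from the thread.
const BENIGN = 'I have a cat!';
const PAYLOAD = '+b twitch"; "I have a cat!';

function demo() {
  return {
    benignRaw:      runCommand(VULNERABLE_TEMPLATE, substituteRaw,     BENIGN).reply,
    payloadRaw:     runCommand(VULNERABLE_TEMPLATE, substituteRaw,     PAYLOAD).reply,
    payloadEncoded: runCommand(HARDENED_TEMPLATE,   substituteEncoded, PAYLOAD).reply,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

With raw substitution the payload's reply is exactly "+b twitch", the keyword that the moderation bot in the thread acts on, because the rest of the message has become a discarded JavaScript expression. With the encoded substitution the whole payload is treated as data and the reply is the full message with every non-alphanumeric character replaced, quotes included. The caveat to take from strictEncode is that encodeURIComponent alone leaves the single quote unencoded, which is enough to break out of a single-quoted template.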

$(eval) is a choice streamers are making at their own risk. We do not require streamers to use it nor do we recommend it. In the documentation we clearly state this can be dangerous:

Variables substituted inside of the Eval variable are treated as raw JavaScript. Because of this, extra care should be taken when using variables inside of Eval.