Prevent edge-case exploitation that allows execution of arbitrary fan…

…tasy commands. This commit replaces \r\n with '. ' in tweets. An edge-case issue where you may be able to exploit the bot having op. Should you be the one being tracked, you could insert a newline in your tweet, and follow it up for "!ban <someone>" to execute a fantasy command. This exploit requires a lot of requirements to be met. Mainly the fact that the bot has permissions in the channel, and that the followed person is associated and aware of the possibility.
Zarthus · Aug 13, 2015 · 6b1941b · 6b1941b
1 parent c8b82f6
commit 6b1941b
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/lib/twitterbot/plugins/twitter_announcer.rb b/lib/twitterbot/plugins/twitter_announcer.rb
@@ -152,8 +152,9 @@ def get_tweets(account, amount = 3)
         begin
           @twitter.user_timeline(account, count: amount).each do |tweet|
             name = tweet.user.screen_name
+            twtext = tweet.text.gsub("\r?\n", '.  ')
 
-            tweets << { account: name, tweet: tweet.text, time: tweet.created_at, uri: tweet.uri.to_s, id: tweet.id }
+            tweets << { account: name, tweet: twtext, time: tweet.created_at, uri: tweet.uri.to_s, id: tweet.id }
           end
         rescue StandardError => e
           warn "Unable to retrieve Tweet information for #{account}: #{e}"

diff --git a/lib/twitterbot/version.rb b/lib/twitterbot/version.rb
@@ -1,7 +1,7 @@
 module TwitterBot
   VERSION_MAJOR = 1
   VERSION_MINOR = 1
-  VERSION_BUILD = 0
+  VERSION_BUILD = 1
   VERSION_APPEND = ''
 
   VERSION = "#{VERSION_MAJOR}.#{VERSION_MINOR}.#{VERSION_BUILD}#{VERSION_APPEND}".freeze