Sending 2000, 4000 or 6000 characters to Discord panics in util.PartitionMessage (index out of range) #240
Comments
justinsteven added a commit to justinsteven/notify that referenced this issue May 22, 2022

Includes fixes for:
* containrrr/shoutrrr#238
  * Sending more than ~99 lines to Slack fails with too_many_attachments
* containrrr/shoutrrr#240
  * Sending 2000, 4000 or 6000 characters to Discord panics
* containrrr/shoutrrr#244
  * Sending 1999, 3999 or 5999 characters to Discord panics
  * (Incomplete fix for the above)
ehsandeep added a commit to projectdiscovery/notify that referenced this issue May 30, 2022

* go.mod update to 1.17 and dependency synchronisation
* Docker file update to use go 1.18 and "go install" instead of "go get"
* Minor documentation updates
* GitHub action version updates
* goreleaser-action version fix
* Allow -bulk to work with stdin
* go mod update
* replaced helper function with lib
* Do chunked reading in -bulk mode
  Reduces memory usage when input is big
  Also includes the fix for #134 (makes testing easier)
* Move bulkSplitter to util.go
* Remove unused function
* Refactor bulkSplitter
  Simplified looping. Also, we no longer truncate mid-line unless it's the first line of a chunk (in such a case we have no option but to truncate). A truncated line will be followed by an ellipsis. Otherwise we're splitting chunks at the last possible newline without exceeding charLimit for that chunk.
* Bugfix: Always remove trailing newlines
* Bump shoutrrr for long message fixes
  Includes fixes for:
  * containrrr/shoutrrr#238
    * Sending more than ~99 lines to Slack fails with too_many_attachments
  * containrrr/shoutrrr#240
    * Sending 2000, 4000 or 6000 characters to Discord panics
  * containrrr/shoutrrr#244
    * Sending 1999, 3999 or 5999 characters to Discord panics
    * (Incomplete fix for the above)
* minor changes

Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io>
Co-authored-by: forgedhallpass <13679401+forgedhallpass@users.noreply.github.com>
Co-authored-by: mzack <marco.rivoli.nvh@gmail.com>
What happens
Sending exactly 2000, 4000 or 6000 characters to Discord panics
What should happen
Sending any number of characters to Discord should succeed
Demo
Notes
There is also a report of util.PartitionMessage panicking with what seems to be a message of 3990 characters - see projectdiscovery/notify#130 (review). I haven't been able to reproduce this crash. It may or may not be related.

This is a potential DoS vulnerability. If an attacker can cause a consumer of shoutrrr to attempt to send a Discord message of a precise length, the consumer will panic, rendering the service unavailable. Without a published security policy I don't have a way of discreetly reporting this. May I suggest you publish a policy :)
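A boundary-safe splitter with a regression check for the lengths named in this issue, as an added example that is not part of the original issue and is not shoutrrr's code. The names `partition` and `survives` and the 2000 x 3 limits are assumptions inferred from the reported lengths.

```go
package main

import (
	"fmt"
	"strings"
)

// partition is a hypothetical splitter (not shoutrrr's code): at most limit
// chunks of at most size runes each, plus the count of runes that did not fit.
func partition(msg string, size, limit int) (chunks []string, omitted int) {
	runes := []rune(msg)
	if size <= 0 || limit <= 0 {
		return nil, len(runes)
	}
	start := 0
	for start < len(runes) && len(chunks) < limit {
		end := start + size
		if end > len(runes) { // clamp: never index past the end of the input
			end = len(runes)
		}
		chunks = append(chunks, string(runes[start:end]))
		start = end
	}
	return chunks, len(runes) - start
}

// survives reports whether partition handles an n-character message without
// panicking, losing characters or emitting an empty trailing chunk.
func survives(n, size, limit int) (ok bool) {
	defer func() {
		if recover() != nil { // a panic is recorded as a failure, not a crash
			ok = false
		}
	}()
	msg := strings.Repeat("A", n) // constructed input
	chunks, omitted := partition(msg, size, limit)
	joined := strings.Join(chunks, "")
	last := len(chunks) - 1
	return len(joined)+omitted == n && strings.HasPrefix(msg, joined) &&
		(last < 0 || chunks[last] != "")
}

func main() {
	// Assumed limits (2000 x 3); lengths sit on and around each chunk boundary.
	for _, n := range []int{0, 1999, 2000, 2001, 3999, 4000, 5999, 6000, 6001} {
		fmt.Printf("%d chars: ok=%v\n", n, survives(n, 2000, 3))
	}
}
```

The same `survives` check can be run over every length from 0 to one past the total limit in a unit test, so an off-by-one at any chunk boundary fails the build.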