Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token Leak via jishaku py #96

Closed
4 tasks done
DuckMasterAl opened this issue Mar 1, 2021 · 1 comment
Closed
4 tasks done

Token Leak via jishaku py #96

DuckMasterAl opened this issue Mar 1, 2021 · 1 comment
Labels
invalid

Comments

@DuckMasterAl
Copy link

DuckMasterAl commented Mar 1, 2021
edited
Loading

Summary

You are able to get the bot's token by using jishaku py

Reproduction steps

jsk py list(bot.http.token)

Expected results

The token is [token omitted].

Actual results

You get enough information to put together the bot's token.

Checklist

  • I have updated discord.py and jishaku to the latest available versions and have confirmed that this issue is still present
  • I have searched the open issues for duplicates
  • I have shown the entire traceback, if possible
  • I have removed my token from display, if visible

System information

jiskaku version: 1.20.0.220
discord.py version: 1.6.0
@scarletcafe
Copy link
Owner

I have written at length in the past about why the ability to display your token using Jishaku is not a bug. I cannot stop you from intentionally exposing your credentials.

No matter what I patch for, there will always be new avenue that is not covered. If I was to explicitly detect this case, then the next complaint would be that bot.http.token[::-1] is sufficient to rebuild the token - or list(bot.http.token[::-1]). Maybe '_'.join(bot.http.token)? Am I supposed to detect if your token has been put through a Caeser Shift cipher, as well?

Please read the following to get the full spiel on why I won't fix this:
#61 (comment)

The intent of the omission is to avoid mistakes. A developer might choose to evaluate _bot.http.__dict__, or something like their own _bot.config, without thinking or realizing ahead of time that this would expose their token directly. Jishaku is, through omitting the token, attempting to prevent you from doing something you did not intend to do.

A statement as direct as list(bot.http.token) cannot be a mistake. The intent of the developer is clear - and Jishaku trusts that the intent of the developer is genuine. There are way worse things you can do if you intentionally create malicious code.

All of this boils down to:

  • Do not write code that does something you do not intend to do. Computers ask no questions.
  • Do not run code from people you do not trust, and always audit code to make sure you understand what it is doing before you run it.
  • As mentioned in the MIT License, Jishaku comes 'as is', with no warranty. The code you execute with it, and the side effects of such code, are entirely the responsibility of you, the user, and you should use it only with adequate acknowledgement and understanding of this responsibility.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
invalid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@scarletcafe @DuckMasterAl