
Sanitize bot output #1031

@lemonsaurus

Description

The problem

Right now, it is possible to exploit certain parts of the bot in order to make the bot post things a regular member would normally not be allowed to post.

These techniques can be used to circumvent our filters, which is somewhat problematic.

For example, by using eval to build a string containing a Discord guild invite, you can circumvent our guild invite filter.
image

You can also do this by exploiting the fact that our custom exception format will repeat the input.
image

Running filters over eval output

To fix the exploit involving !eval, we should change the !eval command so that it will not return anything that triggers a filter.

Let's change the Snekbox cog so that we will do the following:

  • Call snekbox and get the output
  • Run the output through all the active filters.
  • If a filter is triggered, do not post the output. Instead, post a message that says something like "Attempt to circumvent filter detected. Moderator team has been alerted."

To do this, we will probably also need to make some changes to the Filtering cog so that we can run filters over an arbitrary string.

Changing the custom exception output

Currently when we return our custom exceptions, we repeat the input that failed. The simplest solution is not to do this.

Let's simply change this code so that the exception output does not repeat the input, but otherwise looks more or less the same.
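A worked example of both changes proposed above: running the active filters over the text `!eval` is about to post, and an error format that no longer echoes the rejected input. This is added illustration, not code from python-discord/bot; the names `Filter`, `ACTIVE_FILTERS`, `sanitize_eval_output` and `format_invalid_input_error`, the single invite-link pattern, and the `alert` callback are assumptions standing in for the real Filtering and Snekbox cogs.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed filter registry (assumption): the bot's real Filtering cog keeps its own
# rules. One invite-link rule is enough to exercise the sanitizing path from the issue.
INVITE_PATTERN = re.compile(
    r"(?:https?://)?(?:www\.)?(?:discord(?:app)?\.com/invite|discord\.gg)/[A-Za-z0-9-]+",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Filter:
    """One named rule; `pattern` is searched against the text the bot is about to post."""
    name: str
    pattern: re.Pattern


ACTIVE_FILTERS: tuple[Filter, ...] = (Filter("discord_invite", INVITE_PATTERN),)

FILTER_BLOCK_MESSAGE = "Attempt to circumvent filter detected. Moderator team has been alerted."


def triggered_filters(text: str, filters: tuple[Filter, ...] = ACTIVE_FILTERS) -> list[str]:
    """Return the names of every active filter whose pattern matches `text`."""
    return [f.name for f in filters if f.pattern.search(text)]


def sanitize_eval_output(
    raw_output: str,
    alert: Optional[Callable[[str, list[str]], None]] = None,
) -> tuple[str, list[str]]:
    """Decide what the !eval command may post.

    The filters run over the exact text that would be sent, so a string the sandboxed
    code assembled piecewise is caught the same way a typed message would be.
    Returns (text_to_post, names_of_triggered_filters).
    """
    hits = triggered_filters(raw_output)
    if not hits:
        return raw_output, []
    if alert is not None:
        # Hand the original text to the moderation side, never to the public channel.
        alert(raw_output, hits)
    return FILTER_BLOCK_MESSAGE, hits


def format_invalid_input_error_echoing(command: str, user_input: str, reason: str) -> str:
    """Before: the error message repeats the rejected input verbatim, so the bot reposts
    whatever the user typed, bypassing the filters that apply to the user's own message."""
    return f"`{command}`: {reason}: {user_input}"


def format_invalid_input_error(command: str, reason: str) -> str:
    """After: explain why the input was rejected without quoting it."""
    return f"`{command}`: {reason}"


if __name__ == "__main__":
    # Constructed sample: output that the sandboxed code built piece by piece.
    sample_output = "Join: " + "https://discord.gg/" + "abc123"
    text, hits = sanitize_eval_output(sample_output, alert=lambda t, h: print("mod alert:", h))
    print(text)          # the block message, not the invite
    print(format_invalid_input_error("remind", "Invalid duration"))
```

Whatever the final message template looks like (return code line, code fence, truncation), the filter pass belongs on the fully rendered string rather than on the raw sandbox output, since the rendered string is what reaches the channel.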

Metadata

Labels

  • a: backend: Related to internal functionality and utilities (error_handler, logging, security, utils and core)
  • a: utility: Related to utility commands (bot, eval, extensions, jams, reminders, snekbox, utils)
  • l: 1 - intermediate
  • p: 0 - critical: Needs to be addressed ASAP
  • t: bug: Something isn't working

Development

No branches or pull requests