Message overflow allows users to execute any commands as bot user
DSSoftware opened this issue · 7 comments
What's the issue:
Slicing long messages into several messages allows possible unauthorized command execution.
How to reproduce:
A command like this
1234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234/gc hey
would execute the command /gc hey
as the bot, but it needs adjustments so that it slices the message right at the end of the placeholder string and sends the payload as another message.
How to fix:
The simplest option is to remove slicing entirely OR add IGN > at the end of the sliced string.
This looks like your first issue!
Thank you for bringing this issue to our attention.
Expect a developer to comment within the first 3-5 business days of issue submission.
Reason for unintended behavior:
Mineflayer Docs:
bot.chat(message)
Sends a publicly broadcast chat message. Breaks up big messages into multiple chat messages as necessary.
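The following is an added, stand-alone example, not code from this repository or from mineflayer, that models the behaviour described above and in the report. It assumes a 256-character per-message limit, fixed-size slicing of the kind the docs describe, a sender IGN of `Alice`, and a toy server that treats any packet beginning with `/` as a command; `forwardVulnerable` prefixes the IGN once and then slices, while `forwardHardened` reserves room for the prefix and prepends it to every slice.

```javascript
// Added example (not the bridge's or mineflayer's own code): why prefixing
// "IGN > " once and then letting bot.chat() slice the message lets a padded
// message turn into a command sent as the bot, and one way to fix it.

const CHAT_LIMIT = 256; // assumed per-packet chat limit used for slicing

// Models bot.chat(): slices text into fixed-size chunks and sends each one
// as its own chat packet.
function sliceLikeBotChat(message, limit = CHAT_LIMIT) {
  const chunks = [];
  for (let i = 0; i < message.length; i += limit) {
    chunks.push(message.slice(i, i + limit));
  }
  return chunks;
}

// Toy model of the server side: a packet starting with "/" is dispatched
// as a command with the bot's permissions, anything else is plain chat.
function serverHandle(packet) {
  return packet.startsWith('/')
    ? { type: 'command', value: packet.slice(1) }
    : { type: 'chat', value: packet };
}

// Vulnerable bridge: "IGN > " is added once, then the whole string is sliced,
// so a cut that lands right before "/gc hey" yields a packet that IS a command.
function forwardVulnerable(ign, text) {
  const full = `${ign} > ${text}`;
  return sliceLikeBotChat(full).map(serverHandle);
}

// Hardened bridge: every slice is sized to leave room for the prefix and gets
// the prefix prepended, so no packet can begin with "/" wherever the cut falls.
function forwardHardened(ign, text, limit = CHAT_LIMIT) {
  const prefix = `${ign} > `;
  const room = limit - prefix.length;
  if (room <= 0) throw new Error('prefix leaves no room for message text');
  return sliceLikeBotChat(text, room).map((chunk) => serverHandle(prefix + chunk));
}

// Constructed payload in the shape the report shows: enough padding that the
// 256-character cut falls exactly before the command.
function buildPayload(ign, command = '/gc hey', limit = CHAT_LIMIT) {
  const prefix = `${ign} > `;
  return '1'.repeat(limit - prefix.length) + command;
}

// Runs both bridges on the same payload and reports which packets the toy
// server would have executed as commands.
function demo(ign = 'Alice') {
  const payload = buildPayload(ign);
  const executed = (packets) => packets.filter((p) => p.type === 'command').map((p) => p.value);
  return {
    vulnerableCommands: executed(forwardVulnerable(ign, payload)),
    hardenedCommands: executed(forwardHardened(ign, payload)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Without the padding, `forwardVulnerable('Alice', '/gc hey')` is harmless because the prefix lands in front of the slash; the padding only matters because it pushes the slash to the very first character of the second slice. The hardened version also caps each outgoing packet at the limit, since the prefix is counted against the room left for text.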
Heya, thanks, gonna check that out once I'm free.
#169 is done and should fix this issue.