Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[V3] ctx.send modifications and other output sanitization #1942

Merged
merged 6 commits into from
Aug 24, 2018
Merged

[V3] ctx.send modifications and other output sanitization #1942

merged 6 commits into from
Aug 24, 2018

Conversation

mikeshardmind
Copy link
Contributor

@mikeshardmind mikeshardmind commented Jul 17, 2018
edited
Loading

Type

  • Bugfix
  • Enhancement
  • New feature

Description of the changes

This modifies ctx.send to accept a filter, and provide a default filter which removes mass mentions

This also adds username sanitization to modlog's cases and mod's userinfo.

Also adds a convienience feature as bot.send_filtered (but more granular application of filtering is still advised)

See #1941 and the #mod-log channel on discord around August 4th for real world cases on this.

Alternatives I've considered:

  • Manually scrub most output
  • modifications to user.display_name to automatically include such a replacement
  • don't fix, and point people towards the display name filter in the builtin filter cog

What this doesn't fix:

  • Sending to a channel or user directly is not fixed here, I'm not patching discord.abc.Messageable unless discussion about overriding more of discord.py happens to prompt this.

(manually sanitizing using the added filters works for this)

@mikeshardmind
Copy link
Contributor Author

I like the way this functions in practice enough that I've gone ahead and PR'd it upstream more robustly. I'd say using this here is safe under the same considerations mentioned in that PR (i.e. don't use this to redact accidental token leaks in things like eval, as that should be done in other ways to prevent user input guess & check)

We can use this solution safely until something like that is (if) merged upstream if we want

@mikeshardmind mikeshardmind changed the title [V3] ctx.send modifications [NO MERGE] [V3] ctx.send modifications Jul 17, 2018
@Kowlin Kowlin added the V3 label Jul 21, 2018
@qwazwsx
Copy link

qwazwsx commented Aug 1, 2018

bump, I've added these changes in manually to my install but the majority of servers right now are still vulnerable. In a server of 10k people this really isn't something we can risk, and I see a lot of other server owners feeling the same way.

@Twentysix26 and other maintainers, please look into this.

@Twentysix26
Copy link
Member

@qwazwsx This PR is being considered, however, I'd argue that in a 10k people server the bot shouldn't have permissions to mass mention to begin with :)

@mikeshardmind
Copy link
Contributor Author

I strongly disagree that a 10k person bot shouldn't be able to have mass mention perms. There may be announcements which actually should require it in any community. While the opportunity for them is few and far between in most well-run communities, whether a bot having those permissions makes sense is ultimately up to those communities to decide.

@Twentysix26
Copy link
Member

I'm aware of legitimate uses for mass mentions on big servers, however I was attempting to point out that there are plenty of ways to prevent unwanted mass mentions, even without touching any code.
For announcements, for example, is possible to give the bot mass mention permissions in one single channel (announcement channels are common), avoiding the risk of users triggering a mass mention in others.
@qwazwsx 's message sounded urgent, so I provided a ready solution.

@Tobotimus Tobotimus added this to the Beta 19 milestone Aug 7, 2018
Add output sanitization defaults to context.send
18cd719 
Add some common regex filters in redbot.core.utils.common_filters
Add a wrapper for ease of use in bot.send_filtered
Sanitize ModLog Case's user field (other's considered trusted as moderator input)
Sanitize Usernames/Nicks in userinfo command.
Santize Usernames in closing of tunnels.
@mikeshardmind
Copy link
Contributor Author

I've done another pass over the various places we take in user input in any form, specifically for anything which could mass mention unintentionally. Searching for places we potentially take in links is a lot more intensive since even in embedded content, invite links need sanitization or discord will render an invite. The good news is, mentions inside of embeds don't actually ping users.

I consider the mass mentions the more important nuisance to kill (both would be ideal.) I feel this is ready enough for public use at this point as a solution, but I'm not sure I've covered everywhere this needs handling when it comes to filtering (specifically invite links from) embeds.

This can be 100% covered by automatically re-constructing all embed objects, but I felt this was too much a performance drain in practice on even a 200 user server that tried to help me break it. What it will come down to is applying selective filtering to content before placing it in an embed if from an untrusted source.

@mikeshardmind mikeshardmind changed the title [V3] ctx.send modifications [V3] ctx.send modifications and other output sanitization Aug 9, 2018
@Tobotimus Tobotimus assigned calebj and unassigned aikaterna Aug 9, 2018
@Tobotimus Tobotimus modified the milestones: Beta 19, Future release Aug 12, 2018
@mikeshardmind
Copy link
Contributor Author

A note on behavior in embeds. It seems at some point after the August 4th raiding incident, discord Changed the behavior of invites to not be rendered in embeds. They are still rendered when in code blocks, and in a modlog entry we probably shouldn't be advertising servers just because someone having a mod action done to them was named as an invite. This leaves verifying all of the other locations for this behavior at a much lower priority, but still able to be changed as needed at a later date.

Michael H and others added 3 commits August 22, 2018 02:52
@mikeshardmind mikeshardmind requested a review from tekulvw as a code owner August 24, 2018 13:41
@Tobotimus Tobotimus added the Type: Enhancement Something meant to enhance existing Red features. label Aug 24, 2018
@Tobotimus Tobotimus added QA: Passed Used by few QA members. Has been approved by the assigned QA member(s). Type: Fix and removed QA: Needed labels Aug 24, 2018
@Tobotimus Tobotimus merged commit 77944e1 into Cog-Creators:V3/develop Aug 24, 2018
@Tobotimus Tobotimus mentioned this pull request Aug 24, 2018
Closed
@mikeshardmind mikeshardmind deleted the V3/mass-mention-avoidance branch December 26, 2019 17:01
@Jackenmen Jackenmen added the Type: Bug Unexpected behavior, result, or exception. In case of PRs, it is a fix for the foregoing. label Jul 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Tobotimus Tobotimus Tobotimus approved these changes

@Twentysix26 Twentysix26 Awaiting requested review from Twentysix26

@palmtree5 palmtree5 Awaiting requested review from palmtree5

@tekulvw tekulvw Awaiting requested review from tekulvw

Assignees

@calebj calebj

Labels
QA: Passed Used by few QA members. Has been approved by the assigned QA member(s). Type: Bug Unexpected behavior, result, or exception. In case of PRs, it is a fix for the foregoing. Type: Enhancement Something meant to enhance existing Red features.
Projects
None yet
Milestone
3.0.0b20
Development

Successfully merging this pull request may close these issues.
8 participants
@mikeshardmind @qwazwsx @Twentysix26 @Tobotimus @calebj @Jackenmen @Kowlin @aikaterna