New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(Sharding*): contexts for broadcastEval #5756
feat(Sharding*): contexts for broadcastEval #5756
Conversation
Co-authored-by: Antonio Román <kyradiscord@gmail.com>
Is there something speaking against requiring a function to be passed? |
Updated the PR with this suggestion! 😄 |
…n error Co-authored-by: SpaceEEC <spaceeec@yahoo.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One more thing
Co-authored-by: SpaceEEC <spaceeec@yahoo.com>
Please describe the changes this PR makes and why it should be merged:
This allows developers to write safer eval code by allowing them to pass functions and contexts to
broadcastEval
in bothShardClientUtil
andShardingManager
.This avoids directly injecting malicious code into your eval scripts. Instead, you can treat your functions as templates (which you can make sure are safe) which are then injected with a context later on.
For example, the following code is vulnerable (taken and adapted from https://github.com/oadpoaw/discordjs-bot-rce). It's important to recognise that this isn't a security issue with discord.js -- using eval is inherently dangerous, and this is the clearest case of passing unsanitised input to eval.
While this isn't a security issue with discord.js, we can definitely make it much easier to write safer code. The following code snippet is not vulnerable.
It's important to note that the context you pass (e.g. in the above example, the context is
{ userId: unsafe }
must be JSON-serializable. This means you can't pass complex data types in the context directly.This PR removes support for calling
broadcastEval
with strings to enforce better practice with security.Status and versioning classification: