From f1250748abbdc740ccc6dcbdc07402aa95d1538c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9C=D0=B0=D1=82=D0=B2=D0=B8=D0=B5=D0=BD=D0=BA=D0=BE=20?= =?UTF-8?q?=D0=90=D1=80=D1=82=D1=91=D0=BC?=
Date: Mon, 6 Feb 2023 18:22:10 +0300
Subject: [PATCH 1/2] Fixing existing DB query injections
---
 commands/role/index.js | 13 ++++++++-----
 commands/voice/index.js | 12 ++++++------
 commands/warn/Warn.js | 8 ++++----
 commands/warn/WarnPagination.js | 6 +++---
 init.js | 2 +-
 5 files changed, 22 insertions(+), 19 deletions(-)
diff --git a/commands/role/index.js b/commands/role/index.js
index f0f8029..9ac1b7f 100644
--- a/commands/role/index.js
+++ b/commands/role/index.js
@@ -66,6 +66,7 @@ class Roles extends BaseCommand {
 * @param {CommandInteraction} int
 */
 async slash (int) {
+ console.time('1')
 const member = int.member;
 const permission = this.permission(member);
@@ -79,7 +80,8 @@ class Roles extends BaseCommand {
 if (members) {
 members = members.replace(/[^-_\w]/g, ' ').match(/[0-9]+/g);
 }
-
+ console.timeEnd('1')
+ console.time('2')
 if (!role) {
 if (permission && create) {
 role = (await this.create(
@@ -99,8 +101,8 @@ class Roles extends BaseCommand {
 });
 }
 }
-
-
+ console.timeEnd('2')
+ console.time('3')
 if (!members || !permission) {
 toggleRole(role, member, int.member).then(result => {
 int.reply({
@@ -115,10 +117,10 @@ class Roles extends BaseCommand {
 });
 } else {
 if (!int.replied) {
- await int.reply({
+ int.reply({
 content: 'Запускаю выдачу ролей',
 allowedMentions: constants.AM_NONE
- });
+ }).catch(e => {console.log(e)});
 }
 members.forEach(user => {
@@ -136,6 +138,7 @@ class Roles extends BaseCommand {
 });
 });
 }
+ console.timeEnd('3')
 }
 /**
diff --git a/commands/voice/index.js b/commands/voice/index.js
index 6d709d6..fc593f6 100644
--- a/commands/voice/index.js
+++ b/commands/voice/index.js
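Review bot: The `console.time('1')` … `console.timeEnd('3')` pairs added in the hunks at -66, -79, -99 and -136 of commands/role/index.js are profiling leftovers with opaque labels that will print a timing line on every invocation of `slash`, and they have nothing to do with the injection fixes the subject describes; drop them before merge, or at least gate them behind the `debugAllowModules` mechanism this same series edits in init.js. In the hunk at -115 the `await` on `int.reply(...)` is removed and a rejection is only logged with `console.log(e)`, so the `members.forEach(...)` that follows now runs before the reply has settled; if anything in that loop relies on `int.replied` (the loop body is outside the hunk) it can observe a stale value. Keeping the await while still absorbing the error, `await int.reply({ ... }).catch(e => console.error(e));`, preserves the old ordering and routes the failure to stderr. The enclosing `slash` method starts at -66 and its body continues between and after these hunks.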
@@ -100,7 +100,7 @@ class Voice extends BaseCommand {
 async slash (int) {
 if (int.options.getSubcommand() === 'auto-sync') {
 await int.deferReply({ ephemeral: true });
- DB.query(`UPDATE users SET mode = "${int.options.getString('mode')}" WHERE id = ${int.user.id};`)[0];
+ DB.query(`UPDATE users SET mode = ? WHERE id = ?;`, [int.options.getString('mode'), int.user.id])[0];
 await int.editReply({
 content: reaction.emoji.success + ' ' + int.str('Settings changed'),
 ephemeral: true
@@ -193,7 +193,7 @@ class Voice extends BaseCommand {
 async create (data) {
 let preset;
 try {
- preset = DB.query(`SELECT * FROM users WHERE id = '${data.member.id}';`)[0];
+ preset = DB.query(`SELECT * FROM users WHERE id = ?;`, [data.member.id])[0];
 } catch (e) {
 console.log('DB error occurred:\n' + e);
 }
@@ -286,10 +286,10 @@ class Voice extends BaseCommand {
 userLimit: voice.channel.userLimit
 });
 if (DB.query(
- `SELECT * FROM users WHERE id = ${voice.member.user.id};`)[0]) {
+ `SELECT * FROM users WHERE id = ?;`, [voice.member.user.id])[0]) {
 DB.query(
- `UPDATE users SET voice_data = ? WHERE id = ${voice.member.user.id};`,
- [voice_data]
+ `UPDATE users SET voice_data = ? WHERE id = ?;`,
+ [voice_data, voice.member.user.id]
 )[0];
 } else {
 DB.query(
@@ -305,7 +305,7 @@ class Voice extends BaseCommand {
 */
 async sync (voice) {
 let voiceConfiguration = JSON.parse((
- DB.query(`SELECT * FROM users WHERE id = ${voice.member.user.id};`)[0]
+ DB.query(`SELECT * FROM users WHERE id = ?;`, [voice.member.user.id])[0]
 ).voice_data);
 if (!voiceConfiguration) return 'There is no data entry in the database associated with you. Use `/upload` to fix it.';
diff --git a/commands/warn/Warn.js b/commands/warn/Warn.js
index 40cea9b..1e4ab45 100644
--- a/commands/warn/Warn.js
+++ b/commands/warn/Warn.js
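Review bot: In the hunk at -100 of commands/voice/index.js the new line still indexes the result of an UPDATE with `[0]` and discards it, `DB.query(\`UPDATE users SET mode = ? WHERE id = ?;\`, [int.options.getString('mode'), int.user.id])[0];` — the trailing `[0]` reads as if a row were expected and serves no purpose, so drop it (the context line `)[0];` after the UPDATE in the hunk at -286 has the same pattern). The placeholder rewrites in the four hunks look complete for this file: every previously interpolated value is now in the parameter array and no `${...}` remains inside SQL text here. `int.options.getString('mode')` is bound but not validated before the UPDATE; if `mode` is an enum-like column, checking it against the accepted values first gives a clearer error than a constraint failure, though I cannot tell from the hunk whether the slash-command definition already restricts the choices. The enclosing methods `slash`, `create` and `sync` all continue outside their hunks.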
@@ -274,9 +274,9 @@ class Warn {
 */
 static last (target) {
 const query = target
- ? `SELECT * FROM warns WHERE id = (SELECT MAX(id) FROM warns WHERE target = ${target})`
+ ? `SELECT * FROM warns WHERE id = (SELECT MAX(id) FROM warns WHERE target = ?)`
 : `SELECT * FROM warns WHERE id = (SELECT MAX(id) FROM warns)`;
- const data = DB.query(query);
+ const data = DB.query(query, target ? [target] : undefined);
 if (!data[0]) return undefined;
 return new this(data[0]);
@@ -290,9 +290,9 @@ class Warn {
 */
 static all (target) {
 const query = target
- ? `SELECT * FROM warns WHERE NOT flags & 4 AND target = ${target}`
+ ? `SELECT * FROM warns WHERE NOT flags & 4 AND target = ?`
 : `SELECT * FROM warns WHERE NOT flags & 4`;
- const data = DB.query(query);
+ const data = DB.query(query, target ? [target] : undefined);
 let warns = [];
 for (let i = data.length; i >= 0; i--) {
diff --git a/commands/warn/WarnPagination.js b/commands/warn/WarnPagination.js
index c10a697..42db0b1 100644
--- a/commands/warn/WarnPagination.js
+++ b/commands/warn/WarnPagination.js
@@ -56,12 +56,12 @@ class WarnPagination {
 const skip = this.pageCount * (this.pageNumber - 1);
 const query = target
- ? `FROM warns WHERE target = ${this.target.id} AND NOT flags & 4`
+ ? `FROM warns WHERE target = ? AND NOT flags & 4`
 : `FROM warns WHERE NOT flags & 4`;
- this.count = DB.query('SELECT COUNT(*) AS count ' + query)[0].count;
+ this.count = DB.query('SELECT COUNT(*) AS count ' + query, target ? [this.target.id] : undefined)[0].count;
 const data = DB.query(
 'SELECT * ' + query + ' ORDER BY id DESC LIMIT ?, ?',
- [skip, this.pageCount]
+ target ? [this.target.id, skip, this.pageCount] : [skip, this.pageCount]
 );
 for (const row of data) {
diff --git a/init.js b/init.js
index d4578b3..6fb025e 100644
--- a/init.js
+++ b/init.js
@@ -25,7 +25,7 @@ const init = [
 * Пример: "help"
 * @type {string[]}
 */
-global.debugAllowModules = [];
+global.debugAllowModules = ['levels', 'handler'];
 module.exports = async () => {
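Review bot: `const data = DB.query(query, target ? [target] : undefined);` in the hunks at -274 and -290 of commands/warn/Warn.js repeats the truthiness test that already selected the query text, so the SQL and its parameter list live in two places and can drift apart when one branch is edited; picking both in the same conditional, e.g. `const [query, params] = target ? [<filtered SQL>, [target]] : [<unfiltered SQL>, []];` followed by `DB.query(query, params)`, keeps them in lockstep. Whether `DB.query` accepts an empty array where the original passed `undefined` depends on the wrapper, which is outside this diff, so keep `undefined` if the wrapper needs it. The context line `for (let i = data.length; i >= 0; i--)` in the -290 hunk starts one past the last index, so its first iteration sees `data[data.length] === undefined`; that predates this change but is worth a look while the function is being touched. Both `last` and `all` continue past their hunks.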
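Review bot: In commands/warn/WarnPagination.js the parameter lists for the COUNT, `target ? [this.target.id] : undefined`, and for the paged SELECT, `target ? [this.target.id, skip, this.pageCount] : [skip, this.pageCount]`, each re-derive the optional target binding separately from the `query` string they accompany; computing it once next to `query` (`const params = target ? [this.target.id] : [];`) and passing `params` to the COUNT and `[...params, skip, this.pageCount]` to the SELECT removes the duplication. The conditions test `target` while the bound value is `this.target.id`; the binding of `target` is outside the hunk, and if it is not simply an alias of `this.target` the query text and the placeholder count can disagree. Joining the fixed string fragments with `+` is fine now that no user-controlled value enters the SQL text. The enclosing method starts and ends outside the hunk.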
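Review bot: `global.debugAllowModules = ['levels', 'handler'];` in init.js switches on debug output for two modules inside a commit whose subject is the injection fix, and the next commit in this series (4644c43, "Disable debug mode") flips it straight back to `[]`; either squash the two or drop this line from the patch so the debug toggle never lands in history. If a local override is wanted during development, sourcing it from the environment at startup instead of editing the committed default avoids this kind of round-trip.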
From 4644c435c4205ad76ce70ab15c36959bb12aec30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9C=D0=B0=D1=82=D0=B2=D0=B8=D0=B5=D0=BD=D0=BA=D0=BE=20?= =?UTF-8?q?=D0=90=D1=80=D1=82=D1=91=D0=BC?=
Date: Mon, 6 Feb 2023 18:24:05 +0300
Subject: [PATCH 2/2] Disable debug mode
---
 init.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/init.js b/init.js
index 6fb025e..d4578b3 100644
--- a/init.js
+++ b/init.js
@@ -25,7 +25,7 @@ const init = [
 * Пример: "help"
 * @type {string[]}
 */
-global.debugAllowModules = ['levels', 'handler'];
+global.debugAllowModules = [];
 module.exports = async () => {