alekeagle / dadbot

Dad Bot Mega Pog edition! (now with 20% more TypeScript!)

Home Page: https://alekeagle.com/dad-bot

License: GNU Affero General Public License v3.0

TypeScript 99.47% Shell 0.40% C 0.12%

dadbot's Introduction

Howdy

dadbot's People

Contributors: alekeagle, claywahlstrom, danii, dvsaezi, faith-ie, murmiration, nexinfinite, waviestballoon, xhayper

dadbot's Issues

kys detection not working as intended

The regex for kys detection in autoresponse doesn't seem to catch "kill yourself" or "kill your self" and only reacts to "kys".
This has been reflected in the bot's actual behavior, where the bot would react to "kys" but not "kill yourself".

This approach is one possible fix (ignore the /gm).

CVE-2019-10744 (High) detected in lodash-4.17.11.tgz

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /dadbot/package.json

Path to vulnerable library: /tmp/git/dadbot/node_modules/lodash/package.json

Dependency Hierarchy:

  • sequelize-5.8.11.tgz (Root Library)
    • lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: d20ae948ab5c99335c05217149c5b8a266881c12

Vulnerability Details

A Prototype Pollution vulnerability was found in lodash through version 4.17.11.

Publish Date: 2019-07-08

URL: CVE-2019-10744

CVSS 2 Score Details (7.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@a01e4fa

Release Date: 2019-07-08

Fix Resolution: 4.17.12


Step up your Open Source Security Game with WhiteSource here

WS-2020-0070 (High) detected in lodash-4.17.15.tgz

WS-2020-0070 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/dadbot/package.json

Path to vulnerable library: /tmp/ws-scm/dadbot/node_modules/lodash/package.json

Dependency Hierarchy:

  • perspective-api-client-3.1.0.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 4d0da022e836cce565c58f867a51c9c11bd0ec8b

Vulnerability Details

A prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype.

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.


CVE-2021-32696 (Medium) detected in striptags-3.1.1.tgz

CVE-2021-32696 - Medium Severity Vulnerability

Vulnerable Library - striptags-3.1.1.tgz

PHP strip_tags in Node.js

Library home page: https://registry.npmjs.org/striptags/-/striptags-3.1.1.tgz

Path to dependency file: dadbot/package.json

Path to vulnerable library: dadbot/node_modules/striptags/package.json

Dependency Hierarchy:

  • perspective-api-client-3.1.0.tgz (Root Library)
    • striptags-3.1.1.tgz (Vulnerable Library)

Found in HEAD commit: c11022a7dce1aeb57a10362440a8d250763cc47d

Vulnerability Details

The npm package "striptags" is an implementation of PHP's strip_tags in Typescript. In striptags before version 3.2.0, a type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function. This can lead to a XSS.

Publish Date: 2021-06-18

URL: CVE-2021-32696

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-qxg5-2qff-p49r

Release Date: 2021-06-18

Fix Resolution: striptags - 3.2.0


CVE-2021-32640 (Medium) detected in ws-7.4.5.tgz

CVE-2021-32640 - Medium Severity Vulnerability

Vulnerable Library - ws-7.4.5.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.4.5.tgz

Path to dependency file: dadbot/package.json

Path to vulnerable library: dadbot/node_modules/ws/package.json

Dependency Hierarchy:

  • eris-0.14.1.tgz (Root Library)
    • ws-7.4.5.tgz (Vulnerable Library)

Found in HEAD commit: c11022a7dce1aeb57a10362440a8d250763cc47d

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution: ws - 7.4.6


CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: dadbot/package.json

Path to vulnerable library: dadbot/node_modules/lodash/package.json

Dependency Hierarchy:

  • perspective-api-client-3.1.0.tgz (Root Library)
    • lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: c11022a7dce1aeb57a10362440a8d250763cc47d

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash-4.17.21


CVE-2021-23337 (High) detected in lodash-4.17.20.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: dadbot/package.json

Path to vulnerable library: dadbot/node_modules/lodash/package.json

Dependency Hierarchy:

  • perspective-api-client-3.1.0.tgz (Root Library)
    • lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: c11022a7dce1aeb57a10362440a8d250763cc47d

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21


Consider adding an open source license

It doesn't look like you have a problem with people hosting their own instance of dad bot (which is great considering the current situation) but since there isn't an open source license, modifying a private instance is not allowed I think (since the default is all rights reserved).

If this is what you want, it's probably a good idea to add a license file that just says "All rights reserved" or something.

If you want modified private instances to be open-source I suggest choosing AGPL, otherwise ISC will probably suffice (as it is used in cluster client). If you really don't care what people do with it, you could choose Unlicense. But please do inform yourself about all options here: https://choosealicense.com/

Add a SFW toggle?

Hi, I run a small Discord server with dad bot, and there are quite a lot of very lewd and NSFW jokes and other things with this bot. I love the concept, but don't like the fact that there's all the lewd stuff.

Maybe have a command like d!nsfw?

I do know that it would require a lot of refactoring of the codebase though, so this might be a bit of a tall ask.

CVE-2019-10752 (High) detected in sequelize-5.12.2.tgz

CVE-2019-10752 - High Severity Vulnerability

Vulnerable Library - sequelize-5.12.2.tgz

Multi dialect ORM for Node.JS

Library home page: https://registry.npmjs.org/sequelize/-/sequelize-5.12.2.tgz

Path to dependency file: /tmp/ws-scm/dadbot/package.json

Path to vulnerable library: /dadbot/node_modules/sequelize/package.json

Dependency Hierarchy:

  • sequelize-5.12.2.tgz (Vulnerable Library)

Found in HEAD commit: 73f8fabe080c6ab870464da1b12c820b577efe11

Vulnerability Details

Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.

Publish Date: 2019-10-17

URL: CVE-2019-10752

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10752

Release Date: 2019-09-24

Fix Resolution: 4.44.3, 5.15.1


CVE-2020-28168 (Medium) detected in axios-0.18.1.tgz

CVE-2020-28168 - Medium Severity Vulnerability

Vulnerable Library - axios-0.18.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.18.1.tgz

Path to dependency file: dadbot/package.json

Path to vulnerable library: dadbot/node_modules/axios/package.json

Dependency Hierarchy:

  • perspective-api-client-3.1.0.tgz (Root Library)
    • axios-0.18.1.tgz (Vulnerable Library)

Found in HEAD commit: 4b11ceffca5a57fe0091dbf5e9acdf84ba751793

Found in base branch: master

Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None



DiscordRESTError [50013]: DiscordRESTError [50013]: Missing Permissions

Sentry Issue: DAD-BOT-3

DiscordRESTError [50013]: DiscordRESTError [50013]: Missing Permissions
  File "/home/pi/Dad_Bot/cmds/dadjoke.js", line 13, in Object.exec
    msg.channel.createMessage(lists.jokes[Math.floor(Math.random() * lists.jokes.length)]);
  File "/home/pi/Dad_Bot/bot.js", line 169, in Command.client.registerCommand [as execute]
    client.registerCommand(cmdFile.name, (msg, args) => cmdFile.exec(client, msg, args), cmdFile.options)
...
(5 additional frame(s) were not displayed)

repurpose Prefixes table as generic server info store

The main thing I want to do today is allow server admins to opt out of the global sex alarm, because I consider it a privacy risk.

To do this I think it's best to add a command for server admins to change their optout status, and track it in the database.

We have a table that stores the prefixes of all servers. We could extend this table to track the optout status of each server. We'd have to add a column to a table with, I don't know but you do, potentially millions of records. This might put the database out of commission for a while. I don't know how long exactly, depends on your server's hardware.

Do you think this is a good idea?

An alternative is to add a new table just for this.

Try to reduce bot ping at peak usage

Ping during peak times is 250% higher than during off times, and is worse than what was observed during peak times with the pre-TS rewrite. I assume it has something to do with DB polling and the fact that there is no caching. I am debating if I should reimplement caching.

CVE-2021-23358 (High) detected in underscore-1.12.0.tgz

CVE-2021-23358 - High Severity Vulnerability

Vulnerable Library - underscore-1.12.0.tgz

JavaScript's functional programming helper library.

Library home page: https://registry.npmjs.org/underscore/-/underscore-1.12.0.tgz

Path to dependency file: dadbot/package.json

Path to vulnerable library: dadbot/node_modules/underscore/package.json

Dependency Hierarchy:

  • pg-hstore-2.3.3.tgz (Root Library)
    • underscore-1.12.0.tgz (Vulnerable Library)

Found in HEAD commit: c11022a7dce1aeb57a10362440a8d250763cc47d

Vulnerability Details

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Publish Date: 2021-03-29

URL: CVE-2021-23358

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Release Date: 2021-03-29

Fix Resolution: underscore - 1.12.1, 1.13.0-2


Dad Bot Doesn't Catch All Missing Permission Errors

Dad Bot does not catch every missing permissions error, notably in d!settings. As a result, the errors will typically go straight to the error console.

This is the known list of missing permission errors:

  • d!settings - Send Messages
  • d!settings - Embed Links (Interestingly, needed to send embeds)
  • d!settings - Add Reactions

Also, in some cases dad sends two messages for the same error.

WS-2019-0310 (Medium) detected in https-proxy-agent-2.2.1.tgz

WS-2019-0310 - Medium Severity Vulnerability

Vulnerable Library - https-proxy-agent-2.2.1.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.2.1.tgz

Path to dependency file: /tmp/ws-scm/dadbot/package.json

Path to vulnerable library: /tmp/ws-scm/dadbot/node_modules/https-proxy-agent/package.json

Dependency Hierarchy:

  • node-4.6.6.tgz (Root Library)
    • https-proxy-agent-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 73f8fabe080c6ab870464da1b12c820b577efe11

Vulnerability Details

There is a Machine-In-The-Middle vulnerability found in https-proxy-agent before 2.2.3. There is a failure of TLS enforcement on the socket. Attacker may intercept unencrypted communications.

Publish Date: 2019-12-01

URL: WS-2019-0310

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1184

Release Date: 2019-12-01

Fix Resolution: https-proxy-agent - 2.2.3


CVE-2021-3765 (High) detected in validator-13.6.0.tgz

CVE-2021-3765 - High Severity Vulnerability

Vulnerable Library - validator-13.6.0.tgz

String validation and sanitization

Library home page: https://registry.npmjs.org/validator/-/validator-13.6.0.tgz

Path to dependency file: dadbot/package.json

Path to vulnerable library: dadbot/node_modules/validator/package.json

Dependency Hierarchy:

  • sequelize-6.6.5.tgz (Root Library)
    • validator-13.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 4ca66cab220b9f3015c1fc39acd7203329b63088

Vulnerability Details

validator.js is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-11-02

URL: CVE-2021-3765

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-qgmg-gppg-76g5

Release Date: 2021-11-02

Fix Resolution: validator - 13.7.0
