alekeagle / dadbot
Dad Bot Mega Pog edition! (now with 20% more TypeScript!)
Home Page: https://alekeagle.com/dad-bot
License: GNU Affero General Public License v3.0
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /dadbot/package.json
Path to vulnerable library: /tmp/git/dadbot/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: d20ae948ab5c99335c05217149c5b8a266881c12
A Prototype Pollution vulnerability was found in lodash through version 4.17.11.
Publish Date: 2019-07-08
URL: CVE-2019-10744
Type: Upgrade version
Origin: lodash/lodash@a01e4fa
Release Date: 2019-07-08
Fix Resolution: 4.17.12
Step up your Open Source Security Game with WhiteSource here
How do I make it not say that when I say shut up?
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /tmp/ws-scm/dadbot/package.json
Path to vulnerable library: /tmp/ws-scm/dadbot/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 4d0da022e836cce565c58f867a51c9c11bd0ec8b
A prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype.
Publish Date: 2020-04-28
URL: WS-2020-0070
Base Score Metrics:
PHP strip_tags in Node.js
Library home page: https://registry.npmjs.org/striptags/-/striptags-3.1.1.tgz
Path to dependency file: dadbot/package.json
Path to vulnerable library: dadbot/node_modules/striptags/package.json
Dependency Hierarchy:
Found in HEAD commit: c11022a7dce1aeb57a10362440a8d250763cc47d
The npm package "striptags" is an implementation of PHP's strip_tags in Typescript. In striptags before version 3.2.0, a type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function. This can lead to an XSS.
Publish Date: 2021-06-18
URL: CVE-2021-32696
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qxg5-2qff-p49r
Release Date: 2021-06-18
Fix Resolution: striptags - 3.2.0
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.4.5.tgz
Path to dependency file: dadbot/package.json
Path to vulnerable library: dadbot/node_modules/ws/package.json
Dependency Hierarchy:
Found in HEAD commit: c11022a7dce1aeb57a10362440a8d250763cc47d
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.
Publish Date: 2021-05-25
URL: CVE-2021-32640
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6fc8-4gx4-v693
Release Date: 2021-05-25
Fix Resolution: ws - 7.4.6
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: dadbot/package.json
Path to vulnerable library: dadbot/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: c11022a7dce1aeb57a10362440a8d250763cc47d
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Publish Date: 2021-02-15
URL: CVE-2020-28500
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution: lodash-4.17.21
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: dadbot/package.json
Path to vulnerable library: dadbot/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: c11022a7dce1aeb57a10362440a8d250763cc47d
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
Base Score Metrics:
Type: Upgrade version
Origin: lodash/lodash@3469357
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
It doesn't look like you have a problem with people hosting their own instance of dad bot (which is great considering the current situation) but since there isn't an open source license, modifying a private instance is not allowed I think (since the default is all rights reserved).
If this is what you want, it's probably a good idea to add a license file that just says "All rights reserved" or something.
If you want modified private instances to be open-source I suggest choosing AGPL, otherwise ISC will probably suffice (as it is used in cluster client). If you really don't care what people do with it, you could choose Unlicense. But please do inform yourself about all options here: https://choosealicense.com/
Hi, I run a small Discord server with dad bot, and there are quite a lot of very lewd and NSFW jokes and other things with this bot. I love the concept, but don't like the fact that there's all the lewd stuff.
Maybe have a command like d!nsfw?
I do know that it would require a lot of refactoring of the codebase though, so this might be a bit of a tall ask.
Multi dialect ORM for Node.JS
Library home page: https://registry.npmjs.org/sequelize/-/sequelize-5.12.2.tgz
Path to dependency file: /tmp/ws-scm/dadbot/package.json
Path to vulnerable library: /dadbot/node_modules/sequelize/package.json
Dependency Hierarchy:
Found in HEAD commit: 73f8fabe080c6ab870464da1b12c820b577efe11
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
Publish Date: 2019-10-17
URL: CVE-2019-10752
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10752
Release Date: 2019-09-24
Fix Resolution: 4.44.3,5.15.1
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.18.1.tgz
Path to dependency file: dadbot/package.json
Path to vulnerable library: dadbot/node_modules/axios/package.json
Dependency Hierarchy:
Found in HEAD commit: 4b11ceffca5a57fe0091dbf5e9acdf84ba751793
Found in base branch: master
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
Base Score Metrics:
Sentry Issue: DAD-BOT-3
DiscordRESTError [50013]: DiscordRESTError [50013]: Missing Permissions
File "/home/pi/Dad_Bot/cmds/dadjoke.js", line 13, in Object.exec
msg.channel.createMessage(lists.jokes[Math.floor(Math.random() * lists.jokes.length)]);
File "/home/pi/Dad_Bot/bot.js", line 169, in Command.client.registerCommand [as execute]
client.registerCommand(cmdFile.name, (msg, args) => cmdFile.exec(client, msg, args), cmdFile.options)
...
(5 additional frame(s) were not displayed)
Due to the massive size of Dad Bot, it caused him to be very vulnerable to Quantum Bit Shift
Where can I add bot token to make it run?
The main thing I want to do today is allow server admins to opt out of the global sex alarm, because I consider it a privacy risk.
To do this I think it's best to add a command for server admins to change their optout status, and track it in the database.
We have a table that stores the prefixes of all servers. We could extend this table to track the optout status of each server. We'd have to add a column to a table with, I don't know but you do, potentially millions of records. This might put the database out of commission for a while. I don't know how long exactly, depends on your server's hardware.
Do you think this is a good idea?
An alternative is to add a new table just for this.
Ping during peak times is 250% higher than during off times, and is worse than what was observed during peak times with pre TS rewrite. I assume it has something to do with DB polling and the fact that there is no caching. I am debating if I should reimplement caching.
you said you'd get cigarettes where did you go
Sentry Issue: DAD-BOT-Q
Error: connect ETIMEDOUT 10.0.0.1:443
File "net.js", line 1117, in TCPConnectWrap.afterConnect [as oncomplete]
JavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.12.0.tgz
Path to dependency file: dadbot/package.json
Path to vulnerable library: dadbot/node_modules/underscore/package.json
Dependency Hierarchy:
Found in HEAD commit: c11022a7dce1aeb57a10362440a8d250763cc47d
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Publish Date: 2021-03-29
URL: CVE-2021-23358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
Release Date: 2021-03-29
Fix Resolution: underscore - 1.12.1,1.13.0-2
Dad Bot does not catch every missing permissions error, notably in d!settings. As a result, the errors will typically go straight to the error console.
This is the known list of missing permission errors:
d!settings - Send Messages
d!settings - Embed Links (Interestingly, needed to send embeds)
d!settings - Add Reactions
Also, in some cases dad sends two messages for the same error.
An HTTP(s) proxy `http.Agent` implementation for HTTPS
Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.2.1.tgz
Path to dependency file: /tmp/ws-scm/dadbot/package.json
Path to vulnerable library: /tmp/ws-scm/dadbot/node_modules/https-proxy-agent/package.json
Dependency Hierarchy:
Found in HEAD commit: 73f8fabe080c6ab870464da1b12c820b577efe11
There is a Machine-In-The-Middle vulnerability found in https-proxy-agent before 2.2.3. There is a failure of TLS enforcement on the socket. An attacker may intercept unencrypted communications.
Publish Date: 2019-12-01
URL: WS-2019-0310
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1184
Release Date: 2019-12-01
Fix Resolution: https-proxy-agent - 2.2.3
String validation and sanitization
Library home page: https://registry.npmjs.org/validator/-/validator-13.6.0.tgz
Path to dependency file: dadbot/package.json
Path to vulnerable library: dadbot/node_modules/validator/package.json
Dependency Hierarchy:
Found in HEAD commit: 4ca66cab220b9f3015c1fc39acd7203329b63088
validator.js is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-11-02
URL: CVE-2021-3765
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qgmg-gppg-76g5
Release Date: 2021-11-02
Fix Resolution: validator - 13.7.0