Security

CVE-2021-29502: [WarnSystem] Safely format embed descriptions · laggron42/Laggrons-Dumb-Cogs@c79dd2c

WarnSystem is a cog (plugin) for the Red Discord bot. A vulnerability has been found in the code that allows any user to access sensitive information by setting up a specific template which is not properly sanitized. The problem has been patched in version 1.3.18. Users should update and type !warnsysteminfo to check that their version is 1.3.18 or above. As a workaround, users may unload the WarnSystem cog or disable the !warnset description command globally.
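The root cause described above is that a moderator-editable template is handed straight to Python's str.format, whose replacement fields may contain attribute chains and indexing. The following is an added example, not code from the WarnSystem project or from the fix commit: it shows the unsafe pattern against a constructed object graph (the FakeMember/FakeGuild/FakeState classes, their attribute names and the token value are assumptions made for the demo, not discord.py's real layout), and one hardening alternative, a string.Formatter subclass that only resolves a whitelisted set of `{name}` and `{name.attr}` fields and always returns strings, so that deep chains, indexing, dunder attributes and `!r` conversions cannot reach anything beyond the whitelist.

```python
"""Added example (not the project's code): why passing a user-supplied
template to str.format is dangerous, and a whitelist formatter that is not.

FakeState/FakeGuild/FakeMember are constructed stand-ins; the attribute
names and the secret value are assumptions for this demo only.
"""
import string
from dataclasses import dataclass


@dataclass
class FakeState:            # constructed: stand-in for a client's internal state
    token: str


@dataclass
class FakeGuild:            # constructed: stand-in for a guild object
    name: str
    state: FakeState


@dataclass
class FakeMember:           # constructed: stand-in for a discord.Member
    name: str
    id: int
    display_name: str
    mention: str
    guild: FakeGuild

    def __str__(self) -> str:   # `{member}` renders as the member's name
        return self.name


STATE = FakeState(token="bot-token-DO-NOT-LEAK")                    # constructed
GUILD = FakeGuild(name="Example Guild", state=STATE)                # constructed
MEMBER = FakeMember("alice", 123456789012345678, "Alice", "<@123456789012345678>", GUILD)
MOD = FakeMember("bob", 234567890123456789, "Bob", "<@234567890123456789>", GUILD)

FALLBACK = "Failed to format field."


def format_unsafe(template: str, **objects) -> str:
    """The vulnerable pattern: str.format follows any dotted chain or [index]
    the template author writes, so the template can walk from `member` to
    whatever the object graph reaches, and `!r` dumps the whole dataclass."""
    return template.format(**objects)


class WhitelistFormatter(string.Formatter):
    """Resolve only `{name}` or `{name.attr}` where both are whitelisted.
    Deeper chains, indexing, dunders and unknown names are rejected before
    any getattr happens; every resolved value is a str, so conversions and
    format specs can only act on that string."""

    # template variable -> attributes it may expose (assumed set for the demo)
    ALLOWED = {
        "member": {"name", "id", "display_name", "mention"},
        "mod": {"name", "id", "display_name", "mention"},
        "duration": set(),
        "time": set(),
    }

    def get_field(self, field_name, args, kwargs):
        if "[" in field_name:
            raise ValueError(f"indexing is not allowed: {field_name!r}")
        parts = field_name.split(".")
        base = parts[0]
        if base not in self.ALLOWED or base not in kwargs:
            raise ValueError(f"unknown template variable {base!r}")
        obj = kwargs[base]
        if len(parts) == 1:
            return str(obj), base
        if len(parts) > 2 or parts[1] not in self.ALLOWED[base]:
            raise ValueError(f"attribute chain not allowed: {field_name!r}")
        return str(getattr(obj, parts[1])), base


def format_safe(template: str, **objects) -> str:
    """Format with the whitelist; raises ValueError on any disallowed field."""
    return WhitelistFormatter().format(template, **objects)


def render_description(template: str, **objects) -> str:
    """Mirror the advisory's behaviour of degrading to a fixed fallback string
    instead of leaking a traceback or partial output into the embed."""
    try:
        return format_safe(template, **objects)
    except (ValueError, KeyError, AttributeError, IndexError):
        return FALLBACK


if __name__ == "__main__":
    leak = "{member.guild.state.token}"
    print("unsafe:", format_unsafe(leak, member=MEMBER))          # leaks the token
    print("safe:  ", render_description(leak, member=MEMBER))     # fallback string
    print(render_description("{member} warned by {mod.display_name} for {duration}",
                             member=MEMBER, mod=MOD, duration="2 days"))
```

Because the whitelist formatter returns strings, a numeric format spec such as `{member.id:05d}` is also rejected and falls back; that is the intended trade-off, since the template author controls the spec as well as the field name.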


@@ -29,6 +29,26 @@

id_pattern = re.compile(r"([0-9]{15,21})$")

class SafeMember:

def __init__(self, member: discord.Member) -> None:

self.name = str(member.name)

self.display_name = str(member.display_name)

self.nick = str(member.nick)

self.id = str(member.id)

self.mention = str(member.mention)

self.discriminator = str(member.discriminator)

self.color = str(member.color)

self.colour = str(member.colour)

self.created_at = str(member.created_at)

self.joined_at = str(member.joined_at)

def __str__(self):

return self.name

def __getattr__(self, name):

return self

class FakeRole:

“"”

We need to fake some attributes of roles for the class UnavailableMember
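Review bot: the `__getattr__` fallback in `SafeMember` (`return self`) only runs for names that normal lookup does not find, so attributes every Python object already has (`__class__`, `__dict__`, `__init__`) still resolve, and `str.format` happily follows them: a template containing `{member.__class__.__init__.__globals__}` renders this module's namespace, which visibly includes at least `log`. Suggest rejecting any replacement field that contains `__` or more than one dot before formatting (a `string.Formatter` subclass with a whitelist of `{name}`/`{name.attr}` pairs does this cleanly), and making `__getattr__` raise `AttributeError` instead of returning `self`, which also silently turns a typo like `{member.nmae}` into the member's name. Minor: `self.nick = str(member.nick)` renders the literal text "None" for members without a nickname; `str(member.nick or "")` would be friendlier.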

@@ -622,9 +642,22 @@ async def get_embeds(

duration = self._format_timedelta(time)

else:

duration = _(“*[No time given]*”)

format_description = lambda x: x.format(

invite=invite, member=member, mod=author, duration=duration, time=today

)

def format_description(text):

try:

return text.format(

invite=invite,

member=SafeMember(member),

mod=SafeMember(author),

duration=duration,

time=today,

)

except Exception:

log.error(

f"[Guild {guild.id}] Failed to format description in embed", exc_info=True

)

return “Failed to format field.”

link = re.search(r"(https?://)\S+\.(jpg|jpeg|png|gif|webm)", reason)

# embed for the modlog
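Review bot: `invite`, `duration` and `time` are still passed to `text.format` unwrapped (`invite=invite,`); if `invite` is a `discord.Invite` object rather than its URL string, a template can walk its attributes (`{invite.guild...}`, `{invite.inviter...}`) exactly as it could walk `member` before this change, so pass `str(invite)` or wrap it like `member` and `author`. The `except Exception` is also broader than needed and the log line does not say which template failed; catching `(KeyError, AttributeError, IndexError, ValueError)` and including the offending template text in the `log.error` message would make the "Failed to format field." fallback diagnosable for the guild admin.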
