
Release [auto recruit bot]

PostPosted: Fri Aug 20, 2021 1:18 am
by Indian andhra
I have created a Discord bot. You can use it by clicking here and ask any questions in my support server. The bot is now up and working. It does not need permissions either, but it currently supports nation only, no auto recruitment. You can poll about what to add to the bot next.
The invite URL is https://discord.com/api/oauth2/authoriz ... &scope=bot
The code that is deployed is live here:
https://github.com/talus-bot/talus-bot-deployment
If you want, you can sponsor me to get a server; currently it is hosted on Replit. Every part of the code is open, and I am ready to correct a mistake if you show it to me in the support server here: https://discord.gg/pUk8h5cMDQ
Thank you.

PostPosted: Fri Sep 03, 2021 9:42 am
by Indian andhra
Now this bot logs RMB messages into Discord. Stay tuned for new updates.

PostPosted: Sun Sep 05, 2021 1:44 am
by Indian andhra
Now nation, region and tgq are supported.

PostPosted: Tue Sep 07, 2021 4:43 am
by Islands Of Ventro
It won’t let me utilize it, but I think it’s a problem on my end

PostPosted: Thu Sep 23, 2021 3:12 am
by Indian andhra
Now it supports cross-server chat, nation, region, tgq, manual recruitment and many other features.

PostPosted: Thu Sep 23, 2021 1:18 pm
by Twertis
You clearly have no idea how to code.

Getting the daily dumps is trivial (use requests and xmltodict). And you were ratelimited because the API rate limits based on IPs, not useragents. You can't limit your requests based on different users, because all requests are made by the server hosting the bot.

So, where are you getting your code from? Would you even understand the code you take? Why should we trust this bot?

This is constructive criticism. I recommend you use the copious resources available online to get up to snuff. There are free YouTube videos, books, and online courses. As well as pretty well-made reference manuals for Python and all major libraries. You could, if you wish, watch every (or at least most) Coursera class for free by simply auditing the class (you won't receive a certificate is all)— there's lots and lots of great coding stuff there.

PostPosted: Fri Sep 24, 2021 2:29 am
by Indian andhra
Twertis wrote:You clearly have no idea how to code.

Getting the daily dumps is trivial (use requests and xmltodict). And you were ratelimited because the API rate limits based on IPs, not useragents. You can't limit your requests based on different users, because all requests are made by the server hosting the bot.

So, where are you getting your code from? Would you even understand the code you take? Why should we trust this bot?

This is constructive criticism. I recommend you use the copious resources available online to get up to snuff. There are free YouTube videos, books, and online courses. As well as pretty well-made reference manuals for Python and all major libraries. You could, if you wish, watch every (or at least most) Coursera class for free by simply auditing the class (you won't receive a certificate is all)— there's lots and lots of great coding stuff there.

I have met people like you before: they don't even try, and they say that you are not eligible, the bot is not good. I cannot understand how you can say that without trying. Try the bot first. I am challenging you: if you find the code for my features in a web browser, I will switch off the bot. Those are my hard work; I am trying every day to improve it. The answer to the question "why should we trust" is that trust is based on checking it. I already gave a link to the support server; come there and see it, test it there, and if you feel good, use it; otherwise report a problem. Don't message me like this here. I accept any suggestions. Sorry if you get hurt.

PostPosted: Fri Sep 24, 2021 2:42 am
by North American Imperial State
Doesn't Nationstates already have an API that sends TGs out automatically?

Yes, they do; it's how you're spammed with all those TGs from those random ROs of regions you probably have never heard of or looked at (no offence, recruiters). Also, it can't recruit on the RMB, because a lot of regions don't have the tag "Recruiter Friendly", which bans all recruiting on their RMB. So unless that bot can detect that tag (which I will test right now on one of my alt regions that I don't give two shits about; it's just N-day puppet storage), if it even works... I will report back later.

PostPosted: Fri Sep 24, 2021 4:44 am
by Indian andhra
North American Imperial State wrote:Doesn't Nationstates already have an API that sends TGs out automatically?

Yes, they do; it's how you're spammed with all those TGs from those random ROs of regions you probably have never heard of or looked at (no offence, recruiters). Also, it can't recruit on the RMB, because a lot of regions don't have the tag "Recruiter Friendly", which bans all recruiting on their RMB. So unless that bot can detect that tag (which I will test right now on one of my alt regions that I don't give two shits about; it's just N-day puppet storage), if it even works... I will report back later.

I cannot understand what you are saying. Come to the support server and talk to me directly; if I cannot answer, come here and complain.

PostPosted: Sat Sep 25, 2021 4:26 am
by Indian andhra
Now nendo and rendo commands are available. In nendo you can check the endorsements of a nation, and in rendo you can check the endorsements of a delegate by using the region name.

PostPosted: Tue Sep 28, 2021 4:16 am
by Indian andhra
Due to recent problems, bot moderation is now in place: you need to authenticate, meaning get permission in the support server, to use it.

PostPosted: Wed Sep 29, 2021 12:17 am
by Zizou
For anybody who may be considering using this tool for regional recruitment, I would highly advise staying away from it for the time being. In addition to the concerns Twertis mentioned earlier, the project as a whole is of dubious quality, and may present some security concerns at moment (there was a token leak earlier which may or may not have been remedied). If you're looking for a regional recruitment tool, there are plenty of reputable alternatives here.

PostPosted: Wed Sep 29, 2021 4:31 am
by Indian andhra
Zizou wrote:For anybody who may be considering using this tool for regional recruitment, I would highly advise staying away from it for the time being. In addition to the concerns Twertis mentioned earlier, the project as a whole is of dubious quality, and may present some security concerns at moment (there was a token leak earlier which may or may not have been remedied). If you're looking for a regional recruitment tool, there are plenty of reputable alternatives here.

If you have any problems, report them to me.

PostPosted: Wed Sep 29, 2021 4:49 am
by Indian andhra
Indian andhra wrote:
North American Imperial State wrote:Doesn't Nationstates already have an API that sends TGs out automatically?

Yes, they do; it's how you're spammed with all those TGs from those random ROs of regions you probably have never heard of or looked at (no offence, recruiters). Also, it can't recruit on the RMB, because a lot of regions don't have the tag "Recruiter Friendly", which bans all recruiting on their RMB. So unless that bot can detect that tag (which I will test right now on one of my alt regions that I don't give two shits about; it's just N-day puppet storage), if it even works... I will report back later.

I cannot understand what you are saying. Come to the support server and talk to me directly; if I cannot answer, come here and complain.
Come to the server and talk to me directly: https://discord.gg/K3js9cct

PostPosted: Wed Sep 29, 2021 4:53 am
by Indian andhra
I agree that there are minor security problems, and I am working every day to solve them, but you people aren't reporting problems to me, nor in the server.

PostPosted: Fri Oct 01, 2021 1:46 am
by United Calanworie
For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.

For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.

If you want to just look at the code, it's here, on my GitHub.

PostPosted: Fri Oct 01, 2021 2:20 am
by Flanderlion
United Calanworie wrote:For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.

For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.

If you want to just look at the code, it's here, on my GitHub.

I just want to say, I appreciated the write-up.

PostPosted: Fri Oct 01, 2021 2:23 am
by Wormfodder Delivery
United Calanworie wrote:For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.

For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.

If you want to just look at the code, it's here, on my GitHub.

Yeah, kinda expected that the bot was like that. Thanks for the information.

PostPosted: Fri Oct 01, 2021 2:43 am
by Indian andhra
Wormfodder Delivery wrote:
United Calanworie wrote:For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.

For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.

If you want to just look at the code, it's here, on my GitHub.

Yeah, kinda expected that the bot was like that. Thanks for the information.
I agree with all of this and am ready to face action. From now on I don't want to do anything wrong; it is in development, and I am not perfect at coding.

PostPosted: Fri Oct 01, 2021 3:55 am
by Indian andhra
Making this project public and giving help to all who want to use it.

PostPosted: Fri Oct 01, 2021 7:56 am
by Omnicontrol
Indian andhra wrote:
Wormfodder Delivery wrote:Yeah, kinda expected that the bot was like that. Thanks for the information.
I agree with all of this and am ready to face action. From now on I don't want to do anything wrong; it is in development, and I am not perfect at coding.

Nobody is perfect at coding, but... Really? Plaintext passwords? Even 10-year-old me knew how to hash stuff.

PostPosted: Fri Oct 01, 2021 12:25 pm
by Twertis
United Calanworie wrote:For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.

For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.

If you want to just look at the code, it's here, on my GitHub.

My suspicions were right. I really appreciate your documentation of the security issues. It could help future devs to see what NS users expect in terms of security.

And these are by no means minor issues. A token leak? Plaintext passwords?

Why would you even consider passwords? At worst, you should store X-Pins and simply tell players not to log in if they want to use the bot for that nation.

And in Python you can rate limit by doing a sleep(.6) or checking a variable / attribute for when the last request was (for greater speed)— it's very easy. (edit: don't use sleep() for async functions)

A useragent defines who's accessing the site— a browser will provide its version, for example. In the case of an API, you need to give at least some way to quickly contact you, like an email. And make the useragent consistent. Something like this: "Release Discord Bot; link to thread: [link]; email: [email]".

Uh, it’s also got silent failure conditions, and is confusing in the fact that it’s now using ElementTree despite using lxml and BeautifulSoup earlier. No clue why the switch.


Clear evidence that the "author" of this bot copied that code from somewhere else, and apparently without attribution. I definitely don't see why you'd need anything more than lxml to parse API requests.

You’ve also used f-strings wrong, so the User-Agent is now just “nation,” instead of the actual nation that the user starts the command with.


and it doesn’t even save the nation, it just saves the string “nation.”


Probably a lack of understanding of variables.

When Balasai gave me the code, he also gave me the password to his nation. Don’t ask me why. He saved it in a .json file in the bot folder, and then just… uploaded the .zip to our DMs. Again, cavalier attitude towards security overall. Don’t trust this bot.


Lol.

Edit:

lol what is this:
if str(ctx.author.id) in list(data):
    with open("generalaccess.json", "r") as file:
        data = json.load(file)
        data.append(guildid)
    with open("generalaccess.json", "w") as file:
        json.dump(data, file)
        await ctx.channel.send("gave access to guild")
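The two mechanics this post describes, a process-wide rate limit and a fixed, contactable User-Agent, are small enough to show in full. The block below is an added example written for this thread; it is not the bot's code and not code from any poster. It implements the "check when the last request was" idea as a token bucket (the variant a later reply also mentions), shared by every Discord user because, as the post says, all requests leave from the one host the bot runs on. The async `acquire()` waits with `asyncio.sleep`, so it does not block the event loop the way a bare `sleep()` would. The app name, thread URL and e-mail in the usage are constructed placeholders, and the per-request interval of 0.6 s is the one the post quotes.

```python
import asyncio
import time


def build_user_agent(app_name, thread_url, contact_email):
    """Return one fixed User-Agent naming the bot and a way to reach its operator."""
    return f"{app_name}; link to thread: {thread_url}; email: {contact_email}"


class TokenBucket:
    """Process-wide limiter. The API limits by source IP, and every request the
    bot makes leaves the host it runs on, so one bucket serves all Discord users."""

    def __init__(self, rate_per_sec, capacity, clock=time.monotonic):
        self.rate = float(rate_per_sec)   # tokens added per second
        self.capacity = float(capacity)   # burst allowance
        self.tokens = float(capacity)     # start full
        self.clock = clock                # injectable for deterministic tests
        self.last = clock()
        self._lock = None                 # created lazily inside a running loop

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def try_acquire(self):
        """Take one token if available; never blocks."""
        self._refill()
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def wait_time(self):
        """Seconds until a token is available (0.0 if one is available now)."""
        self._refill()
        if self.tokens >= 1.0:
            return 0.0
        return (1.0 - self.tokens) / self.rate

    async def acquire(self):
        """Await a token; other coroutines keep running while we wait."""
        if self._lock is None:
            self._lock = asyncio.Lock()
        async with self._lock:
            while not self.try_acquire():
                await asyncio.sleep(self.wait_time())


class ManualClock:
    """Fake clock for tests: time only moves when you set it."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


async def paced_calls(bucket, n):
    """Push n API calls through the bucket; return the time each one was released."""
    released = []
    for _ in range(n):
        await bucket.acquire()
        released.append(bucket.clock())
    return released


def run_paced(bucket, n):
    """Synchronous wrapper around paced_calls for scripts and tests."""
    return asyncio.run(paced_calls(bucket, n))


if __name__ == "__main__":
    # Placeholder identity values; replace with the real thread link and contact.
    print(build_user_agent("Release Discord Bot", "https://example.invalid/thread",
                           "operator@example.invalid"))
    # One request per 0.6 s with no burst, the interval quoted in the thread.
    times = run_paced(TokenBucket(rate_per_sec=1 / 0.6, capacity=1), 3)
    print([round(t - times[0], 2) for t in times])
```

The bucket is deliberately a module-level shared object in a real bot: creating one per command or per user would reintroduce the per-user limiting the post explains cannot work.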

PostPosted: Fri Oct 01, 2021 3:23 pm
by United Calanworie
Twertis wrote:
United Calanworie wrote:For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.

For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.

If you want to just look at the code, it's here, on my GitHub.

My suspicions were right. I really appreciate your documentation of the security issues. It could help future devs to see what NS users expect in terms of security.

Thank you. I'd rather let people know what they're using than just... let them use it and get in serious trouble down the line.

Twertis wrote:And these are by no means minor issues. A token leak? Plaintext passwords?

Why would you even consider passwords? At worst, you should store X-Pins and simply tell players not to log in if they want to use the bot for that nation.

X-Pin is only good for two hours past idle, so realistically the function does need the password for the nation if it wants to be useful later on. I suppose it could make keepalive requests to the API, but still. Even then, storing an authentication token is a terrible idea, especially in plaintext.

Twertis wrote:And in Python you can rate limit by doing a sleep(.6) or checking a variable / attribute for when the last request was (for greater speed)— it's very easy. (edit: don't use sleep() for async functions)

Or implement a very simple token bucket, or a number of other things, yeah. It's not difficult to ratelimit.

Twertis wrote:A useragent defines who's accessing the site— a browser will provide its version, for example. In the case of an API, you need to give at least some way to quickly contact you, like an email. And make the useragent consistent. Something like this: "Release Discord Bot; link to thread: [link]; email: [email]".

Yep.

Twertis wrote:
Uh, it’s also got silent failure conditions, and is confusing in the fact that it’s now using ElementTree despite using lxml and BeautifulSoup earlier. No clue why the switch.


Clear evidence that the "author" of this bot copied that code from somewhere else, and apparently without attribution. I definitely don't see why you'd need anything more than lxml to parse API requests.

I mean, ElementTree is wayyyy more efficient than BeautifulSoup + lxml. *as long as you're using it properly. lxml on its own is faster than elementtree, especially since it has its own implementation of iterparse.
Twertis wrote:
You’ve also used f-strings wrong, so the User-Agent is now just “nation,” instead of the actual nation that the user starts the command with.


and it doesn’t even save the nation, it just saves the string “nation.”


Probably a lack of understanding of variables.

Would not be surprised.

Twertis wrote:
When Balasai gave me the code, he also gave me the password to his nation. Don’t ask me why. He saved it in a .json file in the bot folder, and then just… uploaded the .zip to our DMs. Again, cavalier attitude towards security overall. Don’t trust this bot.


Lol.

Edit:

lol what is this:
if str(ctx.author.id) in list(data):
    with open("generalaccess.json", "r") as file:
        data = json.load(file)
        data.append(guildid)
    with open("generalaccess.json", "w") as file:
        json.dump(data, file)
        await ctx.channel.send("gave access to guild")

That's his "guild authentication" tool. No, it doesn't get used in a global check... the authentication is built into each function. Yes, it's that bad.
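For comparison with the quoted handler, here is what a guild allowlist of that shape looks like when the check lives in one place. This is an added example written for this thread, not the bot's code and not from any poster; the file name `generalaccess.json` and the message "gave access to guild" are taken from the quoted snippet, while the admin id, guild ids and `grant_command`/`command_allowed` names are constructed for illustration. The list is loaded once, duplicates are rejected, writes go through a temp file and `os.replace` so a crash cannot truncate the file, and `is_allowed` is a single function that a global command check can call instead of re-reading the file inside every handler.

```python
import json
import os
import tempfile


class GuildAccessStore:
    """Allowlist of guild ids kept in a JSON list, loaded once, written atomically."""

    def __init__(self, path):
        self.path = path
        self._ids = self._load()

    def _load(self):
        try:
            with open(self.path, "r", encoding="utf-8") as fh:
                raw = json.load(fh)
        except FileNotFoundError:
            return set()
        if not isinstance(raw, list):
            raise ValueError(f"{self.path}: expected a JSON list of guild ids")
        return {int(x) for x in raw}

    def _save(self):
        # Temp file in the same directory, then rename over the original: a crash
        # mid-write leaves either the old list or the new one, never a partial file.
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".generalaccess-")
        try:
            with os.fdopen(fd, "w", encoding="utf-8") as fh:
                json.dump(sorted(self._ids), fh)
            os.replace(tmp, self.path)
        except BaseException:
            if os.path.exists(tmp):
                os.unlink(tmp)
            raise

    def is_allowed(self, guild_id):
        """The one check every command (or a global bot check) should call."""
        return int(guild_id) in self._ids

    def grant(self, guild_id):
        """Add a guild; returns False if it was already listed, so no duplicates."""
        gid = int(guild_id)
        if gid in self._ids:
            return False
        self._ids.add(gid)
        self._save()
        return True

    def revoke(self, guild_id):
        gid = int(guild_id)
        if gid not in self._ids:
            return False
        self._ids.discard(gid)
        self._save()
        return True


def grant_command(store, admin_ids, author_id, guild_id):
    """What the quoted handler was trying to do: only a listed admin may grant access."""
    if int(author_id) not in admin_ids:
        return "not authorised"
    if store.grant(guild_id):
        return "gave access to guild"
    return "guild already has access"


def command_allowed(store, guild_id):
    """Gate for every command; run once in a global check rather than in each handler."""
    return guild_id is not None and store.is_allowed(guild_id)


def demo(directory):
    """Scripted run (constructed ids) returning the replies and what ended up on disk."""
    path = os.path.join(directory, "generalaccess.json")
    admins = {111}                                   # constructed admin user id
    store = GuildAccessStore(path)
    replies = [
        grant_command(store, admins, author_id=222, guild_id=9001),  # not an admin
        grant_command(store, admins, author_id=111, guild_id=9001),
        grant_command(store, admins, author_id=111, guild_id=9001),  # duplicate
    ]
    reloaded = GuildAccessStore(path)                # as a restarted bot would see it
    with open(path, encoding="utf-8") as fh:
        on_disk = fh.read()
    return replies, command_allowed(reloaded, 9001), command_allowed(reloaded, 9002), on_disk


def demo_tempdir():
    return demo(tempfile.mkdtemp())


if __name__ == "__main__":
    print(demo_tempdir())
```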

PostPosted: Fri Oct 01, 2021 3:26 pm
by United Calanworie
Flanderlion wrote:
United Calanworie wrote:For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.

For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.

If you want to just look at the code, it's here, on my GitHub.

I just want to say, I appreciated the write-up.

Hey, thanks! It was certainly something interesting to do at 1 in the morning.

Wormfodder Delivery wrote:
United Calanworie wrote:For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.

For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.

If you want to just look at the code, it's here, on my GitHub.

Yeah, kinda expected that the bot was like that. Thanks for the information.

Yeeeep.

PostPosted: Fri Oct 01, 2021 7:34 pm
by Twertis
It appears they offer an X-Autologin response specifically so you don’t have to store passwords in plaintext.
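The flow this post points at, using the password once and keeping only the autologin token, can be shown without touching the real API. The block below is an added example written for this thread, not the bot's code and not from any poster. The header names `X-Autologin` and `X-Pin` are the ones mentioned in the thread; `X-Password` as the header for the initial login, and the exact response headers, are assumptions about the API, which is why the network side is an injected `send` callable and the API stand-in, the nation name, the password and the token values are all constructed. The session stores only the autologin token, in a file created with mode 0600, and later requests send the pin while it is live and fall back to the stored token, never the password.

```python
import json
import os
import stat
import tempfile


class NationSession:
    """Obtain an autologin token with the password once, then never keep the password.

    Only the token is written to disk (mode 0600); it is still a credential, so
    the file must stay private, but a leak of it does not expose the password.
    """

    def __init__(self, nation, send, token_path):
        self.nation = nation
        self.send = send              # callable(nation, headers) -> response headers
        self.token_path = token_path
        self.pin = None               # live session pin, memory only

    def login(self, password):
        resp = self.send(self.nation, {"X-Password": password})   # assumed login header
        token = resp.get("X-Autologin")
        if not token:
            raise RuntimeError("login returned no X-Autologin; not storing the password")
        self._store_token(token)
        self.pin = resp.get("X-Pin")
        return True

    def request(self):
        """Authenticated call: pin while we have one, otherwise the stored token."""
        if self.pin:
            headers = {"X-Pin": self.pin}
        else:
            headers = {"X-Autologin": self._load_token()}
        resp = self.send(self.nation, headers)
        if resp.get("X-Pin"):
            self.pin = resp["X-Pin"]
        return resp

    def _store_token(self, token):
        fd = os.open(self.token_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump({"nation": self.nation, "autologin": token}, fh)

    def _load_token(self):
        with open(self.token_path, encoding="utf-8") as fh:
            return json.load(fh)["autologin"]


class FakeNationApi:
    """Constructed stand-in for the API: accepts the password, the token, or a live pin."""

    def __init__(self, password):
        self.password = password
        self.autologin = "constructed-autologin-token"
        self.pin = "constructed-pin"
        self.seen = []                # every header set received, for inspection

    def __call__(self, nation, headers):
        self.seen.append(dict(headers))
        if headers.get("X-Password") == self.password:
            return {"X-Autologin": self.autologin, "X-Pin": self.pin}
        if headers.get("X-Autologin") == self.autologin:
            return {"X-Pin": self.pin}
        if headers.get("X-Pin") == self.pin:
            return {"X-Pin": self.pin}
        return {}


def demo(directory, password="constructed-password"):
    """Login, one pinned request, then a request after a simulated restart."""
    api = FakeNationApi(password)
    path = os.path.join(directory, "example_nation.token.json")
    session = NationSession("example_nation", api, path)
    session.login(password)
    session.request()                                       # sends X-Pin
    restarted = NationSession("example_nation", api, path)  # no pin in memory
    restarted.request()                                     # sends X-Autologin
    with open(path, encoding="utf-8") as fh:
        on_disk = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return api.seen, on_disk, mode


def demo_tempdir():
    return demo(tempfile.mkdtemp())


if __name__ == "__main__":
    seen, on_disk, mode = demo_tempdir()
    print(seen)
    print(on_disk, oct(mode))
```

Rotating the token means changing the nation's password, which is the operator's recovery path if the token file is ever exposed.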