United Calanworie wrote: For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.
For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.
If you want to just look at the code, it's here, on my GitHub.
My suspicions were right. I really appreciate your documentation of the security issues. It could help future devs to see what NS users expect in terms of security.
And these are by no means minor issues. A token leak? Plaintext passwords?
Why would you even consider passwords? At worst, you should store X-Pins and simply tell players not to log in if they want to use the bot for that nation.
And in Python you can rate limit by doing a sleep(.6) or checking a variable / attribute for when the last request was (for greater speed). It's very easy. (edit: don't use sleep() for async functions)
A useragent defines who's accessing the site— a browser will provide its version, for example. In the case of an API, you need to give at least some way to quickly contact you, like an email. And make the useragent consistent. Something like this: "Release Discord Bot; link to thread: [link]; email: [email]".
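Added example, not code from the bot or from either poster: the "check a variable for when the last request was" approach from the post, written so it works inside an async Discord command without a blocking sleep(), together with the consistent User-Agent layout suggested above and a header builder that carries a stored pin rather than a password. The 0.6 s spacing, the User-Agent layout and the idea of sending a pin come from the thread; the class and function names, the X-Pin header name, the thread URL and the e-mail address are assumptions made up for illustration.

```python
import asyncio
import time
from typing import Optional


class RequestSpacer:
    """Keep at least `min_interval` seconds between outgoing API requests.

    Instead of calling sleep(.6) before every request (which blocks the
    event loop inside a bot), remember when the last request went out and
    compute how long the next one still has to wait.
    """

    def __init__(self, min_interval: float = 0.6, clock=time.monotonic):
        self.min_interval = min_interval
        self._clock = clock        # injectable so tests can use a fake clock
        self._last_sent = None     # monotonic time of the last request, None before the first
        self._lock = None          # created lazily inside the running event loop

    def wait_needed(self) -> float:
        """Seconds the caller must still wait; 0.0 if a request may go out now."""
        if self._last_sent is None:
            return 0.0
        elapsed = self._clock() - self._last_sent
        return max(0.0, self.min_interval - elapsed)

    def mark_sent(self) -> None:
        """Record that a request has just been sent."""
        self._last_sent = self._clock()

    async def acquire(self) -> float:
        """Wait until a request may be sent without blocking the loop; returns seconds waited."""
        if self._lock is None:
            self._lock = asyncio.Lock()  # serialises concurrent commands in the same bot
        async with self._lock:
            delay = self.wait_needed()
            if delay > 0.0:
                await asyncio.sleep(delay)  # yields to the event loop, unlike time.sleep()
            self.mark_sent()
            return delay


def build_user_agent(bot_name: str, thread_url: str, contact_email: str) -> str:
    """A fixed, informative User-Agent in the layout suggested in the thread."""
    for label, value in (("bot_name", bot_name), ("thread_url", thread_url),
                         ("contact_email", contact_email)):
        if not value or not value.strip():
            raise ValueError(f"{label} must not be empty")
    # Note the braces: "nation" as a plain string would send the literal word.
    return f"{bot_name}; link to thread: {thread_url}; email: {contact_email}"


def api_headers(user_agent: str, pin: Optional[str] = None) -> dict:
    """Headers for a request: a stored pin at most, never a nation password."""
    headers = {"User-Agent": user_agent}
    if pin is not None:
        headers["X-Pin"] = pin  # header name is an assumption for this example
    return headers


def run_burst(spacer: RequestSpacer, count: int) -> list:
    """Simulate `count` back-to-back commands; return how long each one waited."""
    async def burst():
        delays = []
        for _ in range(count):
            delays.append(await spacer.acquire())
        return delays
    return asyncio.run(burst())


if __name__ == "__main__":
    # Constructed sample values; the URL and address are placeholders.
    ua = build_user_agent("Release Discord Bot",
                          "https://example.invalid/thread",
                          "bot-dev@example.invalid")
    print(api_headers(ua, pin="123456"))
    print(run_burst(RequestSpacer(0.6), 3))  # first entry is 0.0, the rest about 0.6
```

The spacer is per process, so one instance should be shared by every command that talks to the API; a new instance per command would let concurrent users bypass the limit.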
Uh, it's also got silent failure conditions, and is confusing in that it's now using ElementTree despite using lxml and BeautifulSoup earlier. No clue why the switch.
Clear evidence that the "author" of this bot copied that code from somewhere else, and apparently without attribution. I definitely don't see why you'd need anything more than lxml to parse API requests.
You’ve also used f-strings wrong, so the User-Agent is now just “nation,” instead of the actual nation that the user starts the command with.
and it doesn’t even save the nation, it just saves the string “nation.”
Probably a lack of understanding of variables.
When Balasai gave me the code, he also gave me the password to his nation. Don’t ask me why. He saved it in a .json file in the bot folder, and then just… uploaded the .zip to our DMs. Again, cavalier attitude towards security overall. Don’t trust this bot.
Lol.
Edit:
lol what is this:
Code:
if str(ctx.author.id) in list(data):
    with open("generalaccess.json", "r") as file:
        data = json.load(file)
    data.append(guildid)
    with open("generalaccess.json", "w") as file:
        json.dump(data, file)
    await ctx.channel.send("gave access to guild")