DJS parsing
does DJS parse inputs from stuff like user tag to prevent exploits?
14 Replies
- What's your exact discord.js
npm list discord.js
and node node -v
version?
- Not a discord.js issue? Check out #other-js-ts.
- Consider reading #how-to-get-help to improve your question!
- Explain what exactly your issue is.
- Post the full error stack trace, not just the top part!
- Show your code!
- Issue solved? Press the button!
- ✅
Marked as resolved by OPWhat exploit?
Never heard of preventing an exploiting from parsing it
if you mean like, sql injection, then no it doesn't strip anything, that'd be unexpected behavior for most users
it should be safe to use ids directly however since that's not user input
but generally it's better to go for the safe route
stuff like format string breakout, the one i'm specifically thinking of is user tags
I'm not getting it
like if you have a string like console.log(`tag ${user.tag}`) you can breakout of that with the right input
you can't though? :Thonk:
and that can lead to RCE
unless you're evalling that input
and at that point they can do anything
ok maybe not in that example, but other inputs you can
true
it's just a string, they can't make the string do anything by itself
the only thing that can happen is if you then use that string somewhere else
eg sql injection
ah ok that makes sense
i just realized i was thinking more about C printf exploits not js :patrickconcern:
oh yeah that exploit would make sense in C
in js it'd just be treated as a regular string, even if it contains ${} and it's inside ``
ahhh ok that makes sense
ty