Update security 3.2.2

Taaku18 · Taaku18 · commit e3d0f3e9db9a · 2019-09-15T22:33:53.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,18 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 This project mostly adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html);
 however, insignificant breaking changes does not guarantee a major version bump, see the reasoning [here](https://github.com/kyb3r/modmail/issues/319).
 
+# v3.2.2
+
+Security update!
+
+### Important
+
+- Supporter permission users used to be able to "hack" snippets to reveal all your config vars, including your token and MongoURI.
+- Implemented some changes to address this bug:
+  - All customizable variables used in snippets, close messages, etc, using the `{}` syntax, now forbids chaining 2 or more attributes and attributes that starts with `_`.
+- It is advised to update to this version.
+- If you felt your credentials have been leaked, consider changing your bot token / mongo uri.
+
 # v3.2.1
 
 ### Fixed
diff --git a/bot.py b/bot.py
@@ -1,4 +1,4 @@
-__version__ = "3.2.1"
+__version__ = "3.2.2"
 
 import asyncio
 import logging
@@ -33,7 +33,7 @@
 from core.clients import ApiClient, PluginDatabaseClient
 from core.config import ConfigManager
 from core.utils import human_join, strtobool, parse_alias
-from core.models import PermissionLevel, ModmailLogger
+from core.models import PermissionLevel, ModmailLogger, SafeFormatter
 from core.thread import ThreadManager
 from core.time import human_timedelta
 
@@ -69,6 +69,7 @@ def __init__(self):
         self._session = None
         self._api = None
         self.metadata_loop = None
+        self.formatter = SafeFormatter()
 
         self._connected = asyncio.Event()
         self.start_time = datetime.utcnow()
@@ -120,7 +121,7 @@ def uptime(self) -> str:
         if days:
             fmt = "{d}d " + fmt
 
-        return fmt.format(d=days, h=hours, m=minutes, s=seconds)
+        return self.formatter.format(fmt, d=days, h=hours, m=minutes, s=seconds)
 
     def _configure_logging(self):
         level_text = self.config["log_level"].upper()
@@ -837,7 +838,7 @@ async def process_commands(self, message):
                 thread = await self.threads.find(channel=message.channel)
                 snippet = self.snippets[cmd]
                 if thread:
-                    snippet = snippet.format(recipient=thread.recipient)
+                    snippet = self.formatter.format(snippet, recipient=thread.recipient)
                 message.content = f"{self.prefix}reply {snippet}"
 
         ctxs = await self.get_contexts(message)
diff --git a/core/models.py b/core/models.py
@@ -1,5 +1,7 @@
+import _string
 import logging
 from enum import IntEnum
+from string import Formatter
 
 from discord import Color, Embed
 from discord.ext import commands
@@ -85,3 +87,33 @@ class _Default:
 
 
 Default = _Default()
+
+
+class SafeFormatter(Formatter):
+
+    def get_field(self, field_name, args, kwargs):
+        first, rest = _string.formatter_field_name_split(field_name)
+
+        try:
+            obj = self.get_value(first, args, kwargs)
+        except (IndexError, KeyError):
+            return "<Invalid>", first
+
+        # loop through the rest of the field_name, doing
+        #  getattr or getitem as needed
+        # stops when reaches the depth of 2 or starts with _.
+        try:
+            for n, (is_attr, i) in enumerate(rest):
+                if n >= 2:
+                    break
+                if is_attr:
+                    if str(i).startswith('_'):
+                        break
+                    obj = getattr(obj, i)
+                else:
+                    obj = obj[i]
+            else:
+                return obj, first
+        except (IndexError, KeyError):
+            pass
+        return "<Invalid>", first
diff --git a/core/thread.py b/core/thread.py
@@ -393,8 +393,8 @@ async def _close(
             else:
                 message = self.bot.config["thread_close_response"]
 
-        message = message.format(
-            closer=closer, loglink=log_url, logkey=log_data["key"] if log_data else None
+        message = self.bot.formatter.format(
+            message, closer=closer, loglink=log_url, logkey=log_data["key"] if log_data else None
         )
 
         embed.description = message
@@ -492,7 +492,8 @@ async def _restart_close_timer(self):
             )
 
         # Grab message
-        close_message = self.bot.config["thread_auto_close_response"].format(
+        close_message = self.bot.formatter.format(
+            self.bot.config["thread_auto_close_response"],
             timeout=human_time
         )
 

Original file line number	Diff line number	Diff line change
`@@ -393,8 +393,8 @@ async def _close(`
`393`	`393`	`else:`
`394`	`394`	`message = self.bot.config["thread_close_response"]`
`395`	`395`
`396`		`- message = message.format(`
`397`		`- closer=closer, loglink=log_url, logkey=log_data["key"] if log_data else None`
	`396`	`+ message = self.bot.formatter.format(`
	`397`	`+ message, closer=closer, loglink=log_url, logkey=log_data["key"] if log_data else None`
`398`	`398`	`)`
`399`	`399`
`400`	`400`	`embed.description = message`
`@@ -492,7 +492,8 @@ async def _restart_close_timer(self):`
`492`	`492`	`)`
`493`	`493`
`494`	`494`	`# Grab message`
`495`		`- close_message = self.bot.config["thread_auto_close_response"].format(`
	`495`	`+ close_message = self.bot.formatter.format(`
	`496`	`+ self.bot.config["thread_auto_close_response"],`
`496`	`497`	`timeout=human_time`
`497`	`498`	`)`
`498`	`499`