
[ISSUE] /upload lets you pick (and delete!) arbitrary files from the host #129

Closed
LucentW opened this issue Oct 1, 2020 · 7 comments

Comments

@LucentW

LucentW commented Oct 1, 2020

Describe the issue
As per title

What did you try?
Steps to reproduce the behavior:

  1. /upload /etc/passwd

Expected behavior
Bot shouldn't pick files coming from outside the setup download directory.

Beware, you can even do /upload tobrot to remotely break someone's instance: it'll recurse into the entire tree, upload all files and delete everything.

@LucentW LucentW changed the title [ISSUE] /upload lets you pick arbitrary files from the host [ISSUE] /upload lets you pick (and delete!) arbitrary files from the host Oct 1, 2020
@SpEcHiDe
Owner

SpEcHiDe commented Oct 2, 2020

The bot should only be used in small groups, by trusted users. Also, /upload requires administrator privileges in the group, so I don't think this is an issue 😬🤔

@davtur19

davtur19 commented Oct 2, 2020

If you don't understand its importance, then you should stop programming.
Close the repo or go back to all your projects and fix them ASAP; there can't be such stupid flaws in 2020.

@SpEcHiDe
Owner

SpEcHiDe commented Oct 2, 2020

I understand, but the command is triggered by a "human" and not a bot.
I require uploading some files (say in /var/log/), and hence had added this command. You are free to "fix" this in your repositories by forking, but at least, in my opinion, #130 is not the correct solution.

Also, please read this: https://t.me/c/1378533090/16624 before judging the intentions of this repository.

Repository owner deleted a comment Oct 2, 2020
@davtur19

davtur19 commented Oct 2, 2020

No matter who executes the command, it is too dangerous; a program should be made with safety first of all.
For example, abusing inline bots you could make the admin run a command like this:
The admin runs an inline bot and sends the message with the /upload command (when you use an inline bot you don't know what you're going to write), and immediately the inline bot modifies it, so you don't notice what happened.
The problem is that with a stupid command you compromise the whole container, and by the time you realize it, it's already too late.

I don't care what you are doing with your repo, I care that you are spreading software with one (or more) backdoors to unaware users.

(Even if you didn't do it on purpose, it's technically a backdoor)

@SpEcHiDe
Owner

SpEcHiDe commented Oct 2, 2020

Is it fine?

@SpEcHiDe SpEcHiDe reopened this Oct 2, 2020
@LucentW
Author

LucentW commented Oct 2, 2020

You just removed an empty comment line and tabbed it to have it disabled by default 😅
It doesn't really stop people from uploading and deleting random files off the host if dangerous commands are enabled. Plus, since your Dockerfile runs the bot as root inside the container, doing /upload / is the same as doing rm -rf /, but it'll leak all files in the process, potentially tokens and passwords too.

Probably an idea is to add some sort of "whitelisted paths" to the configuration if you need to fetch logs off /var/log, but leaving it as it is lets authorized users break the container and render it unusable in a couple of commands, or just plain steal info off the filesystem.
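The allow-listed-paths idea above, worked through as an added example that is not part of the PublicLeech code base or of any comment in this thread. It assumes a hypothetical helper `resolve_upload_path()` that the /upload handler would call before touching the filesystem: the argument is resolved (symlinks and `..` included) before the containment check, files under the bot's download directory may be uploaded and then deleted, files under an operator-configured read-only root (the /var/log case mentioned above) may be uploaded but never deleted, and everything else is refused. The directory names and file contents are constructed inside a temporary directory so the demo runs offline.

```python
import tempfile
from pathlib import Path


def _within(path: Path, root: Path) -> bool:
    """True if path equals root or lies below it; both must already be resolved."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def resolve_upload_path(user_arg: str, download_dir, read_only_roots=()):
    """Map the argument of /upload to a real path the bot may touch.

    Returns (resolved_path, may_delete). Relative arguments are taken relative
    to download_dir. Symlinks and '..' are resolved *before* the containment
    check, so 'DOWNLOADS/leak -> /etc/passwd' or '../../etc/passwd' cannot
    slip past a naive string-prefix test. Files under download_dir may be
    deleted after upload; files under a read-only root (e.g. a log directory
    the operator explicitly allow-lists) may be read but never deleted.
    Anything else raises PermissionError. (Hypothetical helper, not the
    project's own code.)
    """
    download_root = Path(download_dir).resolve()
    candidate = Path(user_arg)
    if not candidate.is_absolute():
        candidate = download_root / candidate
    real = candidate.resolve()  # follows symlinks, collapses '..'
    if _within(real, download_root):
        return real, True
    for root in read_only_roots:
        if _within(real, Path(root).resolve()):
            return real, False
    raise PermissionError(f"{user_arg!r} resolves to {real}, outside the allowed roots")


def demo():
    """Build a constructed temporary layout and exercise the check.

    Returns {case label: 'upload+delete' | 'upload-only' | 'denied'}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp) / "DOWNLOADS"   # constructed download directory
        logs = Path(tmp) / "var_log"          # constructed stand-in for /var/log
        downloads.mkdir()
        logs.mkdir()
        (downloads / "video.mkv").write_bytes(b"\x00constructed")
        (logs / "bot.log").write_text("constructed log line\n")
        # A symlink placed inside the download directory that points outside it
        (downloads / "leak").symlink_to("/etc/passwd")

        cases = [
            ("relative file", "video.mkv"),
            ("dotdot inside root", "sub/../video.mkv"),
            ("symlink escape", "leak"),
            ("dotdot escape", "../../../../../../etc/passwd"),
            ("absolute etc passwd", "/etc/passwd"),
            ("filesystem root", "/"),
            ("log file", str(logs / "bot.log")),
            ("log dir", str(logs)),
        ]
        for label, arg in cases:
            try:
                _, may_delete = resolve_upload_path(arg, downloads, read_only_roots=(logs,))
                results[label] = "upload+delete" if may_delete else "upload-only"
            except PermissionError:
                results[label] = "denied"
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:22s} {verdict}")
```

Note that a directory argument under an allowed root is still accepted and would still be walked recursively by the handler; the check only decides where the bot may look and whether it may delete. Refusing the filesystem root or the allow-listed root itself as an argument is a separate policy decision the operator may also want.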

@SpEcHiDe
Owner

SpEcHiDe commented Oct 3, 2020

/exec and /eval also do the same thing, but are a little more dangerous than /upload.

I am not sure how the "fix" would look.

@SpEcHiDe SpEcHiDe closed this as completed Dec 7, 2020
bhoomi-s-007 added a commit to bhoomi-s-007/PublicLeech that referenced this issue Mar 26, 2021
* closes SpEcHiDe#122 and SpEcHiDe#124

* this should probably fix SpEcHiDe#129 🤔😑

* testing fixes

* add SUDO users, to fix sensitive commands, Thank You: https://t.me/c/1459557988/45270, SpEcHiDe#129 should be fine, now.

* copy from @gautamajay52

* fix requirements

* fix one derp, in BUTTONs mode

* Fix issues with ytdl on command input mode (SpEcHiDe#140)

* fixed issue where format selector menu got removed upon selecting any video format
* fixed ValueError on audio format selections

* Fix leeching torrent from links (SpEcHiDe#148)

* simple fix (SpEcHiDe#150)

Co-authored-by: Shrimadhav U K <[email protected]>
Co-authored-by: Sayanth Dinesh <[email protected]>
Co-authored-by: Sayanth Dinesh <[email protected]>
Co-authored-by: GautamKumar <[email protected]>