Allow bot accounts to reset their own token
The title says it all. But wait a minute, let me explain!
We've all heard of eval commands, correct? They allow specific people to run commands in the bot. The problem is that catching every possible way for the token to be leaked by the command is needlessly excessive.
So, I propose that the bot scans every message it sends itself to search for the token. If the bot finds the token, it automatically resets the token (changing a number of variables including the token that is used to restart, config files etc) then notifies bot owners and carries on like it was before.
It's simple - trivial really - and effective. I don't see why you wouldn't implement it.
You can just search for the token text in the eval response before you send it to Discord, that should catch any accidents. If it's getting out any other way, you're unlikely to detect it either way.
Fair argument, but that takes some awkward rewriting to implement bot-wide, especially given that evaling a send can be done in a variety of ways.
Just don't give everyone full access to eval.
Better yet, make your eval command botowner-only. Boom, problem solved.
And if an owner goes rogue or makes a mistake?
Well, that's his fault then.
You could also just look for the token in every message and delete it, or, as said, search every eval message. Should only be 1-2 lines of code :/
Just publish your own bot token to github gist via API - https://gist.github.com
Code eval(uation) should only be given to bot developers for testing purposes: people who would already have access to the bot code and token. I cannot stress enough how dangerous code evaluation is unless done in a sandbox/separate environment for anyone to use. Using eval, I could do much more than spam a couple guilds with pings. In most languages there are ways to completely delete an entire disk using just one eval command.
It's easy to implement a system to remove the token from a message in any programming language. You could:
- Copy and paste code to replace the bot token with nothing every time it is outputted (effort);
- Edit the library (if using a library) to replace any iterations of the bot token with nothing when sending a message;
- Write your own code if using your own wrapper/code
As for automatically resetting the token, you could in fact use an environment variable to store the token. When the bot token is detected using one of the methods above, either delete it, or reset the token by sending an HTTP request to the Discord Developers endpoint (will not go over that), copy the new token, and update the environment variable, or even use a headless browser to complete this action and restart the bot. If you really want to, you could even DM the bot owner(s) telling them about the token change along with the new token (just make sure it doesn't infinitely loop).
Not to mention that this can be bypassed by evaluating the bot to send the first couple of letters of the token and the last letters in 2 commands and pasting them together.
As for the bot owner going "rogue" scenario: they could go "rogue" by editing the bot files (assuming they have access) to do whatever actions they want (equivalent to eval) and restart the bot using the evaluation command.
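An added example, not code from this thread or from any bot library, of the scrub-before-send idea from the comment above. It also covers the split-token trick mentioned: instead of matching only the whole token, it flags any run of token characters at least MIN_FRAGMENT long (an assumed threshold), so each half of a token sent in two separate messages is still redacted. SAMPLE_TOKEN is a constructed dummy, and on_leak is a hypothetical hook where the bot would rotate the token and notify its owners.

```python
# Constructed dummy token, not a real credential; a real bot would read it from an env var.
SAMPLE_TOKEN = "MTIzNDU2Nzg5MDEyMzQ1Njc4.AbCdEf.ghIJklMNopQRstUVwxYZ0123456789abcd"

MIN_FRAGMENT = 8  # assumption: 8+ consecutive token characters in a message count as a leak


def leak_spans(text: str, token: str, min_fragment: int = MIN_FRAGMENT) -> list[tuple[int, int]]:
    """Return (start, end) spans of text made of consecutive characters of the token."""
    if len(token) < min_fragment:
        return []
    # Every window of the token; a text window found here is part of the token.
    windows = {token[i:i + min_fragment] for i in range(len(token) - min_fragment + 1)}
    flagged = [False] * len(text)
    for i in range(len(text) - min_fragment + 1):
        if text[i:i + min_fragment] in windows:
            for j in range(i, i + min_fragment):
                flagged[j] = True
    # Merge flagged positions into contiguous spans.
    spans, start = [], None
    for i, hit in enumerate(flagged):
        if hit and start is None:
            start = i
        elif not hit and start is not None:
            spans.append((start, i))
            start = None
    if start is not None:
        spans.append((start, len(text)))
    return spans


def scrub_outgoing(text: str, token: str) -> tuple[str, bool]:
    """Replace every leaked token run with a placeholder; the flag says whether anything leaked."""
    spans = leak_spans(text, token)
    if not spans:
        return text, False
    out, last = [], 0
    for start, end in spans:
        out.append(text[last:start])
        out.append("[TOKEN REDACTED]")
        last = end
    out.append(text[last:])
    return "".join(out), True


def guarded_send(send, text: str, token: str, on_leak) -> object:
    """Wrap the bot's send function: scrub first, fire the leak hook (rotate + notify) if needed."""
    clean, leaked = scrub_outgoing(text, token)
    if leaked:
        on_leak()  # hypothetical hook: reset the token via the developer portal and DM the owners
    return send(clean)
```

Wiring guarded_send around the library's send call covers every eval path at once, which addresses the "awkward rewriting" objection raised earlier in the thread.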