New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

可能与格式化字符串有关的漏洞 #71

Open

RC-diamond-GH opened this issue Feb 13, 2024 · 1 comment

RC-diamond-GH commented Feb 13, 2024

机器人的“是不是”功能，在“是不是”后面的字符串包含大括号时，机器人将输出 Json 文本，如下所示：

Member

mystringEmpty commented Feb 14, 2024

首先这是一个脚本的注入漏洞——用户输入的内容不应该格式化，以免安全风险
这里附上我当时写的代码聊供参考，在这里用户文本被存入了msg.answer中而不会被二次转义

local question = msg.fromMsg:match(,"^[%s]*(.-)[%s]*$",msg.fromMsg:find("是")+#"是不是")
local answer = "是"
if(ranint(0,1)>0)then 
	answer = "并不是"
end
msg.answer = answer..(string.match(question,"^(.-)？$") or question)
if isFirstPerson then 
    return "{answer_yes_no_first_person}"
else
    return "{answer_yes_no}"
end

然后就是花括号{}为什么会打印出整个msg的内容的问题……这个是基于源码ManagerSystem.cpp内getContextItem函数的特性，当item为空字符串时，返回context本身，至于当时为什么要设计这个特性……忘了。所以暂时应该不会改动。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment