fix(autocomplete): fix errors and db vulnerability where users were a…

…ble to query regex through searches
Discord-InterChat · Jan 25, 2024 · 1e0d44c · 1e0d44c
1 parent 978ded0
commit 1e0d44c
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 18 deletions.
diff --git a/src/commands/slash/Main/blacklist/index.ts b/src/commands/slash/Main/blacklist/index.ts
@@ -5,7 +5,7 @@ import {
   Collection,
   RESTPostAPIApplicationCommandsJSONBody,
 } from 'discord.js';
-import { handleError } from '../../../../utils/Utils.js';
+import { escapeRegexChars, handleError } from '../../../../utils/Utils.js';
 import BaseCommand from '../../../BaseCommand.js';
 import db from '../../../../utils/Db.js';
 
@@ -181,7 +181,7 @@ export default class BlacklistCommand extends BaseCommand {
     if (focusedHub.focused) {
       const hub = await db.hubs.findMany({
         where: {
-          name: { mode: 'insensitive', contains: focusedHub.value },
+          name: { mode: 'insensitive', contains: escapeRegexChars(focusedHub.value) },
           OR: [
             { ownerId: interaction.user.id },
             { moderators: { some: { userId: interaction.user.id } } },

diff --git a/src/commands/slash/Main/connection.ts b/src/commands/slash/Main/connection.ts
@@ -29,6 +29,7 @@ import {
   simpleEmbed,
   getOrCreateWebhook,
   setComponentExpiry,
+  escapeRegexChars,
 } from '../../../utils/Utils.js';
 import { t } from '../../../utils/Locale.js';
 
@@ -141,7 +142,7 @@ export default class Connection extends BaseCommand {
   }
 
   async autocomplete(interaction: AutocompleteInteraction): Promise<void> {
-    const focusedValue = interaction.options.getFocused();
+    const focusedValue = escapeRegexChars(interaction.options.getFocused());
 
     const isInDb = await db.connectedList.findMany({
       where: {

diff --git a/src/commands/slash/Main/hub/index.ts b/src/commands/slash/Main/hub/index.ts
@@ -9,7 +9,7 @@ import {
 } from 'discord.js';
 import BaseCommand from '../../../BaseCommand.js';
 import db from '../../../../utils/Db.js';
-import { handleError } from '../../../../utils/Utils.js';
+import { escapeRegexChars, handleError } from '../../../../utils/Utils.js';
 
 const hubOption: APIApplicationCommandBasicOption = {
   type: ApplicationCommandOptionType.String,
@@ -291,7 +291,7 @@ export default class Hub extends BaseCommand {
 
     const subcommand = interaction.options.getSubcommand();
     const subcommandGroup = interaction.options.getSubcommandGroup();
-    const focusedValue = interaction.options.getFocused();
+    const focusedValue = escapeRegexChars(interaction.options.getFocused());
     let hubChoices;
 
     if (subcommand === 'browse' || subcommand === 'join') {

diff --git a/src/commands/slash/Staff/find/index.ts b/src/commands/slash/Staff/find/index.ts
@@ -70,19 +70,17 @@ export default class Find extends BaseCommand {
       case 'server': {
         const guilds = interaction.client.guilds.cache;
         const focusedValue = interaction.options.getFocused().toLowerCase();
-        const choices: { name: string; id: string }[] = [];
+        const choices = guilds.map((guild) => ({ name: guild.name, value: guild.id }));
 
-        guilds.map((guild) => choices.push({ name: guild.name, id: guild.id }));
         const filtered = choices
           .filter(
             (choice) =>
               choice.name.toLowerCase().includes(focusedValue) ||
-              choice.id.toLowerCase().includes(focusedValue),
+              choice.value.toLowerCase().includes(focusedValue),
           )
-          .slice(0, 25)
-          .map((choice) => ({ name: choice.name, value: choice.id }));
+          .slice(0, 25);
 
-        interaction.respond(filtered);
+        await interaction.respond(filtered);
         break;
       }
 
@@ -101,7 +99,7 @@ export default class Find extends BaseCommand {
           .slice(0, 25)
           .map((choice) => ({ name: choice.username, value: choice.id }));
 
-        interaction.respond(filtered);
+        await interaction.respond(filtered);
         break;
       }
       default:

diff --git a/src/utils/Utils.ts b/src/utils/Utils.ts
@@ -272,17 +272,23 @@ export const parseTimestampFromId = (id: Snowflake) => {
   return timestamp + 1420070400000; // Discord epoch time
 };
 
-export const deleteMsgsFromDb = async (ids: string[]) => {
+export const deleteMsgsFromDb = async (broadcastMsgs: string[]) => {
   // delete all relations first and then delete the hub
-  const msgsToDelete = await db.broadcastedMessages.findMany({ where: { messageId: { in: ids } } });
+  const msgsToDelete = await db.broadcastedMessages.findMany({
+    where: { messageId: { in: broadcastMsgs } },
+  });
   if (!msgsToDelete) return;
 
-  await db.broadcastedMessages.deleteMany({
-    where: { messageId: { in: msgsToDelete.map(({ messageId }) => messageId) } },
+  const originalMsgIds = msgsToDelete.map(({ originalMsgId }) => originalMsgId);
+
+  const childrenBatch = db.broadcastedMessages.deleteMany({
+    where: { originalMsgId: { in: originalMsgIds } },
   });
-  await db.originalMessages.deleteMany({
-    where: { messageId: { in: msgsToDelete.map(({ originalMsgId }) => originalMsgId) } },
+  const originalBatch = db.originalMessages.deleteMany({
+    where: { messageId: { in: originalMsgIds } },
   });
+
+  return await db.$transaction([childrenBatch, originalBatch]);
 };
 
 export const channelMention = (channelId: Snowflake | null | undefined) => {
@@ -318,3 +324,7 @@ export const handleError = (e: Error, interaction?: Interaction) => {
 export const isDev = (userId: Snowflake) => {
   return DeveloperIds.includes(userId);
 };
+
+export const escapeRegexChars = (input: string): string => {
+  return input.replace(/[-[\]{}()*+?.,\\^$|#\s]/g, '\\$&');
+};