Description
The Vulnerability:
The .rss command lacks URI scheme validation, allowing users to pass non-HTTP schemes such as file://.
/plugins/feeds.py
The Exploit:
A malicious user can execute .rss file:///dev/zero.
The Impact:
Because /dev/zero outputs an infinite stream of null bytes, the underlying feed parser gets trapped in an endless read loop. This locks the bot's main event loop. The bot stops responding to IRC PING requests and is forcefully disconnected by the server (Remote host closed the connection), effectively acting as a Denial of Service (DoS) attack. If the IRC server does not disconnect the bot, it will eventually crash the host via an Out-Of-Memory (OOM) exception.
Proposed Fix:
Implement strict scheme validation (e.g., using urllib.parse.urlparse) before passing the user's string to the feed parser. The command should reject any URL whose scheme is not explicitly http or https.
Default configuration and installation.
Log from bot.log
[2600net:malicioususer] .rss file:///dev/zero
Log from IRC:
<*buffextras> JARVIS!cloudbot@just.a.rather.very.intelligent.system quit: Remote host closed the connection
Without further research I just disabled the command for now.
Possible untested fix:
    # --- SSRF / LFI Patch ---
    # Reject anything that is not an explicit http:// or https:// URL
    # before the user's string reaches the feed parser.
    if not text.strip().startswith(('http://', 'https://')):
        reply("Error: Invalid URL. Only HTTP and HTTPS feeds are supported.")
        return
    # ------------------------
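A scheme check along the lines of the proposed fix, as an added example rather than CloudBot's own code: `validate_feed_url`, `check_rss_argument` and the sample inputs are constructed here, and the check uses the standard-library `urllib.parse.urlparse` the report suggests, which also handles an uppercase scheme and a scheme with no host that a plain startswith() test would not.

```python
from urllib.parse import urlparse

ALLOWED_SCHEMES = frozenset({"http", "https"})


def validate_feed_url(text):
    """Return the cleaned feed URL if it is an http(s) URL, else None.

    The check runs before the string is handed to the feed parser, so a
    ``file://`` (or any other non-HTTP) target never reaches it.
    """
    candidate = text.strip()
    try:
        parts = urlparse(candidate)
    except ValueError:
        # urlparse raises on some malformed inputs (e.g. bad IPv6 brackets)
        return None
    # urlparse() lowercases the scheme, so "HTTP://..." is also accepted
    if parts.scheme not in ALLOWED_SCHEMES:
        return None
    # A scheme alone ("http:///path") has no host and is not a usable feed
    if not parts.netloc:
        return None
    return candidate

def check_rss_argument(text):
    """The .rss handler's decision: the error text the bot would reply
    with, or None when the URL may be passed on to the feed parser."""
    if validate_feed_url(text) is None:
        return "Error: Invalid URL. Only HTTP and HTTPS feeds are supported."
    return None


# Constructed inputs: the report's payload plus variants worth checking.
SAMPLES = {
    "file:///dev/zero": False,             # the report's DoS input
    "  file:///dev/zero ": False,          # surrounding whitespace
    "HTTP://example.com/feed.xml": True,   # uppercase scheme is still http
    "https://example.com/feed.xml": True,
    "ftp://example.com/feed.xml": False,
    "http:///feed.xml": False,             # scheme but no host
    "example.com/feed.xml": False,         # no scheme at all
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        ok = validate_feed_url(url) is not None
        print(f"{'ACCEPT' if ok else 'REJECT'} {url!r}")
        assert ok == expected
```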