store: Fix: 7 security issues in major-domo-v2 - hardcoded key, URL encoding, error leaks, bare excepts, guild guard, md5

This commit is contained in:
Cal Corum 2026-02-20 10:50:22 -06:00
parent 49704ce186
commit 5a1a365b2d


@ -0,0 +1,53 @@
---
id: 04acc924-feff-41fe-a4f5-b7accc1d04ee
type: fix
title: "Fix: 7 security issues in major-domo-v2 - hardcoded key, URL encoding, error leaks, bare excepts, guild guard, md5"
tags: [major-domo, security, discord-bot, fix, python, gitea]
importance: 0.8
confidence: 0.8
created: "2026-02-20T16:50:22.694706+00:00"
updated: "2026-02-20T16:50:22.694706+00:00"
---
# Security Fixes Batch: major-domo discord-app-v2
**Commit:** `f4be20a` on `fix/security-issues` branch, merged into `next-release`
**Date:** 2026-02-20
## Issues Fixed
### #19 - Hardcoded Giphy API key removed
- Was: `H86xibttEuUcslgmMM6uu74IgLEZ7UOD` hardcoded in `config.py`
- Fix: Now loaded from `GIPHY_API_KEY` env var with empty string default
- Key moved to `.env` (gitignored), `.env.example` updated
- **Production action required:** Add `GIPHY_API_KEY` to Akamai server env vars before deploying
### #20 - URL parameter injection in APIClient
- File: `APIClient._add_params()`
- Fix: URL-encoded query parameter keys and values using `urllib.parse.quote()`
### #21 - Giphy search phrase injection
- Files: `get_disappointment_gif()` and `get_gif()` methods
- Fix: URL-encoded search phrases before passing to Giphy API
### #22 - Internal exception messages leaking to Discord users
- Files: `transaction_embed.py`, `submit_scorecard.py`
- Was: `str(e)` sent directly to Discord embed
- Fix: Replaced with generic error messages
### #23 - Bare `except:` clauses replaced
- Files: `transaction_freeze.py`, `transaction_embed.py`, `submit_scorecard.py`
- Replaced 7 bare `except:` with `except Exception:`
### #24 - Missing guild guard in role check
- File: `injuries/management.py``has_player_role()`
- Fix: Added `if interaction.guild is None: return False` guard before guild access
### #32 - MD5 replaced with SHA-256 for command hash
- File: `bot.py``_should_sync_commands()` and `_save_command_hash()`
- Was: `hashlib.md5()` (cryptographically weak)
- Fix: `hashlib.sha256()`
## Production Checklist
- Add `GIPHY_API_KEY` env var to Akamai server (`ssh akamai` → edit `container-data/major-domo/.env`)
- Deploy after `next-release` merges to `main`
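Review bot: The "Was:" line under "#19 - Hardcoded Giphy API key removed" reproduces the full key value in a file this commit adds, so the secret is committed again by the note that records its removal. Replace the value with a redacted placeholder such as `<redacted>`. Because the note says the key was moved to `.env` rather than replaced, add a key rotation step to the Production Checklist. A smaller point under #20: `urllib.parse.quote()` leaves `/` unescaped by default, so the note should state whether `safe=''` was passed for query parameter keys and values.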