| id | type | title | tags | importance | confidence | created | updated |
|---|---|---|---|---|---|---|---|
| 04acc924-feff-41fe-a4f5-b7accc1d04ee | fix | Fix: 7 security issues in major-domo-v2 - hardcoded key, URL encoding, error leaks, bare excepts, guild guard, md5 | | 0.8 | 0.8 | 2026-02-20T16:50:22.694706+00:00 | 2026-02-20T16:50:22.694706+00:00 |
Security Fixes Batch: major-domo discord-app-v2
Commit: f4be20a on fix/security-issues branch, merged into next-release
Date: 2026-02-20
Issues Fixed
#19 - Hardcoded Giphy API key removed
- Was: `H86xibttEuUcslgmMM6uu74IgLEZ7UOD` hardcoded in `config.py`
- Fix: Now loaded from `GIPHY_API_KEY` env var with empty string default
- Key moved to `.env` (gitignored), `.env.example` updated
- Production action required: Add `GIPHY_API_KEY` to Akamai server env vars before deploying
#20 - URL parameter injection in APIClient
- File: `APIClient._add_params()`
- Fix: URL-encoded query parameter keys and values using `urllib.parse.quote()`
#21 - Giphy search phrase injection
- Files: `get_disappointment_gif()` and `get_gif()` methods
- Fix: URL-encoded search phrases before passing to Giphy API
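A before/after illustration of the query-encoding fix behind #20 and #21, added here as an example and not the project's own `APIClient` code; the function names, the base URL and the sample search phrase are constructed for the demonstration.

```python
# Added example, not code from major-domo. Shows why percent-encoding query
# keys and values (the #20/#21 fix) stops a user-supplied value from smuggling
# extra parameters into the request. Function names are hypothetical.
from urllib.parse import quote, urlsplit, parse_qs


def add_params_unsafe(url: str, params: dict) -> str:
    """'Before' shape of the bug: raw string concatenation. A value containing
    '&' or '=' is interpreted by the server as additional parameters."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return f"{url}?{query}"


def add_params_safe(url: str, params: dict) -> str:
    """'After' shape of the fix: keys and values go through urllib.parse.quote().
    safe='' (an assumption beyond the page) also encodes '/', so every reserved
    character in the value stays literal data."""
    query = "&".join(
        f"{quote(str(k), safe='')}={quote(str(v), safe='')}"
        for k, v in params.items()
    )
    return f"{url}?{query}"


def parsed_params(full_url: str) -> dict:
    """Decode the query the way a receiving server would, to compare results."""
    return dict(parse_qs(urlsplit(full_url).query))


# Constructed sample: a search phrase that happens to contain query metacharacters.
PHRASE = "sad cat&limit=50"
BASE = "https://example.test/v1/gifs/search"  # placeholder, not Giphy's real endpoint

if __name__ == "__main__":
    # Unsafe: 'limit' now has two values and the phrase was silently truncated.
    print(parsed_params(add_params_unsafe(BASE, {"q": PHRASE, "limit": "1"})))
    # Safe: the whole phrase survives as the single 'q' value; 'limit' is untouched.
    print(parsed_params(add_params_safe(BASE, {"q": PHRASE, "limit": "1"})))
```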
#22 - Internal exception messages leaking to Discord users
- Files: `transaction_embed.py`, `submit_scorecard.py`
- Was: `str(e)` sent directly to Discord embed
- Fix: Replaced with generic error messages
#23 - Bare except: clauses replaced
- Files: `transaction_freeze.py`, `transaction_embed.py`, `submit_scorecard.py`
- Replaced 7 bare `except:` with `except Exception:`
#24 - Missing guild guard in role check
- File: `injuries/management.py` → `has_player_role()`
- Fix: Added `if interaction.guild is None: return False` guard before guild access
#32 - MD5 replaced with SHA-256 for command hash
- File: `bot.py` → `_should_sync_commands()` and `_save_command_hash()`
- Was: `hashlib.md5()` (cryptographically weak)
- Fix: `hashlib.sha256()`
Production Checklist
- Add `GIPHY_API_KEY` env var to Akamai server (`ssh akamai` → edit `container-data/major-domo/.env`)
- Deploy after `next-release` merges to `main`