Merge pull request AnimeKaizoku#429 from AnimeKaizoku/shiken

feds: Fix authenticated remote code execution
aceleonister001 · May 30, 2021 · acd55f0 · acd55f0
2 parents 46f255b + 309b116
commit acd55f0
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 18 deletions.
diff --git a/SaitamaRobot/modules/feds.py b/SaitamaRobot/modules/feds.py
@@ -1,3 +1,4 @@
+import ast
 import csv
 import json
 import os
@@ -280,7 +281,7 @@ def join_fed(update: Update, context: CallbackContext):
 
         get_fedlog = sql.get_fed_log(args[0])
         if get_fedlog:
-            if eval(get_fedlog):
+            if ast.literal_eval(get_fedlog):
                 bot.send_message(
                     get_fedlog,
                     "Chat *{}* has joined the federation *{}*".format(
@@ -316,7 +317,7 @@ def leave_fed(update: Update, context: CallbackContext):
         if sql.chat_leave_fed(chat.id) is True:
             get_fedlog = sql.get_fed_log(fed_id)
             if get_fedlog:
-                if eval(get_fedlog):
+                if ast.literal_eval(get_fedlog):
                     bot.send_message(
                         get_fedlog,
                         "Chat *{}* has left the federation *{}*".format(
@@ -374,7 +375,7 @@ def user_join_fed(update: Update, context: CallbackContext):
         getuser = sql.search_user_in_fed(fed_id, user_id)
         fed_id = sql.get_fed_id(chat.id)
         info = sql.get_fed_info(fed_id)
-        get_owner = eval(info["fusers"])["owner"]
+        get_owner = ast.literal_eval(info["fusers"])["owner"]
         get_owner = bot.get_chat(get_owner).id
         if user_id == get_owner:
             update.effective_message.reply_text(
@@ -1244,7 +1245,7 @@ def set_frules(update: Update, context: CallbackContext):
         getfed = sql.get_fed_info(fed_id)
         get_fedlog = sql.get_fed_log(fed_id)
         if get_fedlog:
-            if eval(get_fedlog):
+            if ast.literal_eval(get_fedlog):
                 bot.send_message(
                     get_fedlog,
                     "*{}* has updated federation rules for fed *{}*".format(
@@ -1758,7 +1759,7 @@ def fed_import_bans(update: Update, context: CallbackContext):
                 text += " {} Failed to import.".format(failed)
             get_fedlog = sql.get_fed_log(fed_id)
             if get_fedlog:
-                if eval(get_fedlog):
+                if ast.literal_eval(get_fedlog):
                     teks = "Fed *{}* has successfully imported data. {} banned.".format(
                         getfed["fname"], success,
                     )
@@ -1837,7 +1838,7 @@ def fed_import_bans(update: Update, context: CallbackContext):
                 text += " {} Failed to import.".format(failed)
             get_fedlog = sql.get_fed_log(fed_id)
             if get_fedlog:
-                if eval(get_fedlog):
+                if ast.literal_eval(get_fedlog):
                     teks = "Fed *{}* has successfully imported data. {} banned.".format(
                         getfed["fname"], success,
                     )
@@ -2274,7 +2275,7 @@ def is_user_fed_owner(fed_id, user_id):
     getsql = sql.get_fed_info(fed_id)
     if getsql is False:
         return False
-    getfedowner = eval(getsql["fusers"])
+    getfedowner = ast.literal_eval(getsql["fusers"])
     if getfedowner is None or getfedowner is False:
         return False
     getfedowner = getfedowner["owner"]

diff --git a/SaitamaRobot/modules/sql/feds_sql.py b/SaitamaRobot/modules/sql/feds_sql.py
@@ -1,3 +1,4 @@
+import ast
 import threading
 
 from SaitamaRobot import dispatcher
@@ -148,31 +149,31 @@ def get_user_fban(fed_id, user_id):
 def get_user_admin_fed_name(user_id):
     user_feds = []
     for f in FEDERATION_BYFEDID:
-        if int(user_id) in eval(eval(FEDERATION_BYFEDID[f]["fusers"])["members"]):
+        if int(user_id) in ast.literal_eval(ast.literal_eval(FEDERATION_BYFEDID[f]["fusers"])["members"]):
             user_feds.append(FEDERATION_BYFEDID[f]["fname"])
     return user_feds
 
 
 def get_user_owner_fed_name(user_id):
     user_feds = []
     for f in FEDERATION_BYFEDID:
-        if int(user_id) == int(eval(FEDERATION_BYFEDID[f]["fusers"])["owner"]):
+        if int(user_id) == int(ast.literal_eval(FEDERATION_BYFEDID[f]["fusers"])["owner"]):
             user_feds.append(FEDERATION_BYFEDID[f]["fname"])
     return user_feds
 
 
 def get_user_admin_fed_full(user_id):
     user_feds = []
     for f in FEDERATION_BYFEDID:
-        if int(user_id) in eval(eval(FEDERATION_BYFEDID[f]["fusers"])["members"]):
+        if int(user_id) in ast.literal_eval(ast.literal_eval(FEDERATION_BYFEDID[f]["fusers"])["members"]):
             user_feds.append({"fed_id": f, "fed": FEDERATION_BYFEDID[f]})
     return user_feds
 
 
 def get_user_owner_fed_full(user_id):
     user_feds = []
     for f in FEDERATION_BYFEDID:
-        if int(user_id) == int(eval(FEDERATION_BYFEDID[f]["fusers"])["owner"]):
+        if int(user_id) == int(ast.literal_eval(FEDERATION_BYFEDID[f]["fusers"])["owner"]):
             user_feds.append({"fed_id": f, "fed": FEDERATION_BYFEDID[f]})
     return user_feds
 
@@ -325,8 +326,8 @@ def search_user_in_fed(fed_id, user_id):
     getfed = FEDERATION_BYFEDID.get(fed_id)
     if getfed is None:
         return False
-    getfed = eval(getfed["fusers"])["members"]
-    if user_id in eval(getfed):
+    getfed = ast.literal_eval(getfed["fusers"])["members"]
+    if user_id in ast.literal_eval(getfed):
         return True
     else:
         return False
@@ -343,7 +344,7 @@ def user_demote_fed(fed_id, user_id):
         fed_log = getfed["flog"]
         # Temp set
         try:
-            members = eval(eval(getfed["fusers"])["members"])
+            members = ast.literal_eval(ast.literal_eval(getfed["fusers"])["members"])
         except ValueError:
             return False
         members.remove(user_id)
@@ -393,7 +394,7 @@ def user_join_fed(fed_id, user_id):
         fed_rules = getfed["frules"]
         fed_log = getfed["flog"]
         # Temp set
-        members = eval(eval(getfed["fusers"])["members"])
+        members = ast.literal_eval(ast.literal_eval(getfed["fusers"])["members"])
         members.append(user_id)
         # Set user
         FEDERATION_BYOWNER[str(owner_id)]["fusers"] = str(
@@ -454,16 +455,16 @@ def all_fed_users(fed_id):
         getfed = FEDERATION_BYFEDID.get(str(fed_id))
         if getfed is None:
             return False
-        fed_owner = eval(eval(getfed["fusers"])["owner"])
-        fed_admins = eval(eval(getfed["fusers"])["members"])
+        fed_owner = ast.literal_eval(ast.literal_eval(getfed["fusers"])["owner"])
+        fed_admins = ast.literal_eval(ast.literal_eval(getfed["fusers"])["members"])
         fed_admins.append(fed_owner)
         return fed_admins
 
 
 def all_fed_members(fed_id):
     with FEDS_LOCK:
         getfed = FEDERATION_BYFEDID.get(str(fed_id))
-        fed_admins = eval(eval(getfed["fusers"])["members"])
+        fed_admins = ast.literal_eval(ast.literal_eval(getfed["fusers"])["members"])
         return fed_admins