feat(counting): +3 saves on 500 count#28
Conversation
Summary by BeetleThis PR introduces two distinct improvements to the Panda Bot: enhanced input validation for the profile editing system and a reward mechanism for the counting game. The changes focus on improving user experience through better error handling and adding engagement incentives. Additionally, the PR includes cleanup of deprecated moderation features from the configuration and documentation. 📁 File Changes Summary (Consolidated across all commits):
Total Changes: 4 files changed, +69 additions, -14 deletions 🗺️ Walkthrough:graph TD
A["User invokes /edit-profile command"] --> B["Collect input options"]
B --> C{"Switch Guard Validation"}
C -->|"Bio invalid"| D["Error: Bio length 2-200"]
C -->|"Country invalid"| E["Error: Country length 2-100"]
C -->|"Age invalid"| F["Error: Age range 1-1000"]
C -->|"Stack invalid"| G["Error: Stack length 2-200"]
C -->|"Hobbies invalid"| H["Error: Hobbies length 2-200"]
C -->|"GitHub invalid"| I["Error: Invalid GitHub URL"]
C -->|"Portfolio invalid"| J["Error: Invalid URL format"]
D --> K["Return ephemeral error message"]
E --> K
F --> K
G --> K
H --> K
I --> K
J --> K
C -->|"All valid"| L["Update profile in database"]
L --> M["Send success confirmation"]
N["User sends count in counting channel"] --> O{"Count equals 500?"}
O -->|"Yes"| P["Add +3 saves to counter"]
P --> Q["Send reward notification"]
Q --> R["React with crown emoji"]
O -->|"No"| S["Continue normal counting flow"]
style C fill:#e1f5ff
style L fill:#d4edda
style P fill:#fff3cd
🎯 Key Changes:
📊 Impact Assessment:
⚙️ SettingsSeverity Threshold: 📖 User Guide
|
|
Important Review skipped Bot user detected. To trigger a single review, invoke the ⚙️ SettingsSeverity Threshold: 📖 User Guide
|
Co-authored-by: beetle-ai[bot] <221859081+beetle-ai[bot]@users.noreply.github.com>
Summary by BeetleThis PR introduces several enhancements to the Panda Bot Discord bot, focusing on improved input validation, user experience refinements, and feature adjustments. The changes include robust validation for the profile editing system with switch-guard pattern implementation, a reward mechanism for the counting game at milestone 500, and improved URL validation patterns. Additionally, the PR includes documentation updates and code formatting improvements to the snowflake decoder command. 📁 File Changes Summary (Consolidated across all commits):
Total Changes: 5 files changed, +112 additions, -37 deletions 🗺️ Walkthrough:graph TD
A["User invokes /edit-profile command"] --> B["Collect input options"]
B --> C{"Switch Guard Validation"}
C -->|"Bio invalid"| D["Error: Bio 2-200 chars"]
C -->|"Country invalid"| E["Error: Country 2-100 chars"]
C -->|"Age invalid"| F["Error: Age 1-1000"]
C -->|"Stack invalid"| G["Error: Stack 2-200 chars"]
C -->|"Hobbies invalid"| H["Error: Hobbies 2-200 chars"]
C -->|"GitHub invalid"| I["Error: Invalid GitHub URL"]
C -->|"Portfolio invalid"| J["Error: Invalid Portfolio URL"]
D --> K["Return ephemeral error"]
E --> K
F --> K
G --> K
H --> K
I --> K
J --> K
C -->|"All valid"| L["Update profile fields"]
L --> M["Save to database"]
M --> N["Success response"]
O["Counting Game: User posts 500"] --> P["Add +3 saves"]
P --> Q["Send celebration message"]
Q --> R["React with crown emoji"]
🎯 Key Changes:
📊 Impact Assessment:
⚙️ SettingsSeverity Threshold: 📖 User Guide
|
| case portfolio !== null && | ||
| !/^https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*)$/.test( |
There was a problem hiding this comment.
The portfolio URL validation regex !/^https?:\/\/[^\s]+$/ is extremely permissive and allows dangerous URLs. It only checks for http:// or https:// followed by any non-whitespace characters, which means it accepts:
javascript:URLs (XSS vector if rendered in web contexts)- URLs with special characters that could break rendering
- Malformed URLs like
http://(just the protocol) - URLs with no domain validation whatsoever
This is a security vulnerability if these portfolio URLs are ever displayed in a web interface, embedded in iframes, or used in any context where URL validation matters.
Confidence: 5/5
Suggested Fix
| case portfolio !== null && | |
| !/^https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*)$/.test( | |
| case portfolio !== null && !/^https?:\/\/([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}(\/[^\s]*)?$/.test(portfolio): | |
| error = "Portfolio link must be a valid URL with a proper domain."; | |
Replace the overly permissive regex with one that validates:
- Protocol (http/https)
- Valid domain structure (subdomain.domain.tld)
- At least a 2-character TLD
- Optional path components
This prevents malformed URLs and potential XSS vectors while still allowing legitimate portfolio URLs.
Prompt for AI
Copy this prompt to your AI IDE to fix this issue locally:
In src/commands/misc/edit-profile.js at line 44, the portfolio URL validation
regex is dangerously permissive and only checks for http/https followed by any
non-whitespace, which allows malformed URLs and potential XSS vectors; replace
the regex pattern with /^https?:\/\/([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}(\/[^\s]*)?$/
to properly validate domain structure and prevent security issues, and update
the error message on line 45 to "Portfolio link must be a valid URL with a
proper domain."
📍 This suggestion applies to lines 44-45
/edit-profilecommand