Summary
The services server crashes in multiple locations when the nested ss.config.services.ratelimit config is incomplete.
Affected Code
Multiple locations in server-services/:
1. start-services.js:189
ss.config.services.ratelimit.sensitive.cmds.includes(msg.cmd)
// CRASH if ss.config.services.ratelimit.sensitive.cmds is undefined
2-9. src/ratelimit.js, lines 37, 41, 52, 56, 70, 71, 84, 85
ss.config.services.ratelimit.sensitive.reset_interval
ss.config.services.ratelimit.sensitive.max_count
ss.config.services.ratelimit.regular.reset_interval
ss.config.services.ratelimit.regular.max_count
// All crash if any intermediate property is undefined
Vulnerability
The crash occurs if the config file is incomplete, is missing nested properties, or is corrupted.
Impact
- Services server crash on startup or first message
- Complete denial of service
Proof of Concept
Start the server with an incomplete config that is missing services.ratelimit.sensitive.
Recommended Fix
Use optional chaining throughout:
// start-services.js:189
ss.config?.services?.ratelimit?.sensitive?.cmds?.includes(msg.cmd)
// ratelimit.js
ss.config?.services?.ratelimit?.sensitive?.reset_interval || 5 * 60
ss.config?.services?.ratelimit?.sensitive?.max_count || 5
ss.config?.services?.ratelimit?.regular?.reset_interval || 60
ss.config?.services?.ratelimit?.regular?.max_count || 10
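Optional chaining only short-circuits on null or undefined, so a value that is present but has the wrong type (the "corrupted" case above) can still throw. The following is an added example, not code from the project: it normalizes the ratelimit config once at load time using the fallback values from the recommended fix. The names normalizeRatelimit, attempt, unguarded and chained are hypothetical, and the sample configs are constructed.

```javascript
// Defaults are the fallback values from the advisory's recommended fix.
const DEFAULTS = {
  sensitive: { reset_interval: 5 * 60, max_count: 5 },
  regular: { reset_interval: 60, max_count: 10 },
};
const isObject = (v) => v !== null && typeof v === 'object';
// Accept only positive finite numbers; anything else falls back to the default.
const positive = (v, fallback) =>
  typeof v === 'number' && Number.isFinite(v) && v > 0 ? v : fallback;

// Hypothetical helper: build a complete ratelimit config from whatever was loaded.
function normalizeRatelimit(config) {
  const rl = config?.services?.ratelimit;
  const tier = (name) => {
    const t = isObject(rl?.[name]) ? rl[name] : {};
    return {
      reset_interval: positive(t.reset_interval, DEFAULTS[name].reset_interval),
      max_count: positive(t.max_count, DEFAULTS[name].max_count),
    };
  };
  const cmds = rl?.sensitive?.cmds;
  const sensitive = tier('sensitive');
  // Assumption: an absent or malformed cmds list means "no sensitive commands".
  sensitive.cmds = Array.isArray(cmds) ? cmds.filter((c) => typeof c === 'string') : [];
  return { sensitive, regular: tier('regular') };
}

// Run a lookup and report 'ok' or the name of the error it threw.
function attempt(fn) {
  try { fn(); return 'ok'; } catch (err) { return err.name; }
}
// The access pattern from the affected code, and the optional-chaining variant.
const unguarded = (c, cmd) => attempt(() => c.services.ratelimit.sensitive.cmds.includes(cmd));
const chained = (c, cmd) => attempt(() => c?.services?.ratelimit?.sensitive?.cmds?.includes(cmd));

// Constructed sample configs (not from the project).
const incomplete = { services: { ratelimit: { regular: { max_count: 20 } } } };
const corrupted = { services: { ratelimit: { sensitive: { cmds: 7, max_count: 'lots' } } } };

console.log('unguarded, incomplete:', unguarded(incomplete, 'login'));
console.log('chained,   incomplete:', chained(incomplete, 'login'));
console.log('chained,   corrupted: ', chained(corrupted, 'login'));
console.log('normalized corrupted: ', normalizeRatelimit(corrupted));
```

With the config normalized at startup, the call sites can read ss.config.services.ratelimit.* directly and a malformed file is handled in one place.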