From 6bc95c50b22ce08eb5109b3e08874cbdf57c241e Mon Sep 17 00:00:00 2001
From: Zabuzard
Date: Fri, 7 Oct 2022 12:47:40 +0200
Subject: [PATCH] Fixed bug with format injection
---
 .../org/togetherjava/tjbot/commands/help/AskCommand.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/application/src/main/java/org/togetherjava/tjbot/commands/help/AskCommand.java b/application/src/main/java/org/togetherjava/tjbot/commands/help/AskCommand.java
index 59ce0f3fff..84412437f9 100644
--- a/application/src/main/java/org/togetherjava/tjbot/commands/help/AskCommand.java
+++ b/application/src/main/java/org/togetherjava/tjbot/commands/help/AskCommand.java
@@ -136,10 +136,11 @@ private RestAction sendInitialMessage(Guild guild, ThreadChannel thread
 .map(role -> " (%s)".formatted(role.getAsMention()))
 .orElse("");
 
- String contentPattern = "%s has a question about '**%s**'%%s and will send the details now."
- .formatted(author.getAsMention(), title);
- String contentWithoutRole = contentPattern.formatted("");
- String contentWithRole = contentPattern.formatted(roleMentionDescription);
+ String contentPrefix =
+ "%s has a question about '**%s**'".formatted(author.getAsMention(), title);
+ String contentSuffix = " and will send the details now.";
+ String contentWithoutRole = contentPrefix + contentSuffix;
+ String contentWithRole = contentPrefix + roleMentionDescription + contentSuffix;
 
 // We want to invite all members of a role, but without hard-pinging them. However,
 // manually inviting them is cumbersome and can hit rate limits.
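Review bot: `title` is still placed verbatim between the `**` markers in `contentPrefix`, so although it can no longer be interpreted as a format string, any Discord Markdown or mention syntax it contains is sent as-is. If `title` comes from the command's user input (its origin is not visible in this hunk), consider escaping it at this point, e.g. `.formatted(author.getAsMention(), MarkdownSanitizer.escape(title))`, and confirm that the allowed-mentions settings on this message also cover text inside the title. A one-line comment above `contentPrefix` would keep the fix from being refactored back into a two-pass format: `// title is user input: format it exactly once, then concatenate; never reuse the result as a pattern`. `sendInitialMessage` begins and ends outside the hunk, so how the two strings are sent could not be checked here.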