Impact

The DreamMaker API (DMAPI) chat channel cache can possibly be poisoned by a tgstation-server (TGS) restart and reattach. This can result in sending chat messages to one of any of the configured IRC or Discord channels for the instance on enabled chat bots. This lasts until the instance's chat channels are updated in TGS or DreamDaemon is restarted.

TGS chat commands are unaffected, custom or otherwise.

Patches

#1493

Workarounds for Affected Versions

One of:

• Avoid restarting TGS with an active watchdog on an instance with sensitive chat channels until updating to a patched version.
• Update your codebase to a patched DMAPI version, perform a deployment, and have a watchdog restart triggered. Do not make deployments that roll back this change without updating TGS to a patched version.
• Trigger a watchdog restart immediately after each time TGS is restarted with an active watchdog on an instance with sensitive chat channels.
• Disallow your DreamMaker code from sending sensitive messages, deploy the change, and have a watchdog restart triggered. Do not make deployments that roll back this change without updating the DMAPI or TGS to a patched version.
• Remove sensitive message enabled channels from active Chat Bots.
• Disable or delete chat bots with sensitive channels.