Clippy goes rogue: how to f**k up a discord bot

Webhooks

• Just a POST or GET request over HTTP
• Instead of returning content, the server runs some code that does something else, say for example, sending a notification on discord.
• Can be triggered via curl

1
2
3

curl -X POST "https://discord.com/api/webhooks/1204013547458400266/mWtRzXZEZP2EWHrXLhQy1eFre8KeOV-vcsKGx5fAYrVzRA46AsXoPBUGzwTUOOlCbnjG" \
-H "Content-Type: application/json" \
-d '{"content": "Woof"}'

DEMO TIME

Serverless

• On the edge in the cloud.
• Cheap and scalable.
• Stateless and low-compute applications.
• A bit like a takeaway vs a restaurant or pub where you have a tab.

Cloudflare

• Our favorite cloud provider because they are are easy to use, secure and free at our scale.

DEMO TIME

Cron

1
2

# Run a cron job at 18:30 on day-of-month 5 and on Monday in February that creates a empty file at /tmp/auto-file-cron
30 18 5 2 1 touch /tmp/auto-file-cron

• Started out in the original Unix that allowed scheduling of jobs.
• A common business case is to auto-running backups.
• Also now the industry-standard way of auto-running that needs to be scheduled everything.
• All the cloud providers have a cron system that you can use, including Cloudflare.
• So you can schedule a serverless worker to be triggered.

Cloudflare Worker

• Cloudflare’s serverless cloud function
• You can use different ways of triggering one of these cron jobs or an HTTP GET request.
• Triggering the webhook would always send notifications because we were not checking anything, just always firing the Discord webhook.
• We added a header to mitigate this.

DNS Propagation

• The worker sits on a subdomain.
• Propagates across DNS servers.
• Different orgs have crawlers that scan a new domain; they may make multiple requests to get things such as the favicon, robots.txt, or sitemap.