Fix bugs and security issues (backward compatible)#9
Open
Adriapp wants to merge 1 commit into
Open
Conversation
- VariablesMaker: fix call to undefined method parsePassport() -> parsePassportData() - BotAPI: fix wrong exception namespace (neneone\neneone -> neneone\SnapeBot) - BotAPI: fix getMe method definition (was a copy of sendMessage params) - DatabaseManager/SnapeBot: whitelist table name and setPage field to prevent SQL injection on identifiers - SnapeBot: use a random IV for callback data encryption (decrypt stays backward compatible with the old fixed-IV format) and warn when default encryption key/iv are used - DatabaseManager: set PDO charset=utf8mb4 and ERRMODE_EXCEPTION - SnapeBot: initialize $builtSettings, fix namespace case in BotAPI instantiation - composer.json: align license with LICENSE file (GPL-3.0-or-later), minimum-stability stable Co-Authored-By: WOZCODE <contact@withwoz.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR collects a set of backward-compatible bug fixes and security hardenings for the framework. Existing bots keep working without any change to their code or configuration.
🔴 Functional bugs (cause fatal errors)
VariablesMaker::parseMessagecalledparsePassport(), but the method is namedparsePassportData(). Any message containing Telegram Passport data triggered a fatal "Call to undefined method". Fixed the call.BotAPI::__callthrew\neneone\neneone\Exception(a non-existent namespace), so calling an unknown API method produced a "class not found" fatal error instead of the intended exception. Fixed to\neneone\SnapeBot\Exception.BotAPIgetMeentry in the methods list was a copy ofsendMessage's parameters (chat_id/textas required), generating PHP warnings on every startup. Set to[].🟠 Security
setPage()$fieldargument were concatenated directly into queries (PDO can't bind identifiers). Added a[A-Za-z0-9_]whitelist that throws on invalid values. Values (userID, name, …) were already bound — only identifiers were affected.specialEncrypt()now uses a random IV per encryption (prepended to the ciphertext) instead of a fixed, deterministic IV.specialDecrypt()is fully backward compatible: data produced by older versions (fixed-IV format) is still decrypted correctly, so buttons already in the wild keep working.E_USER_WARNING) whencbDataEncryptionis enabled while the default key/iv (publicly known from the repo) are still in use.charset=utf8mb4(fixes emoji in names) andERRMODE_EXCEPTIONso DB errors surface instead of failing silently on PHP 7.🟡 Minor / consistency
SnapeBot::buildSettingsnow initializes$builtSettings(avoids a notice with an empty scheme).BotAPIinstantiation (snapeBot→SnapeBot).composer.json: license aligned with the actualLICENSEfile (GPL-3.0-or-laterinstead ofAGPL-3.0-only);minimum-stabilityset tostable.Notes — intentionally left untouched (to discuss)
These were spotted but not changed to avoid altering runtime behavior; happy to address them if you prefer:
firstRundefaults totrue, soCREATE TABLE IF NOT EXISTSruns on every webhook call (performance only).!isset($this->settings['botUsername'])is always false afterbuildSettings. Making it actually fire would add a mandatorygetMenetwork call, which could break offline/testing setups.msg/usernameare not HTML-escaped (unlikefirstName/title). It's the developer's responsibility, and escaping here could cause double-escaping.All five changed PHP files pass
php -l, andcomposer.jsonis valid JSON. Marked as draft for review before merging.