Skip to content

Fix bugs and security issues (backward compatible)#9

Open
Adriapp wants to merge 1 commit into
neneone:masterfrom
Adriapp:fix/security-and-bugfixes
Open

Fix bugs and security issues (backward compatible)#9
Adriapp wants to merge 1 commit into
neneone:masterfrom
Adriapp:fix/security-and-bugfixes

Conversation

@Adriapp

@Adriapp Adriapp commented Jun 17, 2026

Copy link
Copy Markdown

This PR collects a set of backward-compatible bug fixes and security hardenings for the framework. Existing bots keep working without any change to their code or configuration.

🔴 Functional bugs (cause fatal errors)

  • VariablesMaker::parseMessage called parsePassport(), but the method is named parsePassportData(). Any message containing Telegram Passport data triggered a fatal "Call to undefined method". Fixed the call.
  • BotAPI::__call threw \neneone\neneone\Exception (a non-existent namespace), so calling an unknown API method produced a "class not found" fatal error instead of the intended exception. Fixed to \neneone\SnapeBot\Exception.
  • BotAPI getMe entry in the methods list was a copy of sendMessage's parameters (chat_id/text as required), generating PHP warnings on every startup. Set to [].

🟠 Security

  • SQL injection on identifiers: the table name and the setPage() $field argument were concatenated directly into queries (PDO can't bind identifiers). Added a [A-Za-z0-9_] whitelist that throws on invalid values. Values (userID, name, …) were already bound — only identifiers were affected.
  • Callback data encryption:
    • specialEncrypt() now uses a random IV per encryption (prepended to the ciphertext) instead of a fixed, deterministic IV. specialDecrypt() is fully backward compatible: data produced by older versions (fixed-IV format) is still decrypted correctly, so buttons already in the wild keep working.
    • Added a warning (E_USER_WARNING) when cbDataEncryption is enabled while the default key/iv (publicly known from the repo) are still in use.
  • PDO connection: added charset=utf8mb4 (fixes emoji in names) and ERRMODE_EXCEPTION so DB errors surface instead of failing silently on PHP 7.

🟡 Minor / consistency

  • SnapeBot::buildSettings now initializes $builtSettings (avoids a notice with an empty scheme).
  • Fixed namespace casing in the BotAPI instantiation (snapeBotSnapeBot).
  • composer.json: license aligned with the actual LICENSE file (GPL-3.0-or-later instead of AGPL-3.0-only); minimum-stability set to stable.

Notes — intentionally left untouched (to discuss)

These were spotted but not changed to avoid altering runtime behavior; happy to address them if you prefer:

  1. firstRun defaults to true, so CREATE TABLE IF NOT EXISTS runs on every webhook call (performance only).
  2. In the constructor, !isset($this->settings['botUsername']) is always false after buildSettings. Making it actually fire would add a mandatory getMe network call, which could break offline/testing setups.
  3. msg / username are not HTML-escaped (unlike firstName/title). It's the developer's responsibility, and escaping here could cause double-escaping.

All five changed PHP files pass php -l, and composer.json is valid JSON. Marked as draft for review before merging.

- VariablesMaker: fix call to undefined method parsePassport() -> parsePassportData()
- BotAPI: fix wrong exception namespace (neneone\neneone -> neneone\SnapeBot)
- BotAPI: fix getMe method definition (was a copy of sendMessage params)
- DatabaseManager/SnapeBot: whitelist table name and setPage field to prevent SQL injection on identifiers
- SnapeBot: use a random IV for callback data encryption (decrypt stays backward compatible with the old fixed-IV format) and warn when default encryption key/iv are used
- DatabaseManager: set PDO charset=utf8mb4 and ERRMODE_EXCEPTION
- SnapeBot: initialize $builtSettings, fix namespace case in BotAPI instantiation
- composer.json: align license with LICENSE file (GPL-3.0-or-later), minimum-stability stable

Co-Authored-By: WOZCODE <contact@withwoz.com>
@Adriapp Adriapp marked this pull request as ready for review June 18, 2026 14:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant