teloxide/CHANGELOG.md
Maybe Waffle daec5ee13e Hide bot token in errors
This fixes a potential[^1] security vulnerability -- if bot shows errors
from teloxide to the user & for some reason network error happened[^2]
the url of the request would be included in the error. Since TBA
includes bot token in the error this may lead to token leakage.

This commit fixes that issue by removing the token from the urls of
`reqwest::Error`, we try to only replace the token, but if we fail we
remove the whole url.

This can be tested by using a very low timeout value for the http
reqwest client:
```rust
let client = reqwest::Client::builder()
    .timeout(std::time::Duration::from_millis(1))
    .build()
    .unwrap();

let bot = Bot::from_env_with_client(client).auto_send();

// see if the token is redacted when network error (timeout) happens
// while sending common requests
let _ = dbg!(bot.get_me().await);

// see if the token is redacted when network error (timeout) happens
// while downloading files ("path" is unimportant as the timeout is so
// low the request probably won't even be sent)
let _ = dbg!(bot.download_file_stream("path").next().await);
```

For me this gives the following result:
```text
[t.rs:26] bot.get_me().await = Err(
    Network(
        reqwest::Error {
            kind: Request,
            url: Url {
                scheme: "https",
                cannot_be_a_base: false,
                username: "",
                password: None,
                host: Some(
                    Domain(
                        "api.telegram.org",
                    ),
                ),
                port: None,
                path: "/token:redacted/GetMe",
                query: None,
                fragment: None,
            },
            source: TimedOut,
        },
    ),
)
[t.rs:31] bot.download_file_stream("path").next().await = Some(
    Err(
        reqwest::Error {
            kind: Request,
            url: Url {
                scheme: "https",
                cannot_be_a_base: false,
                username: "",
                password: None,
                host: Some(
                    Domain(
                        "api.telegram.org",
                    ),
                ),
                port: None,
                path: "/file/token:redacted/path",
                query: None,
                fragment: None,
            },
            source: TimedOut,
        },
    ),
)
```

Note that this commits parent is `d0be260` and not the current master
the master branch currently contains breaking changes (we'll need to
make a release from this brach directly).

[^1]: Note that there are recorded cases where the token got exposed.
[^2]: Note that this can be theoretically be controlled by the user when
      sending/downloading bigger files.
2022-04-03 13:34:17 +04:00

19 KiB

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

unreleased

0.4.5 - 2022-04-03

Fixed

  • Hide bot token in errors (#200)

0.4.4 - 2022-04-21

Added

  • WrongFileIdOrUrl and FailedToGetUrlContent errors (#188)
  • NotFound error (#190)
  • HasPayload::with_payload_mut function (#189)

0.4.3 - 2022-03-08

Added

  • User::is_telegram function (#186)

Fixed

  • Update::chat() now returns Some(&Chat) for UpdateKind::ChatMember, UpdateKind::MyChatMember, UpdateKind::ChatJoinRequest (#184)
  • get_updates timeouts (partially revert buggy #180) (#185)

0.4.2 - 2022-02-17 [yanked]

Deprecated

  • Message::chat_id use .chat.id field instead (#182)

Fixed

  • Serialization of SendPoll::type_ (it's now possible to send quiz polls) (#181)

Added

  • Payload::timeout_hint method to properly handle long running requests like GetUpdates (#180)

0.4.1 - 2022-02-13

Fixed

  • Deserialization of UntilDate (#178)

0.4.0 - 2022-02-03

Added

  • ApiError::TooMuchInlineQueryResults (#135)
  • ApiError::NotEnoughRightsToChangeChatPermissions (#155)
  • Support for 5.4 telegram bot API (#133)
  • Support for 5.5 telegram bot API (#143, #164)
  • Support for 5.6 telegram bot API (#162)
  • Support for 5.7 telegram bot API (#175)
  • EditedMessageIsTooLong error (#109)
  • UntilDate enum and use it for {Restricted, Banned}::until_date (#117)
  • Limits::messages_per_min_channel (#121)
  • media_group_id field to MediaDocument and MediaAudio (#139)
  • caption_entities method to InputMediaPhoto (#140)
  • User::is_anonymous and User::is_channel functions (#151)
  • UpdateKind::Error (#156)

Changed

  • Refactor InputFile (#167)
    • Make it an opaque structure, instead of enum
    • Add read constructor, that allows creating InputFile from impl AsyncRead
    • Internal changes
  • Refactor errors (#134)
    • Rename DownloadError::NetworkError to Network
    • Rename RequestError::ApiError to Api
    • Remove RequestError::Api::status_code and rename RequestError::Api::kind to 0 (struct to tuple struct)
    • Rename RequestError::NetworkError to Network
    • Implement Error for ApiError
  • Use url::Url for urls, use chrono::DateTime<Utc> for dates in types (#115)
  • Mark ApiError as non_exhaustive (#125)
  • InputFile and related structures now do not implement PartialEq, Eq and Hash (#133)
  • How forwarded messages are represented (#151)
  • RequestError::InvalidJson now has a raw field with raw json for easier debugability (#150)
  • ChatPermissions is now bitflags (#157)
  • Type of WebhookInfo::ip_address from Option<String> to Option<std::net::IpAddr> (#172)
  • Type of WebhookInfo::allowed_updates from Option<Vec<String>> to Option<Vec<AllowedUpdate>> (#174)

Fixed

  • Deserialization of chat migrations, see issue #427 (#143)
  • Type of BanChatMember::until_date: u64 -> chrono::DateTime<Utc> (#117)
  • Type of Poll::correct_option_id: i32 -> u8 (#119)
  • Type of Poll::open_period: i32 -> u16 (#119)
  • Throttle adaptor not honouring chat/min limits (#121)
  • Make SendPoll::type_ optional (#133)
  • Bug with caption_entities, see issue #473
  • Type of response for CopyMessage method (#141, #142)
  • Bad request serialization when the language field of MessageEntityKind::Pre is None (#145)
  • Deserialization of MediaKind::Venue (#147)
  • Deserialization of VoiceChat{Started,Ended} messages (#153)
  • Serialization of BotCommandScope::Chat{,Administrators} (#154)

Removed

  • get_updates_fault_tolerant method and SemiparsedVec (#156)

0.3.3 - 2021-08-03

Fixed

  • Compilation with nightly feature (use type_alias_impl_trait instead of min_type_alias_impl_trait) (#108)

0.3.2 - 2021-07-27

Added

  • ErasedRequester bot adaptor, ErasedRequest struct, {Request, RequesterExt}::erase functions (#105)
  • Trace bot adaptor (#104)
  • HasPayload, Request and Requester implementations for either::Either (#103)

0.3.1 - 2021-07-07

  • Minor documentation tweaks (#102)
  • Remove Self: 'static bound on RequesterExt::throttle (#102)

0.3.0 - 2021-07-05

Added

  • impl Clone for {CacheMe, DefaultParseMode, Throttle} (#76)
  • DefaultParseMode::parse_mode which allows to get currently used default parse mode (#77)
  • Thrrotle::{limits,set_limits} functions (#77)
  • Throttle::{with_settings,spawn_with_settings} and throttle::Settings (#96)
  • Getters for fields nested in Chat (#80)
  • API errors: ApiError::NotEnoughRightsToManagePins, ApiError::BotKickedFromSupergroup (#84)
  • Telegram bot API 5.2 support (#86)
  • Telegram bot API 5.3 support (#99)
  • net::default_reqwest_settings function (#90)

Changed

  • Message::url now returns links to messages in private groups too (#80)
  • Refactor ChatMember methods (#74)
    • impl Deref<Target = ChatMemberKind> to make ChatMemberKind's methods callable directly on ChatMember
    • Add ChatMemberKind::is_{creator,administrator,member,restricted,left,kicked} which check kind along with is_privileged and is_in_chat which combine some of the above.
    • Refactor privilege getters
  • Rename ChatAction::{RecordAudio => RecordVoice, UploadAudio => UploadVoice} (#86)
  • Use url::Url for urls, use chrono::DateTime<Utc> for dates (#97)

Fixed

  • telegram_response: fix issue retry_after and migrate_to_chat_id handling (#94)
  • Type of PublicChatSupergroup::slow_mode_delay field: Option<i32>=> Option<u32> (#80)
  • Add missing Chat::message_auto_delete_time field (#80)
  • Output types of LeaveChat PinChatMessage, SetChatDescription, SetChatPhoto SetChatTitle, UnpinAllChatMessages and UnpinChatMessage: String => True (#79)
  • SendChatAction output type Message => True (#75)
  • GetChatAdministrators output type ChatMember => Vec<ChatMember> (#73)
  • reqwest dependency bringing native-tls in even when rustls was selected (#71)
  • Type of {Restricted,Kicked}::until_date fields: i32 => i64 (#74)
  • Type of PhotoSize::{width,height} fields: i32 => u32 (#100)

0.2.2 - 2020-03-22

Fixed

  • Typo: ReplyMarkup::{keyboad => keyboard} (#69)
    • Note: method with the old name was deprecated and hidden from docs

0.2.1 - 2020-03-19

Fixed

  • Types fields privacy (make fields of some types public) (#68)
    • Dice::{emoji, value}
    • MessageMessageAutoDeleteTimerChanged::message_auto_delete_timer_changed
    • PassportElementError::{message, kind}
    • StickerSet::thumb

0.2.0 - 2020-03-16

Changed

  • Refactor ReplyMarkup (#pr65) (BC)
    • Rename ReplyMarkup::{InlineKeyboardMarkup => InlineKeyboard, ReplyKeyboardMarkup => Keyboard, ReplyKeyboardRemove => KeyboardRemove}
    • Add inline_kb, keyboad, kb_remove and force_reply ReplyMarkup consructors
    • Rename ReplyKeyboardMarkup => KeyboardMarkup
    • Rename ReplyKeyboardRemove => KeyboardRemove
    • Remove useless generic param from ReplyKeyboardMarkup::new and InlineKeyboardMarkup::new
    • Change parameters order in ReplyKeyboardMarkup::append_to_row and InlineKeyboardMarkup::append_to_row
  • Support telegram bot API version 5.1 (see it's changelog) (#pr63) (BC)
  • Support telegram bot API version 5.0 (see it's changelog) (#pr62) (BC)

Added

  • GetUpdatesFaultTolerant - fault toletant version of GetUpdates (#58) (BC)
  • Derive Clone for AutoSend.

Fixed

  • Make MediaContact::contact public (#pr64)
  • set_webhook signature (make allowed_updates optional) (#59)
  • Fix typos in payloads (#57):
    • get_updates: offset i64 -> i32
    • send_location: make live_period optional
  • send_contact signature (phone_number and first_name f64 => String) (#56)

Removed

  • Message::text_owned (#pr62) (BC)

Changed

  • NonStrictVec -> SemiparsedVec.

0.1.1 - 2020-02-17

Fixed

  • Remove dbg! call from internals (#53)

0.1.0 - 2020-02-17

Added

  • #[non_exhaustive] on InputFile since we may want to add new ways to send files in the future (#49)
  • MultipartPayload for future proofing (#49)
  • Support for rustls (#24)
  • #[must_use] attr to payloads implemented by macro (#22)
  • forward-to-deref Requester impls (#39)
  • Bot::{set_,}api_url methods (#26, #35)
  • payloads module
  • RequesterExt trait which is implemented for all Requesters and allows easily wrapping them in adaptors
  • adaptors module (#14)
    • throttle, cache_me, auto_send and full crate features
    • Request throttling - opt-in feature represented by Throttle bot adapter which allows automatically checking telegram limits (#10, #46, #50)
    • Request auto sending - ability to .await requests without need to call .send() (opt-in feature represented by AutoSend bot adapter, #8)
    • get_me caching (opt-in feature represented by CacheMe bot adapter)
  • Requester trait which represents bot-clients (#7, #12, #27)
  • {Json,Multipart}Request the Bot requests types (#6)
  • Output<T> alias to <<T as HasPayload>::Payload as Payload>::Output
  • Payload, HasPayload and Request traits which represent different parts of the request (#5)
  • GetUpdatesNonStrict 'telegram' method, that behaves just like GetUpdates but doesn't #2 fail if one of updates fails to be deserialized
  • Move core code here from the teloxide main repo, for older changes see it's CHANGELOG.md.
    • Following modules were moved:
      • bot
      • requests [except requests::respond function]
      • types
      • errors
      • net [private]
    • client_from_env was moved from teloxide::utils to crate root of teloxide-core
    • To simplify GetUpdates request it was changed to simply return Vec<Update> (instead of Vec<Result<Update, (Value, serde_json::Error)>>)

Changed

  • Cleanup setters in types::* (remove most of them) (#44)
  • Refactor KeyboardButtonPollType (#44)
  • Replace Into<Vec<_>> by IntoIterator<Item = _> in function arguments (#44)
  • Update dependencies (including tokio 1.0) (#37)
  • Refactor file downloading (#30):
    • Make net module public
    • Move Bot::download_file{,_stream} methods to a new Download trait
      • Impl Download for all bot adaptors & the Bot itself
    • Change return type of download_file_stream — return Stream<Result<Bytes>>``, instead of Future<Result<Stream<Result>>>``
    • Add api_url param to standalone versions of download_file{,_stream}
    • Make net::{TELEGRAM_API_URL, download_file{,_stream}} pub
  • Refactor Bot (#29):
    • Move default parse mode to an adaptor (DefaultParseMode)
    • Remove bot builder (it's not usefull anymore, since parse_mode is moved away)
    • Undeprecate bot constructors (Bot::{new, with_client, from_env_with_client})
  • Rename StickerType => InputSticker, {CreateNewStickerSet,AddStickerToSet}::sticker_type} => sticker (#23, #43)
  • Use _: IntoIterator<Item = T> bound instead of _: Into<Vec<T>> in telegram methods which accept collections (#21)
  • Make MessageDice::dice pub (#20)
  • Merge ApiErrorKind and KnownApiErrorKind into ApiError (#13)
  • Refactor ChatMember (#9)
    • Replace a bunch of Option<_> fields with ChatMemberKind
    • Remove setters (users are not expected to create this struct)
    • Add getters
  • Changed internal mechanism of sending multipart requests (#1)
  • Added RequestError::Io(io::Error) to wrap I/O error those can happen while sending files to telegram
  • Make all fields of all methods pub (#3)

Removed

  • unstable-stream feature (now Bot::download_file_stream is accesable by default)
  • old Request trait
  • RequestWithFile, now multipart requests use Request
  • Remove all #[non_exhaustive] annotations (#4)
  • Remove MessageEntity::text_from because it's wrong (#44)