mirror of https://github.com/teloxide/teloxide.git synced 2025-03-14 19:48:50 +01:00

🤖 An elegant Telegram bots framework for Rust https://docs.rs/teloxide

rust telegram telegram-bot-api telegram-bot-framework teloxide

Find a file

Maybe Waffle daec5ee13e Hide bot token in errors This fixes a potential[^1] security vulnerability -- if bot shows errors from teloxide to the user & for some reason network error happened[^2] the url of the request would be included in the error. Since TBA includes bot token in the error this may lead to token leakage. This commit fixes that issue by removing the token from the urls of `reqwest::Error`, we try to only replace the token, but if we fail we remove the whole url. This can be tested by using a very low timeout value for the http reqwest client: ```rust let client = reqwest::Client::builder() .timeout(std::time::Duration::from_millis(1)) .build() .unwrap(); let bot = Bot::from_env_with_client(client).auto_send(); // see if the token is redacted when network error (timeout) happens // while sending common requests let _ = dbg!(bot.get_me().await); // see if the token is redacted when network error (timeout) happens // while downloading files ("path" is unimportant as the timeout is so // low the request probably won't even be sent) let _ = dbg!(bot.download_file_stream("path").next().await); ``` For me this gives the following result: ```text [t.rs:26] bot.get_me().await = Err( Network( reqwest::Error { kind: Request, url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some( Domain( "api.telegram.org", ), ), port: None, path: "/token:redacted/GetMe", query: None, fragment: None, }, source: TimedOut, }, ), ) [t.rs:31] bot.download_file_stream("path").next().await = Some( Err( reqwest::Error { kind: Request, url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some( Domain( "api.telegram.org", ), ), port: None, path: "/file/token:redacted/path", query: None, fragment: None, }, source: TimedOut, }, ), ) ``` Note that this commits parent is `d0be260` and not the current master the master branch currently contains breaking changes (we'll need to make a release from this brach directly). [^1]: Note that there are recorded cases where the token got exposed. [^2]: Note that this can be theoretically be controlled by the user when sending/downloading bigger files.		2022-04-03 13:34:17 +04:00
.cargo	Change process of building docs	2022-01-31 18:23:30 +03:00
.github/workflows	Update clippy, rustfmt and toolchain	2022-01-25 02:10:23 +03:00
examples	Add tools for Bot/Request type erasure	2021-07-12 16:58:51 +03:00
media	Add media	2021-01-13 16:10:56 +03:00
src	Hide bot token in errors	2022-04-03 13:34:17 +04:00
.gitignore	Initial commit	2020-08-12 18:04:50 +03:00
Cargo.toml	Hide bot token in errors	2022-04-03 13:34:17 +04:00
CHANGELOG.md	Hide bot token in errors	2022-04-03 13:34:17 +04:00
LICENSE	Update the license year	2022-01-02 02:53:34 +06:00
netlify.toml	Change process of building docs	2022-01-31 18:23:30 +03:00
README.md	Dump version (-> 0.4.0)	2022-02-03 17:48:36 +03:00
rust-toolchain.toml	Update clippy, rustfmt and toolchain	2022-01-25 02:10:23 +03:00
rustfmt.toml	Small enhancements	2021-02-15 16:46:31 +06:00

README.md

teloxide-core

The core part of teloxide providing tools for making requests to the Telegram Bot API with ease. This library is fully asynchronous and built using tokio.

teloxide-core = "0.4"

Compiler support: requires rustc 1.49+.