daec5ee13e
This fixes a potential[^1] security vulnerability -- if bot shows errors from teloxide to the user & for some reason network error happened[^2] the url of the request would be included in the error. Since TBA includes bot token in the error this may lead to token leakage. This commit fixes that issue by removing the token from the urls of `reqwest::Error`, we try to only replace the token, but if we fail we remove the whole url. This can be tested by using a very low timeout value for the http reqwest client: ```rust let client = reqwest::Client::builder() .timeout(std::time::Duration::from_millis(1)) .build() .unwrap(); let bot = Bot::from_env_with_client(client).auto_send(); // see if the token is redacted when network error (timeout) happens // while sending common requests let _ = dbg!(bot.get_me().await); // see if the token is redacted when network error (timeout) happens // while downloading files ("path" is unimportant as the timeout is so // low the request probably won't even be sent) let _ = dbg!(bot.download_file_stream("path").next().await); ``` For me this gives the following result: ```text [t.rs:26] bot.get_me().await = Err( Network( reqwest::Error { kind: Request, url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some( Domain( "api.telegram.org", ), ), port: None, path: "/token:redacted/GetMe", query: None, fragment: None, }, source: TimedOut, }, ), ) [t.rs:31] bot.download_file_stream("path").next().await = Some( Err( reqwest::Error { kind: Request, url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some( Domain( "api.telegram.org", ), ), port: None, path: "/file/token:redacted/path", query: None, fragment: None, }, source: TimedOut, }, ), ) ``` Note that this commits parent is `d0be260` and not the current master the master branch currently contains breaking changes (we'll need to make a release from this brach directly). 
[^1]: Note that there are recorded cases where the token got exposed. [^2]: Note that this can theoretically be controlled by the user when sending/downloading bigger files.
[package]
# Key order follows the usual Cargo layout: name and version first, the
# remaining keys alphabetically, description last.
name = "teloxide-core"
version = "0.4.5"
categories = ["api-bindings", "asynchronous"]
documentation = "https://docs.rs/teloxide-core/"
edition = "2018"
# Keep CI and hosting config out of the published crate.
exclude = [".github/*", "netlify.toml"]
homepage = "https://github.com/teloxide/teloxide-core/"
keywords = ["telegram", "bot", "tba"]
license = "MIT"
readme = "README.md"
repository = "https://github.com/teloxide/teloxide-core/"
description = "Core part of the `teloxide` library - telegram bot API client"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
# Async runtime and futures plumbing
bytes = "1.0.0"
futures = "0.3.5"
pin-project = "1.0.3"
tokio = { version = "1.8.0", features = ["fs"] }
tokio-util = "0.6.0"

# HTTP client. reqwest is pulled in without its default features, so no
# TLS backend is linked here; one is selected only through this crate's
# `rustls` / `native-tls` features (see [features]).
log = "0.4"
reqwest = { version = "0.11.0", features = ["json", "stream", "multipart"], default-features = false }
url = { version = "2", features = ["serde"] }

# Serialization
serde = { version = "1.0.114", features = ["derive"] }
serde_json = "1.0.55"
serde_with_macros = "1.4.1"
# for attaching input files
uuid = { version = "0.8.1", features = ["v4"] }

# General utilities
bitflags = "1.2"
chrono = { version = "0.4.19", default-features = false }
derive_more = "0.99.9"
either = "1.6.1"
mime = "0.3.16"
never = "0.1.0"
once_cell = "1.5.0"
rc-box = "1.1.1"
take_mut = "0.2"
takecell = "0.1"
thiserror = "1.0.20"

# Optional: only enabled by the `throttle` feature (see [features]).
vecrem = { version = "0.1", optional = true }

[dev-dependencies]
# Test/example-only dependencies. `tokio/macros` adds the `#[tokio::main]` /
# `#[tokio::test]` attribute macros on top of the `fs` feature the library
# itself uses.
pretty_env_logger = "0.4"
tokio = { version = "1.8.0", features = ["fs", "macros"] }

[features]
default = ["native-tls"]

# TLS backend for `reqwest`. The dependency is declared with
# `default-features = false`, so these two features alone decide which
# backend is linked; a downstream crate that disables this crate's default
# features needs to enable one of them, otherwise reqwest is built without
# TLS and HTTPS requests to the Bot API cannot be made.
native-tls = ["reqwest/native-tls"]
rustls = ["reqwest/rustls-tls"]

# Features which require a nightly compiler.
#
# Currently the only used compiler feature is feature(type_alias_impl_trait)
# which allows implementing `Future`s without boxing.
nightly = []

# Bot adaptors, each gated behind its own feature (alphabetical).
auto_send = []        # AutoSend bot adaptor
cache_me = []         # CacheMe bot adaptor
erased = []           # Erased bot adaptor
throttle = ["vecrem"] # Throttling bot adaptor; pulls in the optional `vecrem` dependency
trace_adaptor = []    # Trace bot adaptor

# All features except nightly and tls-related
full = ["throttle", "trace_adaptor", "erased", "cache_me", "auto_send"]

[package.metadata.docs.rs]
# Settings for the docs.rs build: all non-TLS features plus the nightly-only
# ones. `--cfg docsrs` is presumably consumed by docs-only attributes in the
# sources (not visible from the manifest).
# https://github.com/rust-lang/rust/issues/88791
cargo-args = ["-Zunstable-options", "-Zrustdoc-scrape-examples=examples"]
features = ["full", "nightly", "tokio/macros", "tokio/rt-multi-thread"]
rustdoc-args = ["--cfg", "docsrs", "-Znormalize-docs"]

[[example]]
# Run with:
#   cargo run --example self_info --features "tokio/macros tokio/rt-multi-thread auto_send"
name = "self_info"
required-features = ["tokio/macros", "tokio/rt-multi-thread", "auto_send"]

[[example]]
# Run with:
#   cargo run --example erased --features "tokio/macros tokio/rt-multi-thread auto_send erased"
name = "erased"
required-features = ["tokio/macros", "tokio/rt-multi-thread", "auto_send", "erased"]