ultanio/cobot
4
1
Fork 4
Code Issues 84 Pull requests 10 Projects Releases Packages Wiki Activity Actions

Security fixes: CB-014, CB-015, CB-016 #67

Merged
k9ert merged 1 commit from noopsec/cobot:security/fix-cb014-cb015-cb016 into main 2026-02-22 19:49:48 +00:00
Conversation 1 Commits 1 Files changed 4 +58 -17
noopsec commented 2026-02-22 11:49:47 +00:00
Contributor
Copy link

Security Fixes from Audit

⚠️ TESTING PENDING - Do not merge until tested

CB-016 [MEDIUM] - Telegram Auto-Adds Unknown Groups (CWE-862)

  • Issue: #25
  • Fix: Remove auto-add behavior for unknown groups; log and ignore instead
  • Impact: Attackers can no longer add bot to arbitrary groups for access

CB-015 [MEDIUM] - Error Messages Leak Internal State (CWE-209)

  • Issue: #24
  • Fix: Replace f"Error: {e}" with generic error messages + correlation IDs
  • Impact: Prevents information disclosure via error messages

CB-014 [MEDIUM] - Unbounded Event Deduplication Set (CWE-400)

  • Issue: #23
  • Fix: Replace unordered set with OrderedDict + TTL-based expiry (1h)
  • Impact: Prevents replay attacks from unordered trimming

Testing Checklist

  • CB-016: Verhalten wenn Config keine Gruppen hat
  • CB-014: TTL-Expiry über 1h prüfen, Memory-Growth unter Last
  • CB-015: Correlation ID erscheint korrekt in Logs

Fixes #25, #24, #23

## Security Fixes from Audit ⚠️ **TESTING PENDING** - Do not merge until tested ### CB-016 [MEDIUM] - Telegram Auto-Adds Unknown Groups (CWE-862) - **Issue:** #25 - **Fix:** Remove auto-add behavior for unknown groups; log and ignore instead - **Impact:** Attackers can no longer add bot to arbitrary groups for access ### CB-015 [MEDIUM] - Error Messages Leak Internal State (CWE-209) - **Issue:** #24 - **Fix:** Replace `f"Error: {e}"` with generic error messages + correlation IDs - **Impact:** Prevents information disclosure via error messages ### CB-014 [MEDIUM] - Unbounded Event Deduplication Set (CWE-400) - **Issue:** #23 - **Fix:** Replace unordered set with OrderedDict + TTL-based expiry (1h) - **Impact:** Prevents replay attacks from unordered trimming ### Testing Checklist - [ ] CB-016: Verhalten wenn Config keine Gruppen hat - [ ] CB-014: TTL-Expiry über 1h prüfen, Memory-Growth unter Last - [ ] CB-015: Correlation ID erscheint korrekt in Logs Fixes #25, #24, #23
[WIP] security: fix CB-014, CB-015, CB-016 from security audit
Some checks failed
CI / test (3.11) (pull_request) Failing after 15s
Details
CI / lint (pull_request) Failing after 9s
Details
CI / test (3.12) (pull_request) Failing after 16s
Details
CI / test (3.13) (pull_request) Failing after 17s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 8s
Details
6f61cfb380 
⚠️ TESTING PENDING - Do not merge until tested

CB-016 [MEDIUM]: Telegram Auto-Adds Unknown Groups (CWE-862)
- Remove auto-add behavior for unknown groups
- Log and ignore messages from unconfigured groups
- Attackers can no longer add bot to arbitrary groups for access

CB-015 [MEDIUM]: Error Messages Leak Internal State (CWE-209)
- Replace f"Error: {e}" with generic error messages
- Add correlation IDs for internal log tracing
- Prevents information disclosure via error messages

CB-014 [MEDIUM]: Unbounded Event Deduplication Set (CWE-400)
- Replace unordered set with OrderedDict for deterministic trimming
- Add TTL-based expiry (1 hour) for processed events
- Prevents replay attacks from unordered trimming

Fixes #25, #24, #23
noopsec requested review from k9ert 2026-02-22 12:06:53 +00:00
k9ert force-pushed security/fix-cb014-cb015-cb016 from 6f61cfb380
Some checks failed
CI / test (3.11) (pull_request) Failing after 15s
Details
CI / lint (pull_request) Failing after 9s
Details
CI / test (3.12) (pull_request) Failing after 16s
Details
CI / test (3.13) (pull_request) Failing after 17s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 8s
Details
to 5c9e9d9ab6
Some checks failed
CI / lint (pull_request) Failing after 9s
Details
CI / test (3.11) (pull_request) Failing after 17s
Details
CI / test (3.12) (pull_request) Failing after 19s
Details
CI / test (3.13) (pull_request) Failing after 19s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 8s
Details
2026-02-22 15:34:46 +00:00 Compare
doxios requested changes 2026-02-22 15:44:12 +00:00
doxios left a comment
Collaborator
Copy link

Review: Security Fixes CB-014, CB-015, CB-016

The security fixes look solid! 👍

CB-014 (Unbounded dedup set)

  • OrderedDict with TTL gives deterministic trimming
  • 1h expiry prevents unbounded growth
  • Cleans oldest first when over 1000 entries

CB-015 (Error message leaks)

  • Generic message with correlation ID: Reference: {error_id}
  • Detailed error logged internally for debugging

CB-016 (Telegram auto-add groups)

  • Unknown groups now logged and ignored, not auto-added
  • Clear log message explaining how to enable

Minor issues to address:

  1. Logging style: Uses print(..., file=sys.stderr) instead of self.log_warn()/self.log_error(). We recently standardized on centralized logging (PR #79). Please use:

    • self.log_warn(...) for the telegram warning
    • self.log_error(...) for the loop error

  2. Import placement: import uuid inside the function should be at module level.

Once these are fixed, happy to approve! 🦊

## Review: Security Fixes CB-014, CB-015, CB-016 The security fixes look solid! 👍 ### CB-014 (Unbounded dedup set) ✅ - `OrderedDict` with TTL gives deterministic trimming - 1h expiry prevents unbounded growth - Cleans oldest first when over 1000 entries ### CB-015 (Error message leaks) ✅ - Generic message with correlation ID: `Reference: {error_id}` - Detailed error logged internally for debugging ### CB-016 (Telegram auto-add groups) ✅ - Unknown groups now logged and ignored, not auto-added - Clear log message explaining how to enable ### Minor issues to address: 1. **Logging style**: Uses `print(..., file=sys.stderr)` instead of `self.log_warn()`/`self.log_error()`. We recently standardized on centralized logging (PR #79). Please use: - `self.log_warn(...)` for the telegram warning - `self.log_error(...)` for the loop error 2. **Import placement**: `import uuid` inside the function should be at module level. Once these are fixed, happy to approve! 🦊
noopsec requested review from doxios 2026-02-22 16:27:31 +00:00
noopsec force-pushed security/fix-cb014-cb015-cb016 from 5c9e9d9ab6
Some checks failed
CI / lint (pull_request) Failing after 9s
Details
CI / test (3.11) (pull_request) Failing after 17s
Details
CI / test (3.12) (pull_request) Failing after 19s
Details
CI / test (3.13) (pull_request) Failing after 19s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 8s
Details
to c23e06757c
Some checks failed
CI / lint (pull_request) Failing after 9s
Details
CI / test (3.11) (pull_request) Failing after 16s
Details
CI / test (3.12) (pull_request) Failing after 17s
Details
CI / test (3.13) (pull_request) Failing after 18s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 9s
Details
2026-02-22 18:28:06 +00:00 Compare
k9ert force-pushed security/fix-cb014-cb015-cb016 from c23e06757c
Some checks failed
CI / lint (pull_request) Failing after 9s
Details
CI / test (3.11) (pull_request) Failing after 16s
Details
CI / test (3.12) (pull_request) Failing after 17s
Details
CI / test (3.13) (pull_request) Failing after 18s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 9s
Details
to 09773e62d4
Some checks failed
CI / lint (pull_request) Failing after 9s
Details
CI / test (3.11) (pull_request) Failing after 16s
Details
CI / test (3.12) (pull_request) Failing after 18s
Details
CI / test (3.13) (pull_request) Failing after 18s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 13s
Details
2026-02-22 18:30:40 +00:00 Compare
noopsec force-pushed security/fix-cb014-cb015-cb016 from 09773e62d4
Some checks failed
CI / lint (pull_request) Failing after 9s
Details
CI / test (3.11) (pull_request) Failing after 16s
Details
CI / test (3.12) (pull_request) Failing after 18s
Details
CI / test (3.13) (pull_request) Failing after 18s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 13s
Details
to 5b2ac2d78d
Some checks failed
CI / lint (pull_request) Failing after 9s
Details
CI / test (3.11) (pull_request) Failing after 16s
Details
CI / test (3.12) (pull_request) Failing after 19s
Details
CI / test (3.13) (pull_request) Failing after 19s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 9s
Details
2026-02-22 18:33:51 +00:00 Compare
noopsec force-pushed security/fix-cb014-cb015-cb016 from 5b2ac2d78d
Some checks failed
CI / lint (pull_request) Failing after 9s
Details
CI / test (3.11) (pull_request) Failing after 16s
Details
CI / test (3.12) (pull_request) Failing after 19s
Details
CI / test (3.13) (pull_request) Failing after 19s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 9s
Details
to 42194d5f29
Some checks failed
CI / lint (pull_request) Successful in 10s
Details
CI / test (3.11) (pull_request) Failing after 18s
Details
CI / test (3.12) (pull_request) Failing after 19s
Details
CI / test (3.13) (pull_request) Failing after 18s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 8s
Details
2026-02-22 19:23:52 +00:00 Compare
noopsec force-pushed security/fix-cb014-cb015-cb016 from 42194d5f29
Some checks failed
CI / lint (pull_request) Successful in 10s
Details
CI / test (3.11) (pull_request) Failing after 18s
Details
CI / test (3.12) (pull_request) Failing after 19s
Details
CI / test (3.13) (pull_request) Failing after 18s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 8s
Details
to 317b7c36ef
Some checks failed
CI / lint (pull_request) Successful in 9s
Details
CI / test (3.11) (pull_request) Failing after 17s
Details
CI / test (3.12) (pull_request) Failing after 18s
Details
CI / test (3.13) (pull_request) Failing after 18s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 13s
Details
2026-02-22 19:27:15 +00:00 Compare
noopsec force-pushed security/fix-cb014-cb015-cb016 from 317b7c36ef
Some checks failed
CI / lint (pull_request) Successful in 9s
Details
CI / test (3.11) (pull_request) Failing after 17s
Details
CI / test (3.12) (pull_request) Failing after 18s
Details
CI / test (3.13) (pull_request) Failing after 18s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 13s
Details
to aee981aa7a
Some checks failed
CI / lint (pull_request) Successful in 9s
Details
CI / test (3.11) (pull_request) Failing after 16s
Details
CI / test (3.12) (pull_request) Failing after 19s
Details
CI / test (3.13) (pull_request) Failing after 18s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 9s
Details
2026-02-22 19:33:12 +00:00 Compare
noopsec force-pushed security/fix-cb014-cb015-cb016 from aee981aa7a
Some checks failed
CI / lint (pull_request) Successful in 9s
Details
CI / test (3.11) (pull_request) Failing after 16s
Details
CI / test (3.12) (pull_request) Failing after 19s
Details
CI / test (3.13) (pull_request) Failing after 18s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 9s
Details
to 874ff114fc
Some checks failed
CI / lint (pull_request) Successful in 9s
Details
CI / test (3.11) (pull_request) Failing after 16s
Details
CI / test (3.12) (pull_request) Failing after 18s
Details
CI / test (3.13) (pull_request) Failing after 18s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 12s
Details
2026-02-22 19:33:47 +00:00 Compare
noopsec force-pushed security/fix-cb014-cb015-cb016 from 874ff114fc
Some checks failed
CI / lint (pull_request) Successful in 9s
Details
CI / test (3.11) (pull_request) Failing after 16s
Details
CI / test (3.12) (pull_request) Failing after 18s
Details
CI / test (3.13) (pull_request) Failing after 18s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 12s
Details
to 439046ed20
Some checks failed
CI / lint (pull_request) Successful in 8s
Details
CI / test (3.11) (pull_request) Failing after 16s
Details
CI / test (3.12) (pull_request) Failing after 16s
Details
CI / test (3.13) (pull_request) Failing after 17s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 8s
Details
2026-02-22 19:40:22 +00:00 Compare
noopsec force-pushed security/fix-cb014-cb015-cb016 from 439046ed20
Some checks failed
CI / lint (pull_request) Successful in 8s
Details
CI / test (3.11) (pull_request) Failing after 16s
Details
CI / test (3.12) (pull_request) Failing after 16s
Details
CI / test (3.13) (pull_request) Failing after 17s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 8s
Details
to f13108c817
Some checks failed
CI / lint (pull_request) Successful in 9s
Details
CI / test (3.11) (pull_request) Failing after 16s
Details
CI / test (3.12) (pull_request) Failing after 17s
Details
CI / test (3.13) (pull_request) Failing after 19s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 12s
Details
2026-02-22 19:43:06 +00:00 Compare
noopsec force-pushed security/fix-cb014-cb015-cb016 from f13108c817
Some checks failed
CI / lint (pull_request) Successful in 9s
Details
CI / test (3.11) (pull_request) Failing after 16s
Details
CI / test (3.12) (pull_request) Failing after 17s
Details
CI / test (3.13) (pull_request) Failing after 19s
Details
CI / build (pull_request) Has been skipped
Details
E2E Tests / e2e (pull_request) Successful in 12s
Details
to 5273b9a1b2
Some checks failed
CI / lint (pull_request) Successful in 9s
Details
CI / test (3.11) (pull_request) Successful in 21s
Details
CI / test (3.12) (pull_request) Successful in 24s
Details
E2E Tests / e2e (pull_request) Successful in 11s
Details
CI / test (3.13) (pull_request) Successful in 23s
Details
CI / build (pull_request) Has been cancelled
Details
2026-02-22 19:47:07 +00:00 Compare
noopsec force-pushed security/fix-cb014-cb015-cb016 from 5273b9a1b2
Some checks failed
CI / lint (pull_request) Successful in 9s
Details
CI / test (3.11) (pull_request) Successful in 21s
Details
CI / test (3.12) (pull_request) Successful in 24s
Details
E2E Tests / e2e (pull_request) Successful in 11s
Details
CI / test (3.13) (pull_request) Successful in 23s
Details
CI / build (pull_request) Has been cancelled
Details
to 8a67bb5eca
All checks were successful
CI / lint (pull_request) Successful in 10s
Details
CI / test (3.11) (pull_request) Successful in 21s
Details
CI / test (3.12) (pull_request) Successful in 22s
Details
CI / test (3.13) (pull_request) Successful in 24s
Details
E2E Tests / e2e (pull_request) Successful in 15s
Details
CI / build (pull_request) Successful in 7s
Details
2026-02-22 19:47:43 +00:00 Compare
noopsec changed title from [WIP] Security fixes: CB-014, CB-015, CB-016 to Security fixes: CB-014, CB-015, CB-016 2026-02-22 19:48:49 +00:00
k9ert merged commit 1b263d9c31 into main 2026-02-22 19:49:48 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
k9ert
doxios
Labels
Clear labels   
Compat/Breaking

Breaking change that won't be backward compatible

  
Kind/Bug

Something is not working

  
Kind/Competitor

Anything we found interesting at competitory

  
Kind/Documentation

Documentation changes

  
Kind/Enhancement

Improve existing functionality

  
Kind/Epic

Business requirement — groups related stories

  
Kind/Feature

New functionality

  
Kind/Security

This is security issue

  
Kind/Story

Implementable unit with AC — results in a PR

  
Kind/Testing

Issue or pull request related to testing

  
Priority
Critical
The priority is critical

  
Priority
High
The priority is high

  
Priority
Low
The priority is low

  
Priority
Medium
The priority is medium

  
Reviewed
Confirmed
Issue has been confirmed

  
Reviewed
Duplicate
This issue or pull request already exists

  
Reviewed
Invalid
Invalid issue

  
Reviewed
Won't Fix
This issue won't be fixed

  
Scope/Core

Changes to core non-plugin code (CLI, config loading, etc.).

  
Scope/Cross-Plugin

Touches multiple existing plugins. Needs extra scrutiny, may require a PRD.

  
Scope/Plugin-System

Changes to plugin infrastructure (base.py, registry.py, interfaces.py, __init__.py, agent.py plugin dispatch). PRD required before merge.

  
Scope/Single-Plugin

Changes contained to one plugin (or adds one new plugin). Standard review.

  
Status
Abandoned
Somebody has started to work on this but abandoned work

  
Status
Blocked
Something is blocking this issue or pull request

  
Status
Need More Info
Feedback is required to reproduce issue or to continue work

No labels
Compat/Breaking
Kind/Bug
Kind/Competitor
Kind/Documentation
Kind/Enhancement
Kind/Epic
Kind/Feature
Kind/Security
Kind/Story
Kind/Testing
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Reviewed
Confirmed
Reviewed
Duplicate
Reviewed
Invalid
Reviewed
Won't Fix
Scope/Core
Scope/Cross-Plugin
Scope/Plugin-System
Scope/Single-Plugin
Status
Abandoned
Status
Blocked
Status
Need More Info
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
ultanio/cobot!67
No description provided.