Bot blows up on new_chat_member update #8

Open
simbabque opened this issue Mar 21, 2023 · 1 comment

@simbabque

When a bot gets added to a group that already exists it receives a new_chat_member update of the type https://core.telegram.org/bots/api#chatmemberupdated. This is not supported in Telegram::Bot::Brain::_process_message so we blow up.

It's also not possible to opt out of it by supplying a custom list of updates we would like to receive, which would be a valid workaround using allowed_updates from https://core.telegram.org/bots/api#getupdates.

Are you open to receiving PRs for either of these, or both?

@jkg

jkg commented Apr 10, 2023

This same issue occurs when a user hits "Delete & Stop" in their direct message with the bot; the update to let the bot know it has been "kicked" from the one-to-one chat tickles the exact same issue.

Since the bot can no longer process any messages at all until that update is queued from the API, this means the bot has a trivial denial of service vulnerability - any user can open and then delete a DM with it, and the bot will die until the API update queue can be cleared.
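
An added example, not code from this thread or from Telegram::Bot::Brain: a standalone sketch of a polling dispatch that skips update kinds it has no handler for and still advances the `getUpdates` offset, so an unsupported `my_chat_member` update is confirmed instead of being redelivered. The names `%HANDLER`, `process_batch` and `allowed_updates_param` are hypothetical, and the sample batch is constructed.

```perl
#!/usr/bin/env perl
# Added example: tolerant dispatch for a Telegram getUpdates result batch.
use strict;
use warnings;
use JSON::PP qw(decode_json encode_json);

# Update kinds this hypothetical bot handles; everything else is skipped.
my %HANDLER = (
    message => sub { my ($m) = @_; "message from chat $m->{chat}{id}" },
);

# Value for the getUpdates allowed_updates parameter (a JSON-serialized list).
# Updates created before the call can still arrive, so dispatch stays tolerant.
sub allowed_updates_param { encode_json([ sort keys %HANDLER ]) }

# Process one batch and return ($next_offset, \@log). The offset moves past
# every update, handled or not, so one unsupported or failing update cannot
# be redelivered forever and block the messages queued behind it.
sub process_batch {
    my ($updates, $offset) = @_;
    my @log;
    for my $u (@$updates) {
        # An Update carries update_id plus at most one optional field.
        my ($kind) = grep { $_ ne 'update_id' } keys %$u;
        my $h = defined $kind ? $HANDLER{$kind} : undef;
        if (!$h) {
            push @log, "skip $u->{update_id}: unsupported " . ($kind // 'empty');
        }
        elsif (!eval { push @log, "ok $u->{update_id}: " . $h->($u->{$kind}); 1 }) {
            push @log, "error $u->{update_id}: handler died";
        }
        $offset = $u->{update_id} + 1 if $u->{update_id} >= $offset;
    }
    return ($offset, \@log);
}

# Constructed sample: a my_chat_member (ChatMemberUpdated) between two messages.
my $sample = decode_json(<<'JSON');
{"ok":true,"result":[
 {"update_id":100,"message":{"chat":{"id":1},"text":"hi"}},
 {"update_id":101,"my_chat_member":{"chat":{"id":1},
   "old_chat_member":{"status":"member"},"new_chat_member":{"status":"kicked"}}},
 {"update_id":102,"message":{"chat":{"id":2},"text":"still alive"}}
]}
JSON

my ($next, $log) = process_batch($sample->{result}, 0);
print "$_\n" for @$log;
print "next offset: $next\n";
print "allowed_updates=", allowed_updates_param(), "\n";
```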
