Skip to content

v0.5.2 — Telegram Allowlist Fix

Choose a tag to compare

View all tags
@qhkm qhkm released this 23 Feb 11:06
· 323 commits to main since this release
v0.5.2
c1a821f

Bug Fixes

  • fix(telegram): dptree type collision silently broke allowlist since v0.5.0 (#109)

    The allow_from allowlist was not being enforced for any users since v0.5.0. Root cause: teloxide's dptree dependency injection uses TypeId as the key — registering two Vec<String> values (allowlist + configured_providers) caused the second to silently overwrite the first. Fixed with newtype wrappers (Allowlist, DefaultModel, ConfiguredProviders).

    Also adds username matching (case-insensitive, @-prefix optional) so usernames like @alice and alice both match entries in the allowlist.

    Reported by @gllgoe in #107.

Security

  • fix(web): block ::ffff:0.0.0.0 SSRF edge case — IPv4-mapped unspecified address was bypassing the SSRF guard
  • fix(sandbox): LandlockRuntime::is_available() now correctly returns false when sandbox-landlock feature is not compiled in
  • fix(telegram): allowlist rejection log no longer leaks full user ID list (shows count only)

Full Changelog

v0.5.1...v0.5.2

What's Changed

  • fix: remove broken interactive prompts from setup.sh by @qhkm in #106
  • feat: Linux sandbox runtimes (Landlock, Firejail, Bubblewrap) + shell allowlist by @qhkm in #104
  • fix(telegram): dptree type collision silently broke allowlist since v0.5.0 by @qhkm in #109

Full Changelog: v0.5.1...v0.5.2

Contributors

gllgoe and qhkm
Assets 11
Loading