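#!/usr/bin/env python3
"""Apply Phase 2 High Priority Fixes.

Patches ``bot/commands.py`` in place by plain string replacement:

* inserts a ``validate_doc_id`` helper right after the ``.helpers`` import;
* calls it in ``cmd_status``, ``cmd_history`` and ``cmd_cancel_doc`` before the
  user-supplied document ID is handed to ``DocumentService``.

Every anchor is required to match exactly once. The original version used bare
``str.replace`` and printed a success line even when an anchor did not match,
so a drifted target file (different indentation, already-patched code) silently
produced a no-op or a duplicated insert. Here a mismatch raises instead, and an
already-applied patch is skipped.
"""

COMMANDS_PATH = "bespo_notifications/bespo_notifications/bot/commands.py"


def replace_once(content: str, old: str, new: str, label: str) -> str:
    """Return *content* with the single occurrence of *old* swapped for *new*.

    Args:
        content: full text of the file being patched.
        old: anchor that must occur exactly once in *content*.
        new: replacement text (normally *old* plus inserted lines).
        label: short name of the fix, used in messages.

    Returns:
        The patched text, or *content* unchanged when *new* is already present
        (re-running the script is then a no-op for this fix).

    Raises:
        RuntimeError: if *old* is absent or ambiguous, so the caller never
            writes a file that was not actually patched.
    """
    if new in content:
        print(f"{label}: already applied, skipping")
        return content
    hits = content.count(old)
    if hits != 1:
        raise RuntimeError(f"{label}: expected exactly 1 match for anchor, found {hits}")
    return content.replace(old, new, 1)


# The file contains non-ASCII text (the "❌" marker below), so the encoding is
# pinned rather than left to the platform default.
with open(COMMANDS_PATH, "r", encoding="utf-8") as f:
    content = f.read()

# Fix 2.1: Add validate_doc_id function after imports.
# NOTE(review): str.isalnum() also accepts non-ASCII letters and digits; if the
# backend expects ASCII-only IDs, an explicit [A-Za-z0-9_-] check would be
# stricter. The payload is kept as the original script wrote it.
old_imports = '''from .helpers import validate_user_status, get_or_register_user, format_file_size, truncate'''
new_imports = '''from .helpers import validate_user_status, get_or_register_user, format_file_size, truncate


def validate_doc_id(doc_id: str) -> bool:
    """
    Validate document ID format to prevent injection attacks.

    Valid formats:
    - ABC-123
    - ABC_123
    - ABC123

    Invalid:
    - <script> tags
    - SQL keywords
    - Path traversal
    """
    if not doc_id:
        return False
    # Allow alphanumeric with hyphens and underscores
    if not all(c.isalnum() or c in '-_' for c in doc_id):
        return False
    # Reasonable length limit
    if len(doc_id) > 100:
        return False
    return True'''
content = replace_once(content, old_imports, new_imports, "Fix 2.1 (validate_doc_id)")

# Fix 2.1a: Add validation to cmd_status after "if not doc_id_prefix".
# Anchor indentation must match commands.py exactly; replace_once reports a
# mismatch instead of silently skipping.
old_status = '''    if not doc_id_prefix:
        await update.message.reply_text(
            "Usage: /status `<document_id>`", parse_mode="Markdown"
        )
        return

    doc_svc = DocumentService()'''
new_status = '''    if not doc_id_prefix:
        await update.message.reply_text(
            "Usage: /status `<document_id>`", parse_mode="Markdown"
        )
        return

    # BUG FIX 2.1: Validate document ID to prevent injection
    if not validate_doc_id(doc_id_prefix):
        await update.message.reply_text(
            "❌ Invalid document ID format. Use only alphanumeric characters, hyphens, and underscores."
        )
        return

    doc_svc = DocumentService()'''
content = replace_once(content, old_status, new_status, "Fix 2.1a (cmd_status)")

# Fix 2.1b: Add validation to cmd_history.
old_history = '''    if not doc_id_prefix:
        await update.message.reply_text(
            "Usage: /history <code><document_id></code>", parse_mode="HTML"
        )
        return

    doc_svc = DocumentService()'''
new_history = '''    if not doc_id_prefix:
        await update.message.reply_text(
            "Usage: /history <code><document_id></code>", parse_mode="HTML"
        )
        return

    # BUG FIX 2.1: Validate document ID to prevent injection
    if not validate_doc_id(doc_id_prefix):
        await update.message.reply_text(
            "❌ Invalid document ID format. Use only alphanumeric characters, hyphens, and underscores."
        )
        return

    doc_svc = DocumentService()'''
content = replace_once(content, old_history, new_history, "Fix 2.1b (cmd_history)")

# Fix 2.1c: Add validation to cmd_cancel_doc.
old_cancel = '''    if len(parts) < 2:
        await update.message.reply_text(
            "Usage: /cancel <code><document_id></code>", parse_mode="HTML"
        )
        return

    doc_id = parts[1]
    doc_svc = DocumentService()'''
new_cancel = '''    if len(parts) < 2:
        await update.message.reply_text(
            "Usage: /cancel <code><document_id></code>", parse_mode="HTML"
        )
        return

    doc_id = parts[1]

    # BUG FIX 2.1: Validate document ID to prevent injection
    if not validate_doc_id(doc_id):
        await update.message.reply_text(
            "❌ Invalid document ID format. Use only alphanumeric characters, hyphens, and underscores."
        )
        return

    doc_svc = DocumentService()'''
content = replace_once(content, old_cancel, new_cancel, "Fix 2.1c (cmd_cancel_doc)")

# Only reached when every anchor matched (or was already applied).
with open(COMMANDS_PATH, "w", encoding="utf-8") as f:
    f.write(content)

print("Phase 2 Fix 2.1 applied to commands.py")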