
Use Telegram numeric user IDs for whitelist authorization #34

Merged
krotname merged 1 commit into master from codex/fix-hardcoded-username-whitelist-vulnerability
Jun 25, 2026


@krotname

Owner

Motivation

  • Prevent authorization bypass caused by trusting mutable, public Telegram username values by switching the access control trust boundary to immutable numeric Telegram user IDs loaded from operator-controlled configuration.
  • Ensure deployments only authorize operator-chosen IDs and explicitly handle missing sender identification to avoid forwarding attacker-controlled messages.

Description

  • Replace username-based whitelist with numeric-ID parsing and validation in src/telegram_resender/whitelist.py by adding parse_user_id, storing user_ids, and making contains accept numeric IDs.
  • Stop using usernames for access control: add id to UserProfile in src/telegram_resender/models.py, populate it in incoming_from_message in src/telegram_resender/app.py, and update ResenderService.handle_text in src/telegram_resender/service.py to deny missing user.id and check membership with the numeric id.
  • Preserve username normalization for display and route filtering only by keeping normalize_username and updating src/telegram_resender/routes.py to accept an optional username parameter for matching.
  • Update CLI and tooling to report user_ids counts (src/telegram_resender/cli.py), add tests asserting IDs are used and usernames are rejected as authorization identifiers, and update docs and whitelist.example.csv to instruct operators to use numeric Telegram user IDs.

Testing

  • Ran targeted tests with PYTEST_ADDOPTS='' pytest -q -o addopts='' tests/unit/test_whitelist.py tests/unit/test_service.py tests/integration/test_bootstrap.py tests/unit/test_cli.py, and the targeted suite passed (16 passed, 1 warning).
  • Attempting a full pytest run in this environment failed only because the container lacks the optional dev dependency pytest-asyncio; async tests require that plugin and should pass when dev dependencies are available in CI or a developer environment.
  • Static checks succeeded with python3 -m mypy src tests and python3 -m ruff check . and formatting checks with python3 -m ruff format --check ..
  • Installing the full dev extras with python3 -m pip install -e '.[dev]' could not be completed here due to blocked network access to package indices, so dependency installation was not verified in this environment.

Codex Task

@krotname krotname merged commit 244a42d into master Jun 25, 2026
9 of 11 checks passed
@krotname krotname deleted the codex/fix-hardcoded-username-whitelist-vulnerability branch June 25, 2026 05:29
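
The trust-boundary change described in this pull request, as an added sketch that is not the project's code: whitelist entries are parsed strictly as numeric IDs, and authorization is decided on the sender's ID alone. The names parse_user_id, user_ids and contains are taken from the description, but their bodies here, the Sender class, is_authorized, the one-ID-per-line input format and the sample IDs are all assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


def parse_user_id(raw: str) -> int:
    """Accept only a positive, ASCII-decimal Telegram user ID."""
    text = raw.strip()
    # '@name', 'name', '-5', '12.0' and non-ASCII digits all fail here, so a
    # username can never be loaded as an authorization identifier.
    if not (text.isascii() and text.isdigit()) or int(text) <= 0:
        raise ValueError(f"not a numeric Telegram user ID: {raw!r}")
    return int(text)


@dataclass(frozen=True)
class Whitelist:
    user_ids: frozenset[int]

    @classmethod
    def from_lines(cls, lines: Iterable[str]) -> Whitelist:
        # Assumed format: one ID per line, blank lines ignored. One bad entry
        # aborts loading (fail closed) instead of being skipped silently.
        return cls(frozenset(parse_user_id(l) for l in lines if l.strip()))

    def contains(self, user_id: object) -> bool:
        # Exact int only: no strings, no bools (bool is a subclass of int).
        return type(user_id) is int and user_id in self.user_ids


@dataclass(frozen=True)
class Sender:  # hypothetical stand-in for the sender profile
    id: Optional[int]        # immutable, assigned by Telegram
    username: Optional[str]  # mutable and public: display only


def is_authorized(whitelist: Whitelist, sender: Optional[Sender]) -> bool:
    # Deny a missing sender or ID; never fall back to the username.
    if sender is None or sender.id is None:
        return False
    return whitelist.contains(sender.id)


if __name__ == "__main__":
    wl = Whitelist.from_lines(["123456789", "987654321"])  # constructed IDs
    print(is_authorized(wl, Sender(123456789, "operator")))  # listed ID
    print(is_authorized(wl, Sender(555000111, "operator")))  # same name, other ID
    print(is_authorized(wl, Sender(None, "operator")))       # no sender ID
```

The username field never reaches the decision, so an account that carries a listed user's name but a different ID is denied.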