mirror of
https://github.com/A6-9V/MQL5-Google-Onedrive.git
synced 2026-04-11 07:20:56 +00:00
15 lines
1.6 KiB
Markdown
15 lines
1.6 KiB
Markdown
# Sentinel's Journal
|
|
|
|
## 2026-02-07 - Telegram Bot Authorization Bypass
|
|
**Vulnerability:** The Telegram Deployment Bot (`scripts/telegram_deploy_bot.py`) contained a "Fail Open" vulnerability where omitting the `TELEGRAM_ALLOWED_USER_IDS` environment variable resulted in granting access to *all* Telegram users instead of *none*.
|
|
**Learning:** Security controls must default to deny (Fail Closed). Implicitly allowing access when configuration is missing creates silent vulnerabilities that are hard to detect until exploited.
|
|
**Prevention:** Ensure all authorization checks explicitly return `False` or throw an exception if the access control list is empty or undefined. Never default to `True` in security-critical paths.
|
|
|
|
## 2026-02-13 - [Documentation] Cloudflare Nameservers and Domain Unification
|
|
- Updated Cloudflare nameservers to daisy.ns.cloudflare.com and rocco.ns.cloudflare.com.
|
|
- Unified domain name to lengkundee01.org across CNAME and PWA documentation.
|
|
|
|
## 2026-02-18 - [Web Dashboard] Information Leakage via Generic Error Handler
|
|
**Vulnerability:** The web dashboard (`scripts/web_dashboard.py`) contained a generic `except Exception as e:` block that returned `str(e)` directly to the user in a 500 response.
|
|
**Learning:** Returning raw exception messages exposes internal implementation details (paths, libraries, database errors) to attackers, aiding reconnaissance.
|
|
**Prevention:** Always catch exceptions and log the full traceback securely (e.g., to stderr or a log file), but return a generic, sanitized error message (e.g., 'Internal Server Error') to the user.
|