V0.1.1 release, close to actual release. Bug & security fixes/improvements.

unknown
2026-05-24 19:29:41 +02:00
parent a7b44af91a
commit b004e15948
38 changed files with 3145 additions and 137 deletions

47
agent2_batch3.md Normal file

@@ -0,0 +1,47 @@
# Batch 3 Bot Regression Check
## Cargo Check Result
```
$ cargo check -p cgcx-bot
Finished `dev` profile [unoptimized + debuginfo] target(s) in 2.44s
```
**Result:** PASS. No compilation errors or warnings.
## Password-Related Bot Logic Inspection
### Findings
The bot **does** contain password-related logic, but it is independent of the frontend and does not conflict with the frontend fix.
Key areas observed in `crates/cgcx-bot/src/main.rs`:
1. **UploadOptions struct** (line ~63)
- Contains `password: Option<String>`.
- Default is `None`.
2. **User password input flow** (lines ~823829)
- In `BotState::UploadOptions`, if the user sends plain text (not a command) and no password is set yet, the bot sets `options.password = Some(text.to_string())`.
3. **Options UI** (lines ~13391365)
- Displays whether a password is set: "Password: <b>Set</b>" or "Password: <i>None</i>".
- Provides a "Set Password" callback button.
4. **Password hashing on finalize** (lines ~14211430)
- During `finalize_upload`, the bot hashes the plaintext password with Argon2 and stores the hash via `ctx.pipeline.create_content_entry(..., password_hash, ...)`.
5. **Direct access link generation** (lines ~16071611)
- If a password is set, the bot appends `&sc=<password>` to the generated link and shows it to the user as a "Direct Access Link".
6. **Forward approval password generation** (lines ~18971912)
- In `handle_forward_callback` for the `"approve"` action, the bot generates a random 12-character alphanumeric password (`generate_direct_password`).
- Hashes it with Argon2 and updates the content row via `content_repo.update_password_hash(...)`.
- Builds the link as `/{base_url}/?cxid={id}&sc={password}`.
### Concerns / Observations
- **No conflict with frontend fix:** The bot does not rely on the frontend to validate passwords. It generates links with the `sc` query parameter and stores hashes in the database. Frontend changes (e.g., how `sc` is read or sent) should not break bot compilation or bot-side logic.
- **Potential concern:** If the frontend fix changed the contract for how `sc` is transmitted (e.g., removed query-param support or changed it to a header), the direct-access links generated by the bot would break for end users. However, the task description implies the frontend fix was for the frontends own password handling, not for removing `sc` query-param support. This was not observed in the diff.
- **Security note:** The bot sends plaintext passwords in URLs (`?sc=<password>`). This is pre-existing behavior and outside the scope of this batch.
## Summary
- **Compilation:** Clean.
- **Password logic:** Exists in the bot, but is self-contained and does not conflict with the frontend fix.
- **No blockers identified for Batch 3.**
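
Review bot: The "Security note" under "Concerns / Observations" records that the bot places the plaintext password in the generated link (`&sc=<password>`, items 5 and 6) and then closes the point as "outside the scope of this batch", which leaves nothing tracking it in a commit whose message advertises security fixes. Query-string values are commonly recorded in browser history and in web server and proxy access logs, and can be passed on through the Referer header, so the Argon2 hash stored during `finalize_upload` does not protect the secret once the link has been opened or shared. Suggest replacing the out-of-scope sentence with a reference to a follow-up issue so the finding is not lost. Two smaller points: the line ranges in items 2 to 6 (for example "lines ~823829") appear to have lost their range separator, and the only check recorded is `cargo check -p cgcx-bot`, which compiles the crate but runs no tests, so the "Regression Check" title claims more than was verified.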