search

BJS Security

BJS is very powerful and flexible. But with this. But simply make the code vulnerable.

triangle-exclamation

Please read this article carefully

Especially if you work with payments, user balances, sell goods through a bot

hashtag
Any user can execute any command

Vulnerable command /setBalance:

// admin can add 100$ to users's balance by it telegramid

tgID = params

let res = Libs.ResourcesLib.anotherUserRes("money", tgID);
res.add(100)
Bot.sendMessage("Added 100$ for user");
triangle-exclamation

Any user can run /setBalance [telegramid]

So need check execute this command only for admin:

1.Add this command to grouparrow-up-right

add admin to group "admin":

2. Or you can check admin in BJS

first you need get ADMIN_TELEGRAM_ID

security command:

hashtag
Any user can execute any "SECRET" command

For example, you have command /payment (have "Wait for answer") with execute other "secret" command /setBalance :

"Secret" command /setBalance

So user must:

  • run /payment command

  • type secret one time password

  • after it - "secret" command "/setBalance" will be runned

Vulnerability: hacker can run /setBalance only and get bonus immediately

Need to checking that command /setBalance was runned only by command /payment

one of the methods - pass secret on run command as params:

command /payment

triangle-exclamation

Do not use "GJHURFVJLHF" secret!

It is not secret world already: hacker can read this doc too!

command /setBalance

hashtag
User can run secret command on group chat

It can be accidentally or deliberately provoked by a hacker.

If you have a secret command with a secret result, do not run it in a group chat:

hashtag
Recommendations

hashtag
Do not share your bot token, BB API Key

Bot token and BB API Key - are is very vulnerability data. Do not share theys anywhere!

hashtag
Avoid using safe data in protected bot

See full article here

hashtag

hashtag
Do not share your BB Bot ID

This can sometimes be unsafe.

hashtag
Do not use default command names "/onIncome", "/onTransaction" for important commands

Hacker can brute force such command names and try to execute it

hashtag
Remove /test command

If you have any /test command with non security BJS - remove it.

Hacker can execute /test too

hashtag
Use completed_commands_count variable

Anybody can run any command. But it is possible make secured sub command.

For example command /admin

command /secure

hashtag
Do not use any non official libs now.

triangle-exclamation

Do not use any non official libs now.

  • Any lib can run command with options.

  • Any libs can read properties (and read your API Keys from other lib)

We have not way to protect this now. Just not use NON official libs with CP lib. Well, that now there are no such libraries

hashtag
Bad practice

hashtag
User can change nickname

Bad BJS:

triangle-exclamation

Any user can set any first_name, last_name and etc

Hacker can change or create account with this field

hashtag

hashtag
Use eval method with care

You can use eval for calculation

With such code you can make math calculator.

But it is very danger! User can run anything!

For example, user can pass BJS code: bot.token. And bot will send your bot token!

hashtag
See BB reports

Read infoarrow-up-right about BB report. Demo report have nice recommendations.

PreviousInline BotNextGood coding practices

Last updated