🧙 Expelliarmus Maxima — Mediabot v3 Deep Audit Sessions (May 2026)

Overview

Over a series of intensive audit sessions covering 43 snapshots, every module in Mediabot v3 was reviewed for bugs, security issues, and improvement opportunities. This post summarises all the work done since the last forum article.

🔴 Critical Bugs Fixed

🔒 Auth & Security

• Auth::new() missing bot => — noticeConsoleChan in cleanup_stale_sessions was silently broken because $self->{bot} was never set. Fixed in both LoginCommands::init_auth() and User::maybe_autologin().
• Auth::maybe_autologin missing conf => — inconsistency with init_auth(); now passes the full set of named args.
• _mask_matches_irc regex backtracking — IRC wildcard patterns like *!*@* converted to Perl regex without protection against catastrophic backtracking. Wrapped in eval {}.
• setTMDBLangChannel_ctx unvalidated lang — a 1000-char string could be stored as the TMDB language. Now validated against /^[a-z]{2}(-[A-Z]{2})?$/.

🌐 HTTP / Network

• 11 HTTP calls without eval in External.pm — getYoutubeDetails, displayWeather_ctx, _handle_instagram, _handle_spotify, _handle_applemusic, _handle_facebook, _handle_generic_title, fortniteStats_ctx, get_tmdb_info, and two others. HTTP::Tiny can throw exceptions on DNS/network failures; all calls now wrapped in eval {} with a fallback { success => 0 } response.
• _openai_run_test HTTP synchronous — the parent IRC event loop was blocked for up to 20s during OpenAI API calls. Both the primary and fallback calls are now wrapped in eval {} and use External::_make_http() for consistency.
• _handle_facebook unprotected get() — same issue; fixed with eval {}.

🗄️ Database

• purgeChannel_ctx incomplete cascade — deleting a channel left orphan rows in CHANNEL_BAN, CHANNEL_SET, CHANNEL_LOG, BADWORDS, and QUOTES. The deletion is now wrapped in a begin_work/commit/rollback transaction with full cascade.
• purgeChannel_ctx wrong send_message("PART", ...) syntax — the channel name was passed as the prefix rather than the first argument.
• delUser_ctx no cascade on USER_SEEN — deleting a user left entries in USER_SEEN. Now cleaned up atomically.
• delUser_ctx no transaction — three sequential do() calls with no error handling. Wrapped in begin_work/commit/rollback.
• _birthday_valid_date no days-per-month check — February 31st was accepted. Now validates against a per-month days array with leap-year support.
• mbQuoteAdd no length limit — quote text was stored without any size constraint. Now capped at 512 chars.
• $search_limit ignored in mbDbSearchCommand_ctx SQL — the variable was parsed but LIMIT 50 was hardcoded. Now uses LIMIT ? with $search_limit.
• Yomomma_ctx and mbQuoteRand — LIMIT 1 OFFSET $offset used direct interpolation. Fixed to use ? placeholder.

🤖 Partyline

• auth_stage not cleared after login — all commands typed after login were logged as ***** (masked as passwords). Fixed by setting auth_stage = undef after successful authentication.
• .schedule double dispatch — two elsif blocks with different regexes; the second was dead code. Merged into a single regex (?:\s+(\S+)(?:\s+(\S+))?)?.
• .uptime and _cmd_uptime both duplicated — stale merge artefacts. Removed.
• .eval pipe read blocking — while (<$pipe>) in the parent blocked the IO::Async event loop. Replaced with IO::Async::Stream + IO::Async::Timer::Countdown watchdog.
• if ($pid == 0) {} empty block — dead code vestige before the real child block.

🧩 Misc

• _openai_run_test used HTTP::Tiny->new directly — inconsistent with External::_make_http(). Fixed.
• AdminCommands mbExec_ctx command length unchecked — any-length shell command accepted. Capped at 512 chars.
• channelSet_ctx chanmode/key unvalidated — arbitrary strings could be stored. chanmode now validated against /^[+-]?[a-zA-Z]+$/ ≤ 32 chars; key validated as no-spaces ≤ 64 chars.
• set_hailo_channel_ratio no range check — ratio stored without [0, 100] validation.
• mbDbAddCommand_ctx action text after wrong shift — $action_text was calculated before $sType and $sCategory were extracted.

🟠 Improvements

🔧 Robustness

• botNotice now truncates at 400 chars — same as botPrivmsg.
• botAction double-encode simplified — redundant if/else around a single encode() call removed.
• use Encode moved to header in Helpers.pm — was declared mid-file after first use.
• cleanup_stale_sessions wired to Scheduler — runs every hour; notifies noticeConsoleChan when sessions are pruned.
• _birthday_add_ctx, _birthday_del_ctx, _birthday_next_ctx implemented — were called from UserCommands but never defined.
• delUser_ctx two-step confirmation — permanent deletion requires repeating the command within 30 seconds.
• checkAuth prefers Auth::verify_credentials — falls back to legacy make_password_hash path when BCrypt is unavailable.

🌐 HTTP / External

• All HTTP::Tiny->new(...) in External.pm replaced by _make_http() — centralises SSL options and timeout settings.
• displayWeather_ctx now uses _make_http(verify_SSL => 1).
• _repair_utf8_mojibake detection broadened — now catches [\xC0-\xFF]{2,} sequences in addition to [ÃÂâ].
• openai.TIMEOUT configurable in mediabot.conf (min 5s, max 60s, default 20s).
• chromium.VIRTUAL_TIME_BUDGET and chromium.ALARM_TIMEOUT configurable in mediabot.conf.
• Radio::Icecast::new accepts ua => — callers can inject a pre-built _make_http() handle.

🛠️ Partyline

• .schedule restart <name> — calls Scheduler::restart() to stop and restart a task without restarting the bot.
• .schedule list/status — shows all tasks with interval, status, and tick count in a tabular format.
• .uptime — shows bot uptime formatted as Xd Xh Xm Xs.
• .log [n] — opens the log file with <:utf8 encoding.
• .bans #chan — shows N active ban(s) (showing M) with in Xh Ym expiry deltas.
• .whois <nick> added to .help output.
• noticeConsoleChan for .eval — logs a truncated summary (60 chars + total length).

🗄️ Database

• purge_channel_log and purge_user_seen — daily Scheduler tasks with configurable retention via CHANNEL_LOG_RETENTION_DAYS / USER_SEEN_RETENTION_DAYS. Use ensure_connected() to survive DB reconnects.
• mbTimers_ctx — Scheduler tasks shown in aligned columns alongside DB timers.
• !timers — $sth->finish added after the fetch loop.
• mbDbAddCommand_ctx — command name validated: /^[a-zA-Z0-9_-]+$/ ≤ 64 chars; action ≤ 512 chars.
• mbDbAddCategoryCommand_ctx — category name validated ≤ 64 chars + alphanumeric.
• !searchcmd <term> [limit] — limit parameter (1–20, default 5) parsed and passed to LIMIT ?.
• list_active_bans($id, $limit) — accepts an optional limit; callers now pass 11 to detect overflow without loading all bans.

🔐 Auth

• _password_matches — comment documents all supported formats (MySQL PASSWORD(), BCrypt) and explicitly notes that SHA1 #prefix is not supported by design.

🧹 Code Quality

• 21 emoji characters removed from log(0,...) and log(1,...) across 7 modules — em-dashes (—), arrows (→), and emoji (🔍 🚫 ⚠️ ✅ ℹ️) replaced with ASCII equivalents in production-level log messages.
• Conf.pm warn — only emitted once before logger is attached (_warned_no_logger flag).
• DB.pm em-dash in log(0) — — → --.

📦 Files Changed

“The spells have been cast. The Dark Lord of race conditions has been banished.” 🪄