
Add more checks for msgIds when decrypting messages

painor 3 سال پیش
والد
کامیت
3eb3aec44d
4فایلهای تغییر یافته به همراه14 افزوده شده و 4 حذف شده
  1. 1 1
      gramjs/Version.ts
  2. 10 0
      gramjs/network/MTProtoState.ts
  3. 2 2
      package-lock.json
  4. 1 1
      package.json

+ 1 - 1
gramjs/Version.ts

@@ -1 +1 @@
-export const version = "1.11.0";
+export const version = "1.11.1";

+ 10 - 0
gramjs/network/MTProtoState.ts

@@ -17,6 +17,7 @@ export class MTProtoState {
     private id: bigInt.BigInteger;
     _sequence: number;
     private _lastMsgId: bigInt.BigInteger;
+    private msgIds: Set<String>;
 
     /**
      *
@@ -50,6 +51,7 @@ export class MTProtoState {
         this.salt = bigInt.zero;
         this._sequence = 0;
         this.id = this._lastMsgId = bigInt.zero;
+        this.msgIds = new Set();
         this.reset();
     }
 
@@ -61,6 +63,7 @@ export class MTProtoState {
         this.id = helpers.generateRandomLong(true);
         this._sequence = 0;
         this._lastMsgId = bigInt.zero;
+        this.msgIds = new Set<String>();
     }
 
     /**
@@ -230,6 +233,13 @@ export class MTProtoState {
         }
 
         const remoteMsgId = reader.readLong();
+        if (this.msgIds.has(remoteMsgId.toString())) {
+            throw new SecurityError("Duplicate msgIds");
+        }
+        if (remoteMsgId.lesser(this._lastMsgId)) {
+            throw new SecurityError("Received old message from server");
+        }
+        this.msgIds.add(remoteMsgId.toString());
         const remoteSequence = reader.readInt();
         reader.readInt(); // msgLen for the inner object, padding ignored
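Review bot: In the last hunk every received id stays in `this.msgIds` until `reset()` runs, so a long-lived connection grows the set without bound; keeping only a recent window, as sketched below, bounds memory while still catching duplicates. Once old ids are evicted, replay protection for them depends on the lower-bound guard, and that guard compares `remoteMsgId` with `this._lastMsgId`, which none of the visible hunks updates from received ids. If that field tracks the ids this client generates (not visible here, so worth confirming), the check mixes outgoing and incoming ids and should use a separate field for the last remote id. The declaration and the `reset()` assignment should also use the primitive type, `private msgIds: Set<string>;` and `new Set<string>()`, rather than the boxed `String`. The enclosing method starts and ends outside the hunk.

```typescript
const remoteMsgId = reader.readLong();
const remoteKey = remoteMsgId.toString();
if (this.msgIds.has(remoteKey)) {
    throw new SecurityError("Duplicate msgIds");
}
// … unchanged: comparison against this._lastMsgId …
this.msgIds.add(remoteKey);
// A Set iterates in insertion order, so the first entry is the oldest one kept.
// MAX_TRACKED_MSG_IDS is a placeholder name; the limit is not defined on this page.
if (this.msgIds.size > MAX_TRACKED_MSG_IDS) {
    const oldest = this.msgIds.values().next().value;
    if (oldest !== undefined) {
        this.msgIds.delete(oldest);
    }
}
// … unchanged: remoteSequence and msgLen reads …
```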
 

+ 2 - 2
package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "telegram",
-  "version": "1.11.0",
+  "version": "1.11.1",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "telegram",
-      "version": "1.11.0",
+      "version": "1.11.1",
       "license": "MIT",
       "dependencies": {
         "@cryptography/aes": "^0.1.1",

+ 1 - 1
package.json

@@ -1,6 +1,6 @@
 {
   "name": "telegram",
-  "version": "1.11.0",
+  "version": "1.11.1",
   "description": "NodeJS/Browser MTProto API Telegram client library,",
   "main": "index.js",
   "types": "index.d.ts",