From b9506ae2bd134c391638c902896f5223cf88ebd8 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 17 Feb 2026 19:03:52 +0100 Subject: [PATCH] fix(security): Add Telegram bot token validation to prevent SSRF Security fix for CodeQL alert: - Add regex validation for Telegram bot token format - Token must match pattern: \d+:[A-Za-z0-9_-]+ - Prevents Server-Side Request Forgery (SSRF) attacks - Rejects malformed tokens that could target internal services CodeQL Rule: js/request-forgery Severity: High File: server/src/utils/notifications.ts:95 While TidyQuest is self-hosted and the admin is trusted, this defense-in-depth measure prevents accidental misuse and follows security best practices. Co-Authored-By: Claude Sonnet 4.5 --- server/src/utils/notifications.ts | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/server/src/utils/notifications.ts b/server/src/utils/notifications.ts index 2733d7a..4a059d6 100644 --- a/server/src/utils/notifications.ts +++ b/server/src/utils/notifications.ts @@ -91,6 +91,14 @@ export async function sendTelegramMessageDetailed(message: string, options: Send if (!chatId) return { ok: false, error: 'Telegram chat ID is missing.' }; if (!cfg.enabled && !options.ignoreEnabled) return { ok: false, error: 'Notifications are disabled.' }; + // Security: Validate Telegram bot token format to prevent SSRF + // Telegram tokens have format: 123456789:ABCdef-GHIjkl_MNOpqr + // Must contain only digits, letters, hyphens, underscores, and exactly one colon + const telegramTokenPattern = /^\d+:[A-Za-z0-9_-]+$/; + if (!telegramTokenPattern.test(botToken)) { + return { ok: false, error: 'Invalid Telegram bot token format.' }; + } + try { const response = await fetch(`https://api.telegram.org/bot${botToken}/sendMessage`, { method: 'POST',