fix(security): Add Telegram bot token validation to prevent SSRF

Security fix for CodeQL alert:
- Add regex validation for Telegram bot token format
- Token must match pattern: \d+:[A-Za-z0-9_-]+
- Prevents Server-Side Request Forgery (SSRF) attacks
- Rejects malformed tokens that could target internal services

CodeQL Rule: js/request-forgery
Severity: High
File: server/src/utils/notifications.ts:95

While TidyQuest is self-hosted and the admin is trusted, this
defense-in-depth measure prevents accidental misuse and follows
security best practices.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
root 2026-02-17 19:03:52 +01:00
parent ca42323934
commit b9506ae2bd

View file

@ -91,6 +91,14 @@ export async function sendTelegramMessageDetailed(message: string, options: Send
if (!chatId) return { ok: false, error: 'Telegram chat ID is missing.' }; if (!chatId) return { ok: false, error: 'Telegram chat ID is missing.' };
if (!cfg.enabled && !options.ignoreEnabled) return { ok: false, error: 'Notifications are disabled.' }; if (!cfg.enabled && !options.ignoreEnabled) return { ok: false, error: 'Notifications are disabled.' };
// Security: Validate Telegram bot token format to prevent SSRF
// Telegram tokens have format: 123456789:ABCdef-GHIjkl_MNOpqr
// Must contain only digits, letters, hyphens, underscores, and exactly one colon
const telegramTokenPattern = /^\d+:[A-Za-z0-9_-]+$/;
if (!telegramTokenPattern.test(botToken)) {
return { ok: false, error: 'Invalid Telegram bot token format.' };
}
try { try {
const response = await fetch(`https://api.telegram.org/bot${botToken}/sendMessage`, { const response = await fetch(`https://api.telegram.org/bot${botToken}/sendMessage`, {
method: 'POST', method: 'POST',