fix(security): Add Telegram bot token validation to prevent SSRF
Security fix for CodeQL alert: - Add regex validation for Telegram bot token format - Token must match pattern: \d+:[A-Za-z0-9_-]+ - Prevents Server-Side Request Forgery (SSRF) attacks - Rejects malformed tokens that could target internal services CodeQL Rule: js/request-forgery Severity: High File: server/src/utils/notifications.ts:95 While TidyQuest is self-hosted and the admin is trusted, this defense-in-depth measure prevents accidental misuse and follows security best practices. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
parent
ca42323934
commit
b9506ae2bd
1 changed files with 8 additions and 0 deletions
|
|
@ -91,6 +91,14 @@ export async function sendTelegramMessageDetailed(message: string, options: Send
|
||||||
if (!chatId) return { ok: false, error: 'Telegram chat ID is missing.' };
|
if (!chatId) return { ok: false, error: 'Telegram chat ID is missing.' };
|
||||||
if (!cfg.enabled && !options.ignoreEnabled) return { ok: false, error: 'Notifications are disabled.' };
|
if (!cfg.enabled && !options.ignoreEnabled) return { ok: false, error: 'Notifications are disabled.' };
|
||||||
|
|
||||||
|
// Security: Validate Telegram bot token format to prevent SSRF
|
||||||
|
// Telegram tokens have format: 123456789:ABCdef-GHIjkl_MNOpqr
|
||||||
|
// Must contain only digits, letters, hyphens, underscores, and exactly one colon
|
||||||
|
const telegramTokenPattern = /^\d+:[A-Za-z0-9_-]+$/;
|
||||||
|
if (!telegramTokenPattern.test(botToken)) {
|
||||||
|
return { ok: false, error: 'Invalid Telegram bot token format.' };
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const response = await fetch(`https://api.telegram.org/bot${botToken}/sendMessage`, {
|
const response = await fetch(`https://api.telegram.org/bot${botToken}/sendMessage`, {
|
||||||
method: 'POST',
|
method: 'POST',
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue