fix(security): Add Telegram bot token validation to prevent SSRF
Security fix for CodeQL alert: - Add regex validation for Telegram bot token format - Token must match pattern: \d+:[A-Za-z0-9_-]+ - Prevents Server-Side Request Forgery (SSRF) attacks - Rejects malformed tokens that could target internal services CodeQL Rule: js/request-forgery Severity: High File: server/src/utils/notifications.ts:95 While TidyQuest is self-hosted and the admin is trusted, this defense-in-depth measure prevents accidental misuse and follows security best practices. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
parent
ca42323934
commit
b9506ae2bd
1 changed files with 8 additions and 0 deletions
|
|
@ -91,6 +91,14 @@ export async function sendTelegramMessageDetailed(message: string, options: Send
|
|||
if (!chatId) return { ok: false, error: 'Telegram chat ID is missing.' };
|
||||
if (!cfg.enabled && !options.ignoreEnabled) return { ok: false, error: 'Notifications are disabled.' };
|
||||
|
||||
// Security: Validate Telegram bot token format to prevent SSRF
|
||||
// Telegram tokens have format: 123456789:ABCdef-GHIjkl_MNOpqr
|
||||
// Must contain only digits, letters, hyphens, underscores, and exactly one colon
|
||||
const telegramTokenPattern = /^\d+:[A-Za-z0-9_-]+$/;
|
||||
if (!telegramTokenPattern.test(botToken)) {
|
||||
return { ok: false, error: 'Invalid Telegram bot token format.' };
|
||||
}
|
||||
|
||||
try {
|
||||
const response = await fetch(`https://api.telegram.org/bot${botToken}/sendMessage`, {
|
||||
method: 'POST',
|
||||
|
|
|
|||
Loading…
Reference in a new issue