Security fix for CodeQL alert: - Add regex validation for Telegram bot token format - Token must match pattern: \d+:[A-Za-z0-9_-]+ - Prevents Server-Side Request Forgery (SSRF) attacks - Rejects malformed tokens that could target internal services CodeQL Rule: js/request-forgery Severity: High File: server/src/utils/notifications.ts:95 While TidyQuest is self-hosted and the admin is trusted, this defense-in-depth measure prevents accidental misuse and follows security best practices. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| middleware | ||
| routes | ||
| utils | ||
| database.ts | ||
| index.ts | ||