TidyQuest/server/src
root b9506ae2bd fix(security): Add Telegram bot token validation to prevent SSRF
Security fix for CodeQL alert:
- Add regex validation for Telegram bot token format
- Token must match pattern: \d+:[A-Za-z0-9_-]+
- Prevents Server-Side Request Forgery (SSRF) attacks
- Rejects malformed tokens that could target internal services

CodeQL Rule: js/request-forgery
Severity: High
File: server/src/utils/notifications.ts:95

While TidyQuest is self-hosted and the admin is trusted, this
defense-in-depth measure prevents accidental misuse and follows
security best practices.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-17 19:03:52 +01:00
..
middleware Initial release: TidyQuest v0.1.0 2026-02-17 18:40:09 +01:00
routes Initial release: TidyQuest v0.1.0 2026-02-17 18:40:09 +01:00
utils fix(security): Add Telegram bot token validation to prevent SSRF 2026-02-17 19:03:52 +01:00
database.ts Initial release: TidyQuest v0.1.0 2026-02-17 18:40:09 +01:00
index.ts Initial release: TidyQuest v0.1.0 2026-02-17 18:40:09 +01:00