Security fix for CodeQL alert: - Add regex validation for Telegram bot token format - Token must match pattern: \d+:[A-Za-z0-9_-]+ - Prevents Server-Side Request Forgery (SSRF) attacks - Rejects malformed tokens that could target internal services CodeQL Rule: js/request-forgery Severity: High File: server/src/utils/notifications.ts:95 While TidyQuest is self-hosted and the admin is trusted, this defense-in-depth measure prevents accidental misuse and follows security best practices. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| src | ||
| package-lock.json | ||
| package.json | ||
| tsconfig.json | ||