From 1636fedbd46691ece874fcf7425e2178da47ddc5 Mon Sep 17 00:00:00 2001 From: Kenneth Lien Date: Fri, 20 Mar 2026 11:56:57 -0700 Subject: [PATCH] Sanitize user-controlled filenames and download path components MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - safeName() strips <>[]\r\n; from file_name/title before they hit the notification — delimiter chars would let an uploader break out of the tag or forge meta entries - download_attachment strips ext/uniqueId to alphanumeric before join() — defense-in-depth against path traversal (file_unique_id is Telegram-controlled so this is belt-and-braces) --- external_plugins/telegram/server.ts | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/external_plugins/telegram/server.ts b/external_plugins/telegram/server.ts index a1b88f8..0cff1f0 100644 --- a/external_plugins/telegram/server.ts +++ b/external_plugins/telegram/server.ts @@ -499,8 +499,11 @@ mcp.setRequestHandler(CallToolRequestSchema, async req => { const res = await fetch(url) if (!res.ok) throw new Error(`download failed: HTTP ${res.status}`) const buf = Buffer.from(await res.arrayBuffer()) - const ext = file.file_path.split('.').pop() ?? 'bin' - const uniqueId = file.file_unique_id ?? file_id.slice(0, 12) + // file_path is from Telegram (trusted), but strip to safe chars anyway + // so nothing downstream can be tricked by an unexpected extension. + const rawExt = file.file_path.includes('.') ? file.file_path.split('.').pop()! : 'bin' + const ext = rawExt.replace(/[^a-zA-Z0-9]/g, '') || 'bin' + const uniqueId = (file.file_unique_id ?? '').replace(/[^a-zA-Z0-9_-]/g, '') || 'dl' const path = join(INBOX_DIR, `${Date.now()}-${uniqueId}.${ext}`) mkdirSync(INBOX_DIR, { recursive: true }) writeFileSync(path, buf) @@ -565,13 +568,14 @@ bot.on('message:photo', async ctx => { bot.on('message:document', async ctx => { const doc = ctx.message.document - const text = ctx.message.caption ?? `(document: ${doc.file_name ?? 'file'})` + const name = safeName(doc.file_name) + const text = ctx.message.caption ?? `(document: ${name ?? 'file'})` await handleInbound(ctx, text, undefined, { kind: 'document', file_id: doc.file_id, size: doc.file_size, mime: doc.mime_type, - name: doc.file_name, + name, }) }) @@ -588,13 +592,14 @@ bot.on('message:voice', async ctx => { bot.on('message:audio', async ctx => { const audio = ctx.message.audio - const text = ctx.message.caption ?? `(audio: ${audio.title ?? audio.file_name ?? 'audio'})` + const name = safeName(audio.file_name) + const text = ctx.message.caption ?? `(audio: ${safeName(audio.title) ?? name ?? 'audio'})` await handleInbound(ctx, text, undefined, { kind: 'audio', file_id: audio.file_id, size: audio.file_size, mime: audio.mime_type, - name: audio.file_name, + name, }) }) @@ -606,7 +611,7 @@ bot.on('message:video', async ctx => { file_id: video.file_id, size: video.file_size, mime: video.mime_type, - name: video.file_name, + name: safeName(video.file_name), }) }) @@ -637,6 +642,13 @@ type AttachmentMeta = { name?: string } +// Filenames and titles are uploader-controlled. They land inside the +// notification — delimiter chars would let the uploader break out of the tag +// or forge a second meta entry. +function safeName(s: string | undefined): string | undefined { + return s?.replace(/[<>\[\]\r\n;]/g, '_') +} + async function handleInbound( ctx: Context, text: string,