Validate Telegram delivery targets to reject invalid formats (#21930)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: 02c9b1c3dd Co-authored-by: kesor <7056+kesor@users.noreply.github.com> Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com> Reviewed-by: @obviyus
2026-05-08 02:51:24 +00:00 · 2026-02-23 07:14:46 +02:00
parent 23598e0e3a
commit 78f801e243
3 changed files with 105 additions and 0 deletions
--- a/src/cron/service/jobs.ts
+++ b/src/cron/service/jobs.ts
@@ -83,6 +83,23 @@ export function assertSupportedJobSpec(job: Pick<CronJob, "sessionTarget" | "pay
  }
 }

+const TELEGRAM_TME_URL_REGEX = /^https?:\/\/t\.me\/|t\.me\//i;
+const TELEGRAM_SLASH_TOPIC_REGEX = /^-?\d+\/\d+$/;
+
+function validateTelegramDeliveryTarget(to: string | undefined): string | undefined {
+  if (!to) {
+    return undefined;
+  }
+  const trimmed = to.trim();
+  if (TELEGRAM_TME_URL_REGEX.test(trimmed)) {
+    return undefined;
+  }
+  if (TELEGRAM_SLASH_TOPIC_REGEX.test(trimmed)) {
+    return `Invalid Telegram delivery target "${to}". Use colon (:) as delimiter for topics, not slash. Valid formats: -1001234567890, -1001234567890:123, -1001234567890:topic:123, @username, https://t.me/username`;
+  }
+  return undefined;
+}
+
 function assertDeliverySupport(job: Pick<CronJob, "sessionTarget" | "delivery">) {
  if (!job.delivery) {
    return;
@@ -98,6 +115,12 @@ function assertDeliverySupport(job: Pick<CronJob, "sessionTarget" | "delivery">)
  if (job.sessionTarget !== "isolated") {
    throw new Error('cron channel delivery config is only supported for sessionTarget="isolated"');
  }
+  if (job.delivery.channel === "telegram") {
+    const telegramError = validateTelegramDeliveryTarget(job.delivery.to);
+    if (telegramError) {
+      throw new Error(telegramError);
+    }
+  }
 }

 export function findJobOrThrow(state: CronServiceState, id: string) {