From a7f6e0a9216c60f2220bc8671e20e77f30be0691 Mon Sep 17 00:00:00 2001 From: Martin-Max Date: Sun, 8 Mar 2026 08:27:25 +0800 Subject: [PATCH] fix(telegram): support negative IDs in groupAllowFrom (#36753) (#37134) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix(telegram): support negative IDs in groupAllowFrom for group/channel whitelist (#36753) When configuring Telegram group restrictions with groupAllowFrom, negative group/channel IDs (e.g., -1001234567890) are rejected with 'authorization requires numeric Telegram sender IDs only' error, even though the field name suggests it should accept group IDs. Root cause: - normalizeAllowFrom() uses regex /^\d+$/ to validate IDs - Telegram group/channel IDs are negative integers - Regex only matches positive integers, rejecting all group IDs Impact: - Users cannot whitelist specific groups using groupAllowFrom - Workaround requires groupPolicy: "open" (security risk) - Field name is misleading (suggests group IDs, but only accepts user IDs) Fix: - Change regex from /^\d+$/ to /^-?\d+$/ (support optional minus sign) - Apply to both invalidEntries filter and ids filter - Add comment explaining negative ID support for groups/channels Testing: - Positive user IDs (745123456) → ✅ still work - Negative group IDs (-1001234567890) → ✅ now accepted - Invalid entries (@username) → ⚠️ still warned Fixes #36753 * test(telegram): add signed ID runtime regression --------- Co-authored-by: Martin Qiu Co-authored-by: Vincent Koc --- src/telegram/bot-access.test.ts | 15 +++++++++++++++ src/telegram/bot-access.ts | 5 +++-- 2 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 src/telegram/bot-access.test.ts
diff --git a/src/telegram/bot-access.test.ts b/src/telegram/bot-access.test.ts
new file mode 100644
index 00000000000..b52e51faf87
--- /dev/null
+++ b/src/telegram/bot-access.test.ts
@@ -0,0 +1,15 @@
+import { describe, expect, it } from "vitest";
+import { normalizeAllowFrom } from "./bot-access.js";
+
+describe("normalizeAllowFrom", () => {
+ it("accepts signed numeric Telegram IDs and rejects usernames", () => {
+ const result = normalizeAllowFrom(["-1001234567890", " tg:-100999 ", "745123456", "@someone"]);
+
+ expect(result).toEqual({
+ entries: ["-1001234567890", "-100999", "745123456"],
+ hasWildcard: false,
+ hasEntries: true,
+ invalidEntries: ["@someone"],
+ });
+ });
+});
diff --git a/src/telegram/bot-access.ts b/src/telegram/bot-access.ts
index d08a54616f0..ac1e70f12bf 100644
--- a/src/telegram/bot-access.ts
+++ b/src/telegram/bot-access.ts
@@ -44,11 +44,12 @@ export const normalizeAllowFrom = (list?: Array): NormalizedAll
 const normalized = entries
 .filter((value) => value !== "*")
 .map((value) => value.replace(/^(telegram|tg):/i, ""));
- const invalidEntries = normalized.filter((value) => !/^\d+$/.test(value));
+ // Support negative IDs for Telegram group/channel IDs (e.g., -1001234567890)
+ const invalidEntries = normalized.filter((value) => !/^-?\d+$/.test(value));
 if (invalidEntries.length > 0) {
 warnInvalidAllowFromEntries([...new Set(invalidEntries)]);
 }
- const ids = normalized.filter((value) => /^\d+$/.test(value));
+ const ids = normalized.filter((value) => /^-?\d+$/.test(value));
 return {
 entries: ids,
 hasWildcard,
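Review bot: The only rejection case in this new test is `"@someone"`, so the boundary that the widened pattern introduces is not pinned: nothing shows that malformed signed strings such as `"-"`, `"--100"` or `"-12a"` end up in `invalidEntries` and never in `entries`. Because the result feeds an authorization allowlist, a second case is worth adding, for example `expect(normalizeAllowFrom(["-", "--100", "-12a"]).entries).toEqual([]);`. That keeps a later loosening of the pattern from silently admitting non-ID strings.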
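Review bot: The pattern `/^-?\d+$/` is now written out twice in the `src/telegram/bot-access.ts` hunk, once negated for `invalidEntries` and once for `ids`, and the two filters have to stay exact complements for the allowlist to be sound; hoist it, e.g. `const TELEGRAM_ID_RE = /^-?\d+$/;`, and use that in both filters. The added comment says negative values are group/channel IDs, but nothing in the hunk shows what `entries` is compared against later. If the caller matches against the sender's user ID, as the old warning text quoted in the commit message suggests, a negative entry would be accepted without a warning yet never match, so the comment should state which ID is compared. It is also worth confirming whether this normalizer is shared with the sender allowlist, where a negative value would now pass without a warning. The body of normalizeAllowFrom starts and ends outside the hunk.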