fix(telegram): add timeout to file download to prevent DoS (CWE-400)

Add AbortSignal.timeout() to both fetch calls in download.ts to prevent
indefinite hangs when Telegram API is slow or unresponsive.

- getTelegramFile(): 30s timeout for metadata API call
- downloadTelegramFile(): 60s timeout for file download

Both functions now accept optional timeoutMs parameter for configurability.

Fixes #6849

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

src/telegram/download.ts

@@ -8,9 +8,14 @@ export type TelegramFileInfo = {
   file_path?: string;
 };
 
-export async function getTelegramFile(token: string, fileId: string): Promise<TelegramFileInfo> {
+export async function getTelegramFile(
+  token: string,
+  fileId: string,
+  timeoutMs = 30_000,
+): Promise<TelegramFileInfo> {
   const res = await fetch(
     `https://api.telegram.org/bot${token}/getFile?file_id=${encodeURIComponent(fileId)}`,
+    { signal: AbortSignal.timeout(timeoutMs) },
   );
   if (!res.ok) {
     throw new Error(`getFile failed: ${res.status} ${res.statusText}`);
@@ -26,12 +31,13 @@ export async function downloadTelegramFile(
   token: string,
   info: TelegramFileInfo,
   maxBytes?: number,
+  timeoutMs = 60_000,
 ): Promise<SavedMedia> {
   if (!info.file_path) {
     throw new Error("file_path missing");
   }
   const url = `https://api.telegram.org/file/bot${token}/${info.file_path}`;
-  const res = await fetch(url);
+  const res = await fetch(url, { signal: AbortSignal.timeout(timeoutMs) });
   if (!res.ok || !res.body) {
     throw new Error(`Failed to download telegram file: HTTP ${res.status}`);
   }