fix(telegram): add timeout to file download to prevent DoS (CWE-400)

Add AbortSignal.timeout() to both fetch calls in download.ts to prevent indefinite hangs when Telegram API is slow or unresponsive. - getTelegramFile(): 30s timeout for metadata API call - downloadTelegramFile(): 60s timeout for file download Both functions now accept optional timeoutMs parameter for configurability. Fixes #6849 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 13:55:17 +08:00 · 2026-02-02 13:55:17 +08:00 · d46b489e21
commit d46b489e21
parent 935a0e5708
1 changed files with 8 additions and 2 deletions
--- a/src/telegram/download.ts
+++ b/src/telegram/download.ts
@ -8,9 +8,14 @@ export type TelegramFileInfo = {
  file_path?: string;
 };

-export async function getTelegramFile(token: string, fileId: string): Promise<TelegramFileInfo> {
+export async function getTelegramFile(
+  token: string,
+  fileId: string,
+  timeoutMs = 30_000,
+): Promise<TelegramFileInfo> {
  const res = await fetch(
    `https://api.telegram.org/bot${token}/getFile?file_id=${encodeURIComponent(fileId)}`,
+    { signal: AbortSignal.timeout(timeoutMs) },
  );
  if (!res.ok) {
    throw new Error(`getFile failed: ${res.status} ${res.statusText}`);
@ -26,12 +31,13 @@ export async function downloadTelegramFile(
  token: string,
  info: TelegramFileInfo,
  maxBytes?: number,
+  timeoutMs = 60_000,
 ): Promise<SavedMedia> {
  if (!info.file_path) {
    throw new Error("file_path missing");
  }
  const url = `https://api.telegram.org/file/bot${token}/${info.file_path}`;
-  const res = await fetch(url);
+  const res = await fetch(url, { signal: AbortSignal.timeout(timeoutMs) });
  if (!res.ok || !res.body) {
    throw new Error(`Failed to download telegram file: HTTP ${res.status}`);
  }