From 1a0036283d815766ee05a970cf56bcf03b3d78db Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Tue, 3 Mar 2026 02:23:39 +0000
Subject: [PATCH] refactor(security): dedupe telegram allowlist validation loops
---
 src/security/audit-channel.ts | 83 ++++++++++++++++-------------------
 1 file changed, 38 insertions(+), 45 deletions(-)
diff --git a/src/security/audit-channel.ts b/src/security/audit-channel.ts
index 551437ffdce..3761db5820d 100644
--- a/src/security/audit-channel.ts
+++ b/src/security/audit-channel.ts
@@ -39,6 +39,24 @@ function addDiscordNameBasedEntries(params: {
 }
 }
+function collectInvalidTelegramAllowFromEntries(params: {
+ entries: unknown;
+ target: Set;
+}): void {
+ if (!Array.isArray(params.entries)) {
+ return;
+ }
+ for (const entry of params.entries) {
+ const normalized = normalizeTelegramAllowFromEntry(entry);
+ if (!normalized || normalized === "*") {
+ continue;
+ }
+ if (!isNumericTelegramUserId(normalized)) {
+ params.target.add(normalized);
+ }
+ }
+}
+
 function classifyChannelWarningSeverity(message: string): SecurityAuditSeverity {
 const s = message.toLowerCase();
 if (
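Review bot: `collectInvalidTelegramAllowFromEntries` returns silently when `params.entries` is not an array, so for this audit a malformed allowlist value (a bare string instead of a list, say) is indistinguishable from an empty one. The call sites visible in this patch already coerce non-arrays to `[]`, so this is not a regression, but the helper now accepts `unknown` and carries no comment stating that contract or that it mutates `target`. I would add a doc comment such as `/** Adds non-numeric, non-wildcard allowFrom entries to target; empty entries, "*" and non-array input are skipped, not reported. */`. It is also worth deciding whether a non-array `allowFrom` should produce its own finding rather than pass the audit quietly.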
@@ -531,38 +549,23 @@ export async function collectChannelSecurityFindings(params: {
 ).catch(() => []);
 const storeHasWildcard = storeAllowFrom.some((v) => String(v).trim() === "*");
 const invalidTelegramAllowFromEntries = new Set();
- for (const entry of storeAllowFrom) {
- const normalized = normalizeTelegramAllowFromEntry(entry);
- if (!normalized || normalized === "*") {
- continue;
- }
- if (!isNumericTelegramUserId(normalized)) {
- invalidTelegramAllowFromEntries.add(normalized);
- }
- }
+ collectInvalidTelegramAllowFromEntries({
+ entries: storeAllowFrom,
+ target: invalidTelegramAllowFromEntries,
+ });
 const groupAllowFrom = Array.isArray(telegramCfg.groupAllowFrom) ? telegramCfg.groupAllowFrom : [];
 const groupAllowFromHasWildcard = groupAllowFrom.some((v) => String(v).trim() === "*");
- for (const entry of groupAllowFrom) {
- const normalized = normalizeTelegramAllowFromEntry(entry);
- if (!normalized || normalized === "*") {
- continue;
- }
- if (!isNumericTelegramUserId(normalized)) {
- invalidTelegramAllowFromEntries.add(normalized);
- }
- }
+ collectInvalidTelegramAllowFromEntries({
+ entries: groupAllowFrom,
+ target: invalidTelegramAllowFromEntries,
+ });
 const dmAllowFrom = Array.isArray(telegramCfg.allowFrom) ? telegramCfg.allowFrom : [];
- for (const entry of dmAllowFrom) {
- const normalized = normalizeTelegramAllowFromEntry(entry);
- if (!normalized || normalized === "*") {
- continue;
- }
- if (!isNumericTelegramUserId(normalized)) {
- invalidTelegramAllowFromEntries.add(normalized);
- }
- }
+ collectInvalidTelegramAllowFromEntries({
+ entries: dmAllowFrom,
+ target: invalidTelegramAllowFromEntries,
+ });
 const anyGroupOverride = Boolean(
 groups && Object.values(groups).some((value) => {
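Review bot: Wildcard detection and entry validation rely on different normalisation: the context lines compute `storeHasWildcard` and `groupAllowFromHasWildcard` with `String(v).trim() === "*"`, while the helper called here skips entries where `normalizeTelegramAllowFromEntry(entry) === "*"`. If that normaliser strips anything beyond surrounding whitespace (its body is not part of this patch), an entry could normalise to `*`, be skipped by the helper as a wildcard, and still not set either `...HasWildcard` flag, so an open allowlist would go unreported. Using the same normaliser for both checks closes that gap, e.g. `const storeHasWildcard = storeAllowFrom.some((v) => normalizeTelegramAllowFromEntry(v) === "*");` and likewise for `groupAllowFrom`. No wildcard flag for `dmAllowFrom` is visible in this hunk; it may be computed outside it.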
@@ -572,15 +575,10 @@ export async function collectChannelSecurityFindings(params: {
 const group = value as Record;
 const allowFrom = Array.isArray(group.allowFrom) ? group.allowFrom : [];
 if (allowFrom.length > 0) {
- for (const entry of allowFrom) {
- const normalized = normalizeTelegramAllowFromEntry(entry);
- if (!normalized || normalized === "*") {
- continue;
- }
- if (!isNumericTelegramUserId(normalized)) {
- invalidTelegramAllowFromEntries.add(normalized);
- }
- }
+ collectInvalidTelegramAllowFromEntries({
+ entries: allowFrom,
+ target: invalidTelegramAllowFromEntries,
+ });
 return true;
 }
 const topics = group.topics;
@@ -593,15 +591,10 @@ export async function collectChannelSecurityFindings(params: {
 }
 const topic = topicValue as Record;
 const topicAllow = Array.isArray(topic.allowFrom) ? topic.allowFrom : [];
- for (const entry of topicAllow) {
- const normalized = normalizeTelegramAllowFromEntry(entry);
- if (!normalized || normalized === "*") {
- continue;
- }
- if (!isNumericTelegramUserId(normalized)) {
- invalidTelegramAllowFromEntries.add(normalized);
- }
- }
+ collectInvalidTelegramAllowFromEntries({
+ entries: topicAllow,
+ target: invalidTelegramAllowFromEntries,
+ });
 return topicAllow.length > 0;
 });
 }),
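Review bot: Validation still runs as a side effect inside a short-circuiting `.some()` callback: in the `if (allowFrom.length > 0)` branch the helper call is followed by `return true`, which stops the iteration over `Object.values(groups)`, so every group after the first one with a non-empty `allowFrom` is never validated. The topic hunk at -593 has the same shape, with `return topicAllow.length > 0` right after the helper call (the iterating call lies outside the hunk, presumably also `.some`). For an audit this means non-numeric entries in later groups or topics are silently missed. I would move the helper calls into a plain loop over all groups and topics and keep the `.some()` callbacks free of side effects; the guards in the sketch below are assumed, since the lines between the two hunks are not shown.

```typescript
// … unchanged: store / group / DM allowFrom collection …
// Validation pass: visits every group and topic, so .some() cannot cut it short.
for (const value of Object.values(groups ?? {})) {
  if (!value || typeof value !== "object") {
    continue;
  }
  const group = value as Record<string, unknown>;
  collectInvalidTelegramAllowFromEntries({
    entries: group.allowFrom,
    target: invalidTelegramAllowFromEntries,
  });
  const topics = group.topics;
  if (!topics || typeof topics !== "object") {
    continue;
  }
  for (const topicValue of Object.values(topics as Record<string, unknown>)) {
    if (!topicValue || typeof topicValue !== "object") {
      continue;
    }
    collectInvalidTelegramAllowFromEntries({
      entries: (topicValue as Record<string, unknown>).allowFrom,
      target: invalidTelegramAllowFromEntries,
    });
  }
}
// … unchanged: anyGroupOverride = Boolean(groups && Object.values(groups).some(…)), minus the collect calls in its callbacks …
```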