diff --git a/extensions/telegram/src/channel-actions.ts b/extensions/telegram/src/channel-actions.ts
index 8cb8ac43934..50f7826da70 100644
--- a/extensions/telegram/src/channel-actions.ts
+++ b/extensions/telegram/src/channel-actions.ts
@@ -70,6 +70,7 @@ function readTelegramMessageIdParam(
 const messageId = readNumberParam(params, "messageId", {
 required,
 integer: true,
+ strict: true,
 });
 if (required && typeof messageId !== "number") {
 throw new Error("messageId is required.");
@@ -79,8 +80,8 @@ function readTelegramMessageIdParam(
 function readTelegramTopicIdParam(params: Record): number | undefined {
 return (
- readNumberParam(params, "topicId", { integer: true }) ??
- readNumberParam(params, "threadId", { integer: true })
+ readNumberParam(params, "topicId", { integer: true, strict: true }) ??
+ readNumberParam(params, "threadId", { integer: true, strict: true })
 );
 }
diff --git a/src/channels/plugins/actions/actions.test.ts b/src/channels/plugins/actions/actions.test.ts
index 45b35ac7738..b9e8f8fdb55 100644
--- a/src/channels/plugins/actions/actions.test.ts
+++ b/src/channels/plugins/actions/actions.test.ts
@@ -913,6 +913,28 @@ describe("telegramMessageActions", () => {
 expect(handleTelegramAction).not.toHaveBeenCalled();
 });
+ it("rejects non-integer topic-delete ids before telegram-actions", async () => {
+ const cfg = telegramCfg();
+ const handleAction = telegramMessageActions.handleAction;
+ if (!handleAction) {
+ throw new Error("telegram handleAction unavailable");
+ }
+
+ await expect(
+ handleAction({
+ channel: "telegram",
+ action: "topic-delete",
+ params: {
+ to: "-1001234567890",
+ topicId: "271abc",
+ },
+ cfg,
+ }),
+ ).rejects.toThrow(/threadId\/topicId is required for action=topic-delete/i);
+
+ expect(handleTelegramAction).not.toHaveBeenCalled();
+ });
+
+
 it("forwards trusted mediaLocalRoots for send", async () => {
 const cfg = telegramCfg();
 await telegramMessageActions.handleAction?.({
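Review bot: In readTelegramMessageIdParam the guard after the new `strict: true` still throws `messageId is required.` for any non-number result, so a supplied but malformed id would be reported as missing. This assumes strict mode returns undefined rather than throwing; readNumberParam's body is not in this diff, so that needs confirming. When `required` is false, the same malformed value appears to be dropped silently and the action proceeds as if no messageId had been given. I would reject the malformed case explicitly, e.g. `if (params.messageId != null && typeof messageId !== "number") throw new Error("messageId must be an integer.");`, provided readNumberParam reads only that literal key. The function body continues outside the hunk.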
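Review bot: The `??` chain in readTelegramTopicIdParam now falls through to `threadId` whenever `topicId` is present but fails strict parsing, so params carrying a malformed `topicId` and a valid `threadId` would resolve to the thread id instead of being rejected. This assumes strict mode yields undefined for malformed input, as the error message asserted in the new test suggests. For a destructive action such as topic-delete, a malformed id on the preferred key should stop the request rather than silently select a different target. Fall back only when `topicId` is absent, e.g. `if (params.topicId != null) return readNumberParam(params, "topicId", { integer: true, strict: true });` placed before the `threadId` read.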
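Review bot: The added test covers only a string `topicId` with trailing characters on `topic-delete`; the `messageId` change and the `threadId` fallback touched in channel-actions.ts have no case here. Cases worth adding are a fractional value such as `"271.5"`, a malformed `messageId` on an action that requires one, and params that combine a malformed `topicId` with a valid `threadId`. The asserted pattern `threadId\/topicId is required` also pins "required" wording for a value that was actually supplied, so it will need updating if malformed ids get their own error message. The `it("forwards trusted mediaLocalRoots for send", …)` test that follows continues outside the hunk.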