fix: allow Telegram RFC2544 media downloads (#57624) (thanks @MoerAI)

* fix(telegram): allow RFC 2544 benchmark IPs in media download SSRF policy (#57452) Telegram CDN file servers may resolve to IPs in the RFC 2544 benchmark range (198.18.0.0/15). The SSRF policy blocked these downloads while Discord and Slack correctly allowed them. Set allowRfc2544BenchmarkRange to true to match other channel plugins. * fix: note Telegram media RFC2544 CDN downloads (#57624) (thanks @MoerAI) --------- Co-authored-by: Ayaan Zaidi <hi@obviy.us>
2026-05-04 09:40:21 +00:00 · 2026-03-31 13:23:31 +09:00
parent 9d9ee0f313
commit e89bd883d8
3 changed files with 4 additions and 3 deletions
--- a/extensions/telegram/src/bot/delivery.resolve-media-retry.test.ts
+++ b/extensions/telegram/src/bot/delivery.resolve-media-retry.test.ts
@@ -155,7 +155,7 @@ async function expectTransientGetFileRetrySuccess() {
    expect.objectContaining({
      url: `https://api.telegram.org/file/bot${BOT_TOKEN}/voice/file_0.oga`,
      ssrfPolicy: {
-        allowRfc2544BenchmarkRange: false,
+        allowRfc2544BenchmarkRange: true,
        hostnameAllowlist: ["api.telegram.org"],
      },
    }),
@@ -533,7 +533,7 @@ describe("resolveMedia original filename preservation", () => {
        ssrfPolicy: {
          hostnameAllowlist: ["api.telegram.org", "192.168.1.50"],
          allowedHostnames: ["192.168.1.50"],
-          allowRfc2544BenchmarkRange: false,
+          allowRfc2544BenchmarkRange: true,
        },
      }),
    );
--- a/extensions/telegram/src/bot/delivery.resolve-media.ts
+++ b/extensions/telegram/src/bot/delivery.resolve-media.ts
@@ -41,7 +41,7 @@ function buildTelegramMediaSsrfPolicy(apiRoot?: string) {
    // enforcing SSRF checks on the resolved and redirected targets.
    hostnameAllowlist: hostnames,
    ...(allowedHostnames ? { allowedHostnames } : {}),
-    allowRfc2544BenchmarkRange: false,
+    allowRfc2544BenchmarkRange: true,
  };
 }