fix(security): validate cron deliver platform name to prevent env var enumeration

2026-04-04 23:38:55 +03:00 · 2026-04-04 23:38:55 +03:00 · 1ebc932417
commit 1ebc932417
parent ef3bd3b276
1 changed files with 8 additions and 1 deletions
--- a/cron/scheduler.py
+++ b/cron/scheduler.py
@ -135,7 +135,14 @@ def _resolve_delivery_target(job: dict) -> Optional[dict]:
            "thread_id": origin.get("thread_id"),
        }

-    chat_id = os.getenv(f"{platform_name.upper()}_HOME_CHANNEL", "")
+    _KNOWN_PLATFORMS = {
+            "telegram", "discord", "slack", "whatsapp", "signal",
+            "matrix", "mattermost", "dingtalk", "feishu", "wecom",
+            "sms", "email", "webhook",
+        }
+        if platform_name.lower() not in _KNOWN_PLATFORMS:
+            return None
+        chat_id = os.getenv(f"{platform_name.upper()}_HOME_CHANNEL", "")
    if not chat_id:
        return None