fix chat telegram artifact filename sanitization

[hhyunbreh]

Fixes #552.

Summary

• sanitize the Telegram bot username for the local manifest filename
• prevent path separators from escaping ctx.outDir
• keep the normalized username for Telegram API calls and public t.me URLs
• add regression coverage for a ../demo/bot username

Tests

• chat-telegram tests passed
• chat-telegram typecheck passed

[greptile-apps]

Greptile Summary

This PR fixes a path-traversal risk in the Telegram adapter's build() method, where a malicious botUsername (e.g. ../../../etc/hosts) could have caused the manifest artifact to be written outside the intended output directory. It adds safeFilename() to strip non-alphanumeric characters and switches from string template concatenation to path.join().

• Added safeFilename(value) which replaces any character outside [a-zA-Z0-9_-] with _, and applies it to the normalized username before constructing the artifact path.
• Updated build() to call normalizeUsername() (matching the existing behavior in ship()) and use path.join() instead of raw string interpolation.
• Added a unit test with botUsername: '../demo/bot' to assert the sanitized artifact path.

Confidence Score: 5/5

Safe to merge — the change is narrowly scoped to the artifact path construction in build(), the fix is correct, and the new test directly covers the path-traversal case.

The sanitization logic is straightforward: normalizeUsername strips the @ prefix, safeFilename converts every non-alphanumeric character to _, and path.join assembles the final path. All three steps are necessary and work correctly together. The test input (../demo/bot → telegram-___demo_bot.json) exercises the primary concern and the expectation is verified end-to-end. No other code paths are affected by this change.

No files require special attention.

Important Files Changed

Filename	Overview
packages/targets/chat-telegram/src/index.ts	Adds safeFilename() to sanitize botUsername before it's embedded in the artifact file path, and switches from string template concatenation to path.join() — eliminating a potential path-traversal issue in build().
packages/targets/chat-telegram/src/index.test.ts	Adds a focused regression test for the sanitization fix using a path-traversal-style username (../demo/bot), verifying the artifact path is correctly sanitized to telegram-___demo_bot.json.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[build called with config.botUsername] --> B[normalizeUsername\nstrip leading '@', trim whitespace]
    B --> C{empty after normalization?}
    C -- yes --> D[throw 'botUsername is required']
    C -- no --> E[safeFilename\nreplace non-alphanumeric with '_']
    E --> F[path.join outDir, 'telegram-' + safeUsername + '.json']
    F --> G[return artifact path]

Loading

_{Reviews (1): Last reviewed commit: "fix chat telegram artifact filename sani..." | Re-trigger Greptile}