security: Add Discord mention sanitization to prevent abuse

2026-01-11 17:56:15 +00:00 · 2026-01-02 16:18:16 +01:00
parent c56cd0b6b0
commit 56d8e431bd
3 changed files with 79 additions and 7 deletions
--- a/src/util/notifications/ErrorReportingWebhook.ts
+++ b/src/util/notifications/ErrorReportingWebhook.ts
@@ -28,7 +28,12 @@ const SANITIZE_PATTERNS: Array<[RegExp, string]> = [
    [/[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]*/g, '[PATH_REDACTED]'],
    [/\/(?:home|Users)\/[^/\s]+(?:\/[^/\s]+)*/g, '[PATH_REDACTED]'],
    [/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/g, '[IP_REDACTED]'],
-    [/\b[A-Za-z0-9_-]{20,}\b/g, '[TOKEN_REDACTED]']
+    [/\b[A-Za-z0-9_-]{20,}\b/g, '[TOKEN_REDACTED]'],
+    // Discord mention sanitization (prevent @everyone, @here abuse)
+    [/@(everyone|here)/gi, '@\u200b$1'], // Zero-width space breaks mentions
+    [/<@!?(\d+)>/g, '@user'], // User mentions
+    [/<@&(\d+)>/g, '@role'], // Role mentions
+    [/<#(\d+)>/g, '#channel'] // Channel mentions
 ]

 function sanitizeSensitiveText(text: string): string {