fix(e2e): bound Telegram Bot API helper bodies

vincentkoc · vincentkoc · commit 59205bd63c6a · 2026-05-28T22:01:36.000+02:00
diff --git a/scripts/e2e/telegram-bot-api.ts b/scripts/e2e/telegram-bot-api.ts
@@ -3,6 +3,7 @@ type JsonObject = Record<string, unknown>;
 type TelegramBotApiOptions = {
   baseUrl?: string;
   fetchImpl?: (url: string, init: RequestInit) => Promise<Response>;
+  maxBodyBytes?: number;
   timeoutMs?: number;
 };
 
@@ -12,6 +13,10 @@ const DEFAULT_TIMEOUT_MS = readPositiveInt(
   process.env.OPENCLAW_TELEGRAM_USER_BOT_API_TIMEOUT_MS,
   30000,
 );
+const DEFAULT_BODY_MAX_BYTES = readPositiveInt(
+  process.env.OPENCLAW_TELEGRAM_USER_BOT_API_BODY_MAX_BYTES,
+  1024 * 1024,
+);
 
 function readPositiveInt(raw: string | undefined, fallback: number) {
   const parsed = Number.parseInt(raw ?? "", 10);
@@ -23,6 +28,58 @@ function optionalString(source: JsonObject, key: string) {
   return typeof value === "string" && value.trim() ? value.trim() : undefined;
 }
 
+function taggedError(message: string, code: string) {
+  return Object.assign(new Error(message), { code });
+}
+
+async function readBoundedResponseText(
+  response: Response,
+  label: string,
+  byteLimit: number,
+  timeoutPromise: Promise<never>,
+) {
+  const contentLength = response.headers.get("content-length");
+  if (contentLength) {
+    const parsedLength = Number(contentLength);
+    if (Number.isSafeInteger(parsedLength) && parsedLength > byteLimit) {
+      await response.body?.cancel().catch(() => {});
+      throw taggedError(`${label} response body exceeded ${byteLimit} bytes`, "ETOOBIG");
+    }
+  }
+  if (!response.body) {
+    return "";
+  }
+
+  const reader = response.body.getReader();
+  const decoder = new TextDecoder();
+  let byteCount = 0;
+  let text = "";
+  try {
+    while (true) {
+      const { done, value } = await Promise.race([reader.read(), timeoutPromise]);
+      if (done) {
+        return text + decoder.decode();
+      }
+      byteCount += value.byteLength;
+      if (byteCount > byteLimit) {
+        await reader.cancel().catch(() => {});
+        throw taggedError(`${label} response body exceeded ${byteLimit} bytes`, "ETOOBIG");
+      }
+      text += decoder.decode(value, { stream: true });
+    }
+  } finally {
+    reader.releaseLock();
+  }
+}
+
+function parseJsonPayload(rawPayload: string, label: string) {
+  try {
+    return JSON.parse(rawPayload) as JsonObject;
+  } catch (error) {
+    throw new Error(`${label} returned invalid JSON`, { cause: error });
+  }
+}
+
 export async function telegramBotApi(
   token: string,
   method: string,
@@ -31,10 +88,9 @@ export async function telegramBotApi(
 ) {
   const baseUrl = options.baseUrl ?? DEFAULT_BASE_URL;
   const timeoutMs = Math.max(1, options.timeoutMs ?? DEFAULT_TIMEOUT_MS);
-  const timeoutError = Object.assign(
-    new Error(`Telegram Bot API ${method} timed out after ${timeoutMs}ms`),
-    { code: "ETIMEDOUT" },
-  );
+  const maxBodyBytes = Math.max(1, options.maxBodyBytes ?? DEFAULT_BODY_MAX_BYTES);
+  const label = `Telegram Bot API ${method}`;
+  const timeoutError = taggedError(`${label} timed out after ${timeoutMs}ms`, "ETIMEDOUT");
   const controller = new AbortController();
   let timeout: NodeJS.Timeout | undefined;
   const timeoutPromise = new Promise<never>((_, reject) => {
@@ -55,7 +111,8 @@ export async function telegramBotApi(
       }),
       timeoutPromise,
     ]);
-    const payload = (await Promise.race([response.json(), timeoutPromise])) as JsonObject;
+    const rawPayload = await readBoundedResponseText(response, label, maxBodyBytes, timeoutPromise);
+    const payload = parseJsonPayload(rawPayload, label);
     if (!response.ok || payload.ok !== true) {
       throw new Error(
         optionalString(payload, "description") ?? `${method} failed with HTTP ${response.status}`,
diff --git a/test/scripts/telegram-bot-api.test.ts b/test/scripts/telegram-bot-api.test.ts
@@ -45,11 +45,11 @@ describe("Telegram Bot API helper", () => {
 
   it("bounds stalled Bot API response bodies", async () => {
     vi.useFakeTimers();
-    const fetchImpl = vi.fn().mockResolvedValue({
-      ok: true,
-      status: 200,
-      json: () => new Promise(() => undefined),
-    });
+    const fetchImpl = vi.fn().mockResolvedValue(
+      new Response(new ReadableStream<Uint8Array>({ start() {} }), {
+        status: 200,
+      }),
+    );
 
     const result = telegramBotApi(
       "test-token",
@@ -70,4 +70,28 @@ describe("Telegram Bot API helper", () => {
     await rejection;
     expect(fetchImpl.mock.calls[0]?.[1]?.signal.aborted).toBe(true);
   });
+
+  it("bounds oversized Bot API response bodies", async () => {
+    const fetchImpl = vi.fn().mockResolvedValue(
+      new Response(JSON.stringify({ ok: true, result: {}, padding: "x".repeat(128) }), {
+        status: 200,
+      }),
+    );
+
+    await expect(
+      telegramBotApi(
+        "test-token",
+        "getMe",
+        {},
+        {
+          baseUrl: "https://telegram.test",
+          fetchImpl,
+          maxBodyBytes: 16,
+        },
+      ),
+    ).rejects.toMatchObject({
+      code: "ETOOBIG",
+      message: "Telegram Bot API getMe response body exceeded 16 bytes",
+    });
+  });
 });
