From 8cbd9f425f3ea0a9a914d296bcf2f843e0b9ab26 Mon Sep 17 00:00:00 2001
From: Joey Krug
Date: Sat, 21 Mar 2026 01:19:39 -0400
Subject: [PATCH] fix: address codex review comments on #36630

- Reject non-decimal quote IDs in normalizeSignalQuoteId: validate string contains only decimal digits before Number() conversion, preventing hex (0x10) and scientific notation (1e3) from normalizing to wrong IDs

Other review findings were already addressed in prior commits:
- Group quote author guard: resolveSignalQuoteMetadata returns {} when isGroup && !quoteAuthor (reply-quote.ts:35-37)
- UUID normalization: normalizeCachedMessageAuthor adds uuid: prefix for bare UUIDs (event-handler.ts:132)
- Explicit reply targets: preserved via explicitPayloadReplyTo check in deliver.ts (not cleared by replyConsumed)
- Reply consumption: trackReplyConsumption only marks consumed after actual successful send with applicable reply metadata
- replyToId:null suppression: explicit null correctly flows through deliver.ts nullish checks without falling back to inherited reply
---
 extensions/signal/src/monitor/quote-context.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/extensions/signal/src/monitor/quote-context.ts b/extensions/signal/src/monitor/quote-context.ts
index e0d8fb89324..5c1b031da43 100644
--- a/extensions/signal/src/monitor/quote-context.ts
+++ b/extensions/signal/src/monitor/quote-context.ts
@@ -64,6 +64,11 @@ export function normalizeSignalQuoteId(rawId?: SignalQuote["id"]) {
 if (!trimmed) {
 return undefined;
 }
+// Only accept decimal digit strings — reject hex (0x10), scientific (1e3),
+// and other Number()-parseable formats that would normalize to a different ID.
+if (!/^\d+$/.test(trimmed)) {
+return undefined;
+}
 const numeric = Number(trimmed);
 return Number.isInteger(numeric) && numeric > 0 ? String(numeric) : undefined;
 }
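Review bot: The new digit-only guard closes the hex and exponent cases, but the unchanged `Number(trimmed)` / `Number.isInteger` line after it still lets a decimal string longer than about 16 digits "normalize to a different ID": `Number("12345678901234567890")` loses precision yet passes `Number.isInteger`, so `String(numeric)` yields a value that never matched any real quote, which is the same class of mismatch the commit is fixing. Tightening the return to `return Number.isSafeInteger(numeric) && numeric > 0 ? String(numeric) : undefined;` rejects those inputs instead of silently remapping them; if IDs above 2^53 are expected, the comparison should be done on the digit string rather than through Number. A test feeding a 20-digit ID and asserting `undefined` would pin this. The added comment could also note that leading zeros are intentionally canonicalized (`"007"` → `"7"`), since that is the one remaining case where input and output differ. normalizeSignalQuoteId starts before the hunk, so where `trimmed` is derived from a numeric `rawId` is not visible here.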