fix(msteams): handle invalid JSON escape sequences in Bot Framework activities

hddevteam · hddevteam · commit 5b2a2fb988bd · 2026-03-04T23:09:21.000+08:00
Some Bot Framework clients (e.g. certain MS Teams clients) send activity
payloads that contain invalid JSON escape sequences such as bare backslashes
followed by characters not defined in RFC 8259 (e.g. \p, \q, \c).

The previous `express.json()` middleware uses body-parser's strict JSON
parser which throws `SyntaxError: Bad escaped character in JSON` on such
payloads. This causes the webhook to return a non-200 response, putting
Azure Bot Service into exponential backoff and dropping subsequent messages.

This fix replaces `express.json()` with `express.raw()` (raw Buffer body),
then adds a two-pass JSON parse middleware:

1. First tries standard JSON.parse on the raw body.
2. If that fails (SyntaxError), attempts to repair the payload by
   double-escaping bare backslashes: /\\([^"\\/bfnrtu])/g → \\\\$1
3. If the repaired payload parses successfully, logs a warning and
   continues normally so the activity is processed.
4. If the payload cannot be repaired, responds with HTTP 200 to prevent
   Azure Bot Service backoff, and logs the error for investigation.

Fixes: SyntaxError: Bad escaped character in JSON at position N
Tested: conversationUpdate and message activities from MS Teams clients
diff --git a/extensions/msteams/src/monitor.ts b/extensions/msteams/src/monitor.ts
@@ -269,12 +269,49 @@ export async function monitorMSTeamsProvider(
 
   // Create Express server
   const expressApp = express.default();
-  expressApp.use(express.json({ limit: MSTEAMS_WEBHOOK_MAX_BODY_BYTES }));
+
+  // Use raw body parser so we can repair invalid JSON escape sequences that some
+  // Bot Framework clients include in activity payloads (e.g. conversationUpdate
+  // activities with bare backslashes like \p or \q that are not valid per RFC 8259).
+  // The strict express.json() parser throws SyntaxError on such payloads, which
+  // causes a non-200 response and puts Azure Bot Service into exponential backoff,
+  // dropping all subsequent messages until the backoff window expires.
+  expressApp.use(express.raw({ type: "application/json", limit: MSTEAMS_WEBHOOK_MAX_BODY_BYTES }));
+  expressApp.use((req: Request, _res: Response, next: (err?: unknown) => void) => {
+    if (Buffer.isBuffer(req.body)) {
+      const rawText = req.body.toString("utf-8");
+      try {
+        req.body = JSON.parse(rawText);
+      } catch {
+        // Attempt to repair invalid escape sequences by double-escaping bare
+        // backslashes (e.g. \p → \\p). This recovers payloads sent by certain
+        // Teams clients that violate the JSON spec.
+        const fixed = rawText.replace(/\\([^"\\/bfnrtu])/g, "\\\\$1");
+        try {
+          req.body = JSON.parse(fixed);
+          log.warn("msteams: repaired invalid JSON escape sequences in Bot Framework activity");
+        } catch (parseErr) {
+          next(parseErr);
+          return;
+        }
+      }
+    }
+    next();
+  });
   expressApp.use((err: unknown, _req: Request, res: Response, next: (err?: unknown) => void) => {
-    if (err && typeof err === "object" && "status" in err && err.status === 413) {
+    if (err && typeof err === "object" && "status" in err && (err as { status: number }).status === 413) {
       res.status(413).json({ error: "Payload too large" });
       return;
     }
+    if (err instanceof SyntaxError) {
+      // JSON could not be repaired; acknowledge with HTTP 200 to prevent Azure
+      // Bot Service from entering exponential backoff for an unrecoverable payload.
+      log.error("msteams: unrecoverable JSON parse error in Bot Framework activity", {
+        error: String(err),
+      });
+      res.status(200).end();
+      return;
+    }
     next(err);
   });
   expressApp.use(authorizeJWT(authConfig));
