Greptile Summary

Added DISCORD_MEDIA_SSRF_POLICY to allow Discord CDN downloads when running behind Clash TUN mode (fake-ip enabled). The policy trusts cdn.discordapp.com and media.discordapp.net, and allows the RFC 2544 benchmark IP range (198.18.0.0/15) used by Clash fake-ip.

• Applied the policy to both attachment and sticker downloads in fetchRemoteMedia calls
• Follows the same pattern as the existing TELEGRAM_MEDIA_SSRF_POLICY
• All 20 tests updated and passing

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The implementation is straightforward, follows an established pattern (Telegram media SSRF policy), and properly addresses the issue. The changes are minimal, well-tested, and security implications are correctly handled by scoping the allowlist to specific Discord CDN hostnames.
• No files require special attention

_{Last reviewed commit: 6442ff9}

Security review note:

Good fix direction for Discord CDN under fake-IP/TUN setups.

Evidence I checked:

• src/discord/monitor/message-utils.ts now sets:
  • allowedHostnames: ["cdn.discordapp.com", "media.discordapp.net"]
  • allowRfc2544BenchmarkRange: true
• Tests were updated to assert that policy is passed.

One security follow-up I’d like:

• Add a negative test showing non-Discord hostnames in RFC2544 ranges are still blocked (to confirm the hostname allowlist remains authoritative and this range exception does not widen trust accidentally).

CI failures currently look baseline-related (protocol drift + shared Windows loader test), not obviously from this diff.

Superseded by #33275: #33275

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.