Release 3.11.6

.docker/Dockerfile.rhel

@@ -1,6 +1,6 @@
 FROM registry.access.redhat.com/ubi8/nodejs-12
 
-ENV RC_VERSION 3.11.1
+ENV RC_VERSION 3.11.6
 
 MAINTAINER [email protected]
 

.github/history-manual.json

@@ -56,5 +56,37 @@
 		"contributors": [
 			"sampaiodiego"
 		]
+	}],
+	"3.11.2": [{
+		"title": "[FIX] Security Hotfix (https://docs.rocket.chat/guides/security/security-updates)",
+		"userLogin": "sampaiodiego",
+		"contributors": [
+			"sampaiodiego"
+		]
+	}],
+	"3.11.3": [{
+		"title": "[FIX] Bump Livechat widget",
+		"userLogin": "sampaiodiego",
+		"contributors": [
+			"sampaiodiego"
+		]
+	}, {
+		"title": "[FIX] Security Hotfix (https://docs.rocket.chat/guides/security/security-updates)",
+		"userLogin": "sampaiodiego",
+		"contributors": [
+			"sampaiodiego",
+			"g-thome",
+			"KevLehman",
+			"matheusbsilva137"
+		]
+	}],
+	"3.11.4": [{
+		"title": "[FIX] Security Hotfix (https://docs.rocket.chat/guides/security/security-updates)",
+		"userLogin": "sampaiodiego",
+		"contributors": [
+			"sampaiodiego",
+			"KevLehman",
+			"renatobecker"
+		]
 	}]
 }

.github/history.json

@@ -55308,6 +55308,152 @@
           ]
         }
       ]
+    },
+    "3.11.2": {
+      "node_version": "12.18.4",
+      "npm_version": "6.14.8",
+      "apps_engine_version": "1.22.2",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0"
+      ],
+      "pull_requests": [
+        {
+          "pr": "20727",
+          "title": "[FIX] Room owner not being able to override global retention policy",
+          "userLogin": "g-thome",
+          "description": "use correct permissions to check if room owner can override global retention policy",
+          "milestone": "3.11.2",
+          "contributors": [
+            "g-thome"
+          ]
+        },
+        {
+          "pr": "20860",
+          "title": "[FIX] Prevent Message Attachment rendering",
+          "userLogin": "ggazzo",
+          "milestone": "3.11.2",
+          "contributors": [
+            "ggazzo"
+          ]
+        },
+        {
+          "pr": "20740",
+          "title": "[FIX] External systems not being able to change Omnichannel Inquiry priorities ",
+          "userLogin": "renatobecker",
+          "description": "Due to a wrong property name, external applications were not able to change the priority of Omnichannel Inquires.",
+          "milestone": "3.11.2",
+          "contributors": [
+            "renatobecker"
+          ]
+        }
+      ]
+    },
+    "3.10.6": {
+      "node_version": "12.18.4",
+      "npm_version": "6.14.8",
+      "apps_engine_version": "1.21.0-alpha.4235",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0"
+      ],
+      "pull_requests": []
+    },
+    "3.11.3": {
+      "node_version": "12.18.4",
+      "npm_version": "6.14.8",
+      "apps_engine_version": "1.22.2",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0"
+      ],
+      "pull_requests": []
+    },
+    "3.8.9": {
+      "node_version": "12.18.4",
+      "npm_version": "6.14.8",
+      "apps_engine_version": "1.19.0",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0"
+      ],
+      "pull_requests": []
+    },
+    "3.10.7": {
+      "node_version": "12.18.4",
+      "npm_version": "6.14.8",
+      "apps_engine_version": "1.21.0-alpha.4235",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0"
+      ],
+      "pull_requests": []
+    },
+    "3.11.4": {
+      "node_version": "12.18.4",
+      "npm_version": "6.14.8",
+      "apps_engine_version": "1.22.2",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0"
+      ],
+      "pull_requests": []
+    },
+    "3.11.5": {
+      "node_version": "12.18.4",
+      "npm_version": "6.14.8",
+      "apps_engine_version": "1.22.2",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0"
+      ],
+      "pull_requests": [
+        {
+          "pr": "21644",
+          "title": "[FIX] Livechat not retrieving messages",
+          "userLogin": "cuonghuunguyen",
+          "milestone": "3.13.3",
+          "contributors": [
+            "cuonghuunguyen"
+          ]
+        }
+      ]
+    },
+    "3.11.6": {
+      "node_version": "12.18.4",
+      "npm_version": "6.14.8",
+      "apps_engine_version": "1.22.2",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0"
+      ],
+      "pull_requests": [
+        {
+          "pr": "22927",
+          "title": "[FIX] User presence being processes even if presence monitor was disabled",
+          "userLogin": "sampaiodiego",
+          "contributors": [
+            "sampaiodiego"
+          ]
+        },
+        {
+          "pr": "22257",
+          "title": "[FIX] Support DISABLE_PRESENCE_MONITOR env var in new DB watchers",
+          "userLogin": "sampaiodiego",
+          "milestone": "3.14.5",
+          "contributors": [
+            "sampaiodiego"
+          ]
+        }
+      ]
     }
   }
 }

.github/workflows/build_and_test.yml

@@ -381,6 +381,7 @@ jobs:
       env:
         AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
         AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        AWS_DEFAULT_REGION: 'us-east-1'
         GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }}
         REDHAT_REGISTRY_PID: ${{ secrets.REDHAT_REGISTRY_PID }}
         REDHAT_REGISTRY_KEY: ${{ secrets.REDHAT_REGISTRY_KEY }}

.snapcraft/resources/prepareRocketChat

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-curl -SLf "https://releases.rocket.chat/3.11.1/download/" -o rocket.chat.tgz
+curl -SLf "https://releases.rocket.chat/3.11.6/download/" -o rocket.chat.tgz
 
 tar xf rocket.chat.tgz --strip 1
 

.snapcraft/snap/snapcraft.yaml

@@ -7,7 +7,7 @@
 # 5.  `snapcraft snap`
 
 name: rocketchat-server
-version: 3.11.1
+version: 3.11.6
 summary: Rocket.Chat server
 description: Have your own Slack like online chat, built with Meteor. https://rocket.chat/
 confinement: strict

HISTORY.md

@@ -1,4 +1,116 @@
 
+# 3.11.6
+`2022-08-22  ·  2 🐛  ·  1 👩‍💻👨‍💻`
+
+### Engine versions
+- Node: `12.18.4`
+- NPM: `6.14.8`
+- MongoDB: `3.4, 3.6, 4.0`
+- Apps-Engine: `1.22.2`
+
+### 🐛 Bug fixes
+
+
+- Support DISABLE_PRESENCE_MONITOR env var in new DB watchers ([#22257](https://github.com/RocketChat/Rocket.Chat/pull/22257))
+
+- User presence being processes even if presence monitor was disabled ([#22927](https://github.com/RocketChat/Rocket.Chat/pull/22927))
+
+### 👩‍💻👨‍💻 Core Team 🤓
+
+- [@sampaiodiego](https://github.com/sampaiodiego)
+
+# 3.11.5
+`2021-04-20  ·  1 🐛  ·  1 👩‍💻👨‍💻`
+
+### Engine versions
+- Node: `12.18.4`
+- NPM: `6.14.8`
+- MongoDB: `3.4, 3.6, 4.0`
+- Apps-Engine: `1.22.2`
+
+### 🐛 Bug fixes
+
+
+- Livechat not retrieving messages ([#21644](https://github.com/RocketChat/Rocket.Chat/pull/21644) by [@cuonghuunguyen](https://github.com/cuonghuunguyen))
+
+### 👩‍💻👨‍💻 Contributors 😍
+
+- [@cuonghuunguyen](https://github.com/cuonghuunguyen)
+
+# 3.11.4
+`2021-04-14  ·  1 🐛  ·  3 👩‍💻👨‍💻`
+
+### Engine versions
+- Node: `12.18.4`
+- NPM: `6.14.8`
+- MongoDB: `3.4, 3.6, 4.0`
+- Apps-Engine: `1.22.2`
+
+### 🐛 Bug fixes
+
+
+- Security Hotfix (https://docs.rocket.chat/guides/security/security-updates)
+
+### 👩‍💻👨‍💻 Core Team 🤓
+
+- [@KevLehman](https://github.com/KevLehman)
+- [@renatobecker](https://github.com/renatobecker)
+- [@sampaiodiego](https://github.com/sampaiodiego)
+
+# 3.11.3
+`2021-03-26  ·  2 🐛  ·  4 👩‍💻👨‍💻`
+
+### Engine versions
+- Node: `12.18.4`
+- NPM: `6.14.8`
+- MongoDB: `3.4, 3.6, 4.0`
+- Apps-Engine: `1.22.2`
+
+### 🐛 Bug fixes
+
+
+- Bump Livechat widget
+
+- Security Hotfix (https://docs.rocket.chat/guides/security/security-updates)
+
+### 👩‍💻👨‍💻 Core Team 🤓
+
+- [@KevLehman](https://github.com/KevLehman)
+- [@g-thome](https://github.com/g-thome)
+- [@matheusbsilva137](https://github.com/matheusbsilva137)
+- [@sampaiodiego](https://github.com/sampaiodiego)
+
+# 3.11.2
+`2021-02-28  ·  4 🐛  ·  4 👩‍💻👨‍💻`
+
+### Engine versions
+- Node: `12.18.4`
+- NPM: `6.14.8`
+- MongoDB: `3.4, 3.6, 4.0`
+- Apps-Engine: `1.22.2`
+
+### 🐛 Bug fixes
+
+
+- External systems not being able to change Omnichannel Inquiry priorities  ([#20740](https://github.com/RocketChat/Rocket.Chat/pull/20740))
+
+  Due to a wrong property name, external applications were not able to change the priority of Omnichannel Inquires.
+
+- Prevent Message Attachment rendering ([#20860](https://github.com/RocketChat/Rocket.Chat/pull/20860))
+
+- Room owner not being able to override global retention policy ([#20727](https://github.com/RocketChat/Rocket.Chat/pull/20727))
+
+  use correct permissions to check if room owner can override global retention policy
+
+- Security Hotfix (https://docs.rocket.chat/guides/security/security-updates)
+
+### 👩‍💻👨‍💻 Core Team 🤓
+
+- [@g-thome](https://github.com/g-thome)
+- [@ggazzo](https://github.com/ggazzo)
+- [@renatobecker](https://github.com/renatobecker)
+- [@sampaiodiego](https://github.com/sampaiodiego)
+
 # 3.11.1
 `2021-02-10  ·  5 🐛  ·  6 👩‍💻👨‍💻`
 

app/api/server/helpers/parseJsonQuery.js

@@ -2,8 +2,14 @@ import { Meteor } from 'meteor/meteor';
 import { EJSON } from 'meteor/ejson';
 
 import { hasPermission } from '../../../authorization';
+import { clean } from '../lib/cleanQuery';
 import { API } from '../api';
 
+const pathAllowConf = {
+	'/api/v1/users.list': ['$or', '$regex', '$and'],
+	def: ['$or', '$and', '$regex'],
+};
+
 API.helperMethods.set('parseJsonQuery', function _parseJsonQuery() {
 	let sort;
 	if (this.queryParams.sort) {
@@ -54,6 +60,7 @@ API.helperMethods.set('parseJsonQuery', function _parseJsonQuery() {
 	if (this.queryParams.query) {
 		try {
 			query = EJSON.parse(this.queryParams.query);
+			query = clean(query, pathAllowConf[this.request.route] || pathAllowConf.def);
 		} catch (e) {
 			this.logger.warn(`Invalid query parameter provided "${ this.queryParams.query }":`, e);
 			throw new Meteor.Error('error-invalid-query', `Invalid query parameter provided: "${ this.queryParams.query }"`, { helperMethod: 'parseJsonQuery' });

app/api/server/lib/cleanQuery.ts

@@ -0,0 +1,29 @@
+type Query = { [k: string]: any };
+
+const denyList = ['constructor', '__proto__', 'prototype'];
+
+const removeDangerousProps = (v: Query): Query => {
+	const query = Object.create(null);
+	for (const key in v) {
+		if (v.hasOwnProperty(key) && !denyList.includes(key)) {
+			query[key] = v[key];
+		}
+	}
+
+	return query;
+};
+
+export function clean(v: Query, allowList: string[] = []): Query {
+	const typedParam = removeDangerousProps(v);
+	if (v instanceof Object) {
+		/* eslint-disable guard-for-in */
+		for (const key in typedParam) {
+			if (/^$/.test(key) && !allowList.includes(key)) {
+				delete typedParam[key];
+			} else {
+				clean(typedParam[key], allowList);
+			}
+		}
+	}
+	return typedParam;
+}