-
Notifications
You must be signed in to change notification settings - Fork 13.7k
Release 7.10.1 #36965
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Release 7.10.1 #36965
Changes from 5 commits
cee7038
d7da2c0
c8e778a
b0c3e6a
42cea25
5e3fd35
b3ebad4
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| '@rocket.chat/meteor': patch | ||
| --- | ||
|
|
||
| Bump @rocket.chat/meteor version. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| '@rocket.chat/meteor': minor | ||
| --- | ||
|
|
||
| Fixes login using iframe authentication. | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| '@rocket.chat/meteor': patch | ||
| --- | ||
|
|
||
| Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates) |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| --- | ||
| '@rocket.chat/apps-engine': patch | ||
| '@rocket.chat/meteor': patch | ||
| --- | ||
|
|
||
| Changes a strict behavior on reporting slash commands provided by apps |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -811,12 +811,15 @@ export class APIClass< | |
| if (options.authRequired || options.authOrAnonRequired) { | ||
| const user = await api.authenticatedRoute.call(this, this.request); | ||
| this.user = user!; | ||
| this.userId = String(this.request.headers.get('x-user-id')); | ||
| this.userId = this.user?._id; | ||
| const authToken = this.request.headers.get('x-auth-token'); | ||
| this.token = (authToken && Accounts._hashLoginToken(String(authToken)))!; | ||
| } | ||
|
Comment on lines
811
to
817
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chainGood change: derive userId from the authenticated user Setting Run to spot any lingering server code that still trusts As a follow-up, consider eliminating // token-only lookup; avoids trusting a client-supplied user id
protected async authenticatedRoute(req: Request): Promise<IUser | null> {
const authToken = req.headers.get('x-auth-token');
if (!authToken) return null;
const hashed = Accounts._hashLoginToken(String(authToken));
return Users.findOne(
{ 'services.resume.loginTokens.hashedToken': hashed },
{ projection: getDefaultUserFields() },
);
}🏁 Script executed: #!/bin/bash
rg -nP -C2 --type=ts "(x-user-id|X-User-Id)" apps/meteor | sed 's/^/apps\/meteor\//'Length of output: 49525 Do not trust X-User-Id headers — remove/replace remaining server-side usages Good change to derive this.userId from the authenticated user (prevents header spoofing). However the repo still contains server-side code that reads/trusts X-User-Id; these must be refactored to derive the user from the token (token-only lookup) before merging. Representative locations to fix:
Action: implement token-only authenticatedRoute (or equivalent) and remove header-based authorization/readers, update middleware/helpers/CORS/docs and tests. Block merge until server-side reliance on client-supplied X-User-Id is removed or explicitly validated. 🤖 Prompt for AI Agents |
||
|
|
||
| if (!this.user && options.authRequired && !options.authOrAnonRequired && !settings.get('Accounts_AllowAnonymousRead')) { | ||
| const shouldPreventAnonymousRead = !this.user && options.authOrAnonRequired && !settings.get('Accounts_AllowAnonymousRead'); | ||
| const shouldPreventUserRead = !this.user && options.authRequired; | ||
|
|
||
| if (shouldPreventAnonymousRead || shouldPreventUserRead) { | ||
| const result = api.unauthorized('You must be logged in to do this.'); | ||
| // compatibility with the old API | ||
| // TODO: MAJOR | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,185 @@ | ||
| import type { SlashCommand } from '@rocket.chat/core-typings'; | ||
| import { mockAppRoot, type StreamControllerRef } from '@rocket.chat/mock-providers'; | ||
| import { renderHook, waitFor } from '@testing-library/react'; | ||
|
|
||
| import { useAppSlashCommands } from './useAppSlashCommands'; | ||
| import { slashCommands } from '../../app/utils/client/slashCommand'; | ||
|
|
||
| const mockSlashCommands: SlashCommand[] = [ | ||
| { | ||
| command: '/test', | ||
| description: 'Test command', | ||
| params: 'param1 param2', | ||
| clientOnly: false, | ||
| providesPreview: false, | ||
| appId: 'test-app-1', | ||
| permission: undefined, | ||
| }, | ||
| { | ||
| command: '/weather', | ||
| description: 'Get weather information', | ||
| params: 'city', | ||
| clientOnly: false, | ||
| providesPreview: true, | ||
| appId: 'weather-app', | ||
| permission: undefined, | ||
| }, | ||
| ]; | ||
|
|
||
| const mockApiResponse = { | ||
| commands: mockSlashCommands, | ||
| total: mockSlashCommands.length, | ||
| }; | ||
|
|
||
| describe('useAppSlashCommands', () => { | ||
| let mockGetSlashCommands: jest.Mock; | ||
|
|
||
| beforeEach(() => { | ||
| mockGetSlashCommands = jest.fn().mockResolvedValue(mockApiResponse); | ||
|
|
||
| slashCommands.commands = {}; | ||
| }); | ||
|
|
||
| afterEach(() => { | ||
| jest.clearAllMocks(); | ||
| }); | ||
|
|
||
| it('should not fetch data when user ID is not available', () => { | ||
| renderHook(() => useAppSlashCommands(), { | ||
| wrapper: mockAppRoot().withEndpoint('GET', '/v1/commands.list', mockGetSlashCommands).build(), | ||
| }); | ||
|
|
||
| expect(mockGetSlashCommands).not.toHaveBeenCalled(); | ||
| expect(slashCommands.commands).toEqual({}); | ||
| }); | ||
|
|
||
| it('should fetch slash commands when user ID is available', async () => { | ||
| renderHook(() => useAppSlashCommands(), { | ||
| wrapper: mockAppRoot().withEndpoint('GET', '/v1/commands.list', mockGetSlashCommands).withJohnDoe().build(), | ||
| }); | ||
|
|
||
| await waitFor(() => { | ||
| expect(Object.keys(slashCommands.commands)).toHaveLength(mockSlashCommands.length); | ||
| }); | ||
| }); | ||
|
|
||
| it('should handle command/removed event by invalidating queries', async () => { | ||
| const streamRef: StreamControllerRef<'apps'> = {}; | ||
|
|
||
| renderHook(() => useAppSlashCommands(), { | ||
| wrapper: mockAppRoot() | ||
| .withJohnDoe() | ||
| .withStream('apps', streamRef) | ||
| .withEndpoint('GET', '/v1/commands.list', mockGetSlashCommands) | ||
| .build(), | ||
| }); | ||
|
|
||
| expect(streamRef.controller).toBeDefined(); | ||
|
|
||
| await waitFor(() => { | ||
| expect(Object.keys(slashCommands.commands)).toHaveLength(mockSlashCommands.length); | ||
| }); | ||
|
|
||
| streamRef.controller?.emit('apps', [['command/removed', ['/test']]]); | ||
|
|
||
| expect(slashCommands.commands['/test']).toBeUndefined(); | ||
| expect(slashCommands.commands['/weather']).toBeDefined(); | ||
| }); | ||
|
|
||
| it('should handle command/added event by invalidating queries', async () => { | ||
| const streamRef: StreamControllerRef<'apps'> = {}; | ||
|
|
||
| renderHook(() => useAppSlashCommands(), { | ||
| wrapper: mockAppRoot() | ||
| .withJohnDoe() | ||
| .withStream('apps', streamRef) | ||
| .withEndpoint('GET', '/v1/commands.list', mockGetSlashCommands) | ||
| .build(), | ||
| }); | ||
|
|
||
| expect(streamRef.controller).toBeDefined(); | ||
|
|
||
| await waitFor(() => { | ||
| expect(Object.keys(slashCommands.commands)).toHaveLength(mockSlashCommands.length); | ||
| }); | ||
|
|
||
| mockGetSlashCommands.mockResolvedValue({ | ||
| commands: [ | ||
| ...mockSlashCommands, | ||
| { | ||
| command: '/newcommand', | ||
| description: 'New command', | ||
| params: 'param1 param2', | ||
| clientOnly: false, | ||
| }, | ||
| ], | ||
| total: mockSlashCommands.length + 1, | ||
| }); | ||
|
|
||
| streamRef.controller?.emit('apps', [['command/added', ['/newcommand']]]); | ||
|
|
||
| await waitFor(() => { | ||
| expect(slashCommands.commands['/newcommand']).toBeDefined(); | ||
| }); | ||
|
|
||
| expect(slashCommands.commands['/test']).toBeDefined(); | ||
| expect(slashCommands.commands['/weather']).toBeDefined(); | ||
| }); | ||
|
|
||
| it('should handle command/updated event by invalidating queries', async () => { | ||
| const streamRef: StreamControllerRef<'apps'> = {}; | ||
|
|
||
| renderHook(() => useAppSlashCommands(), { | ||
| wrapper: mockAppRoot() | ||
| .withJohnDoe() | ||
| .withStream('apps', streamRef) | ||
| .withEndpoint('GET', '/v1/commands.list', mockGetSlashCommands) | ||
| .build(), | ||
| }); | ||
|
|
||
| expect(streamRef.controller).toBeDefined(); | ||
|
|
||
| await waitFor(() => { | ||
| expect(Object.keys(slashCommands.commands)).toHaveLength(mockSlashCommands.length); | ||
| }); | ||
|
|
||
| streamRef.controller?.emit('apps', [['command/updated', ['/test']]]); | ||
|
|
||
| expect(slashCommands.commands['/test']).toBeUndefined(); | ||
| expect(slashCommands.commands['/weather']).toBeDefined(); | ||
| }); | ||
|
|
||
| it('should ignore command/disabled event', async () => { | ||
| const streamRef: StreamControllerRef<'apps'> = {}; | ||
|
|
||
| renderHook(() => useAppSlashCommands(), { | ||
| wrapper: mockAppRoot() | ||
| .withJohnDoe() | ||
| .withStream('apps', streamRef) | ||
| .withEndpoint('GET', '/v1/commands.list', mockGetSlashCommands) | ||
| .build(), | ||
| }); | ||
|
|
||
| expect(streamRef.controller).toBeDefined(); | ||
|
|
||
| await waitFor(() => { | ||
| expect(Object.keys(slashCommands.commands)).toHaveLength(mockSlashCommands.length); | ||
| }); | ||
|
|
||
| streamRef.controller?.emit('apps', [['command/disabled', ['/test']]]); | ||
|
|
||
| expect(slashCommands.commands['/test']).toBeDefined(); | ||
| expect(slashCommands.commands['/weather']).toBeDefined(); | ||
| }); | ||
|
|
||
| it('should not set up stream listener when user ID is not available', () => { | ||
| const streamRef: StreamControllerRef<'apps'> = {}; | ||
|
|
||
| renderHook(() => useAppSlashCommands(), { | ||
| wrapper: mockAppRoot().withStream('apps', streamRef).build(), | ||
| }); | ||
|
|
||
| expect(streamRef.controller).toBeDefined(); | ||
| expect(streamRef.controller?.has('apps')).toBe(false); | ||
| }); | ||
| }); |
Uh oh!
There was an error while loading. Please reload this page.