Merge remote-tracking branch 'origin/master' into release-6.12.0

RocketChat · Aug 23, 2024 · 95ec3b3 · 95ec3b3
2 parents 9f6883e + 12e000d
commit 95ec3b3
Show file tree

Hide file tree

Showing 71 changed files with 956 additions and 80 deletions.
diff --git a/apps/meteor/CHANGELOG.md b/apps/meteor/CHANGELOG.md
@@ -110,6 +110,41 @@
   - @rocket.chat/instance-status@0.1.4-rc.0
   - @rocket.chat/server-cloud-communication@0.0.2
   </details>
+## 6.11.1
+
+### Patch Changes
+
+- Bump @rocket.chat/meteor version.
+
+- Bump @rocket.chat/meteor version.
+
+- ([#33062](https://github.com/RocketChat/Rocket.Chat/pull/33062)) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
+
+- <details><summary>Updated dependencies []:</summary>
+
+  - @rocket.chat/core-typings@6.11.1
+  - @rocket.chat/rest-typings@6.11.1
+  - @rocket.chat/api-client@0.2.4
+  - @rocket.chat/license@0.2.4
+  - @rocket.chat/omnichannel-services@0.3.1
+  - @rocket.chat/pdf-worker@0.2.1
+  - @rocket.chat/presence@0.2.4
+  - @rocket.chat/apps@0.1.4
+  - @rocket.chat/core-services@0.5.1
+  - @rocket.chat/cron@0.1.4
+  - @rocket.chat/fuselage-ui-kit@9.0.1
+  - @rocket.chat/gazzodown@9.0.1
+  - @rocket.chat/model-typings@0.6.1
+  - @rocket.chat/ui-contexts@9.0.1
+  - @rocket.chat/server-cloud-communication@0.0.2
+  - @rocket.chat/models@0.2.1
+  - @rocket.chat/ui-theming@0.2.0
+  - @rocket.chat/ui-avatar@5.0.1
+  - @rocket.chat/ui-client@9.0.1
+  - @rocket.chat/ui-video-conf@9.0.1
+  - @rocket.chat/web-ui-registration@9.0.1
+  - @rocket.chat/instance-status@0.1.4
+  </details>
 
 ## 6.11.0
 

diff --git a/apps/meteor/app/api/server/v1/rooms.ts b/apps/meteor/app/api/server/v1/rooms.ts
@@ -8,6 +8,7 @@ import {
 	isRoomsMuteUnmuteUserProps,
 	isRoomsExportProps,
 	isRoomsIsMemberProps,
+	isRoomsCleanHistoryProps,
 } from '@rocket.chat/rest-typings';
 import { Meteor } from 'meteor/meteor';
 
@@ -361,7 +362,7 @@ API.v1.addRoute(
 
 API.v1.addRoute(
 	'rooms.cleanHistory',
-	{ authRequired: true },
+	{ authRequired: true, validateParams: isRoomsCleanHistoryProps },
 	{
 		async post() {
 			const { _id } = await findRoomByIdOrName({ params: this.bodyParams });

diff --git a/apps/meteor/app/api/server/v1/users.ts b/apps/meteor/app/api/server/v1/users.ts
@@ -755,6 +755,12 @@ API.v1.addRoute(
 	{ authRequired: false },
 	{
 		async post() {
+			const isPasswordResetEnabled = settings.get('Accounts_PasswordReset');
+
+			if (!isPasswordResetEnabled) {
+				return API.v1.failure('Password reset is not enabled');
+			}
+
 			const { email } = this.bodyParams;
 			if (!email) {
 				return API.v1.failure("The 'email' param is required");

diff --git a/apps/meteor/app/livechat/imports/server/rest/sms.ts b/apps/meteor/app/livechat/imports/server/rest/sms.ts
@@ -97,12 +97,18 @@ const normalizeLocationSharing = (payload: ServiceData) => {
 // @ts-expect-error - this is an special endpoint that requires the return to not be wrapped as regular returns
 API.v1.addRoute('livechat/sms-incoming/:service', {
 	async post() {
-		if (!(await OmnichannelIntegration.isConfiguredSmsService(this.urlParams.service))) {
+		const { service } = this.urlParams;
+		if (!(await OmnichannelIntegration.isConfiguredSmsService(service))) {
 			return API.v1.failure('Invalid service');
 		}
 
 		const smsDepartment = settings.get<string>('SMS_Default_Omnichannel_Department');
-		const SMSService = await OmnichannelIntegration.getSmsService(this.urlParams.service);
+		const SMSService = await OmnichannelIntegration.getSmsService(service);
+
+		if (!SMSService.validateRequest(this.request)) {
+			return API.v1.failure('Invalid request');
+		}
+
 		const sms = SMSService.parse(this.bodyParams);
 		const { department } = this.queryParams;
 		let targetDepartment = await defineDepartment(department || smsDepartment);
@@ -121,7 +127,7 @@ API.v1.addRoute('livechat/sms-incoming/:service', {
 			},
 			source: {
 				type: OmnichannelSourceType.SMS,
-				alias: this.urlParams.service,
+				alias: service,
 			},
 		};
 

diff --git a/apps/meteor/client/views/admin/oauthApps/EditOauthApp.tsx b/apps/meteor/client/views/admin/oauthApps/EditOauthApp.tsx
@@ -8,6 +8,7 @@ import {
 	FieldRow,
 	FieldError,
 	FieldHint,
+	PasswordInput,
 	TextAreaInput,
 	ToggleSwitch,
 	FieldGroup,
@@ -136,7 +137,7 @@ const EditOauthApp = ({ onChange, data, ...props }: EditOauthAppProps): ReactEle
 				<Field>
 					<FieldLabel>{t('Client_Secret')}</FieldLabel>
 					<FieldRow>
-						<TextInput value={data.clientSecret} />
+						<PasswordInput value={data.clientSecret} />
 					</FieldRow>
 				</Field>
 				<Field>

diff --git a/apps/meteor/ee/server/lib/audit/methods.ts b/apps/meteor/ee/server/lib/audit/methods.ts
@@ -88,11 +88,18 @@ Meteor.methods<ServerMethods>({
 		check(startDate, Date);
 		check(endDate, Date);
 
-		const user = await Meteor.userAsync();
+		const user = (await Meteor.userAsync()) as IUser;
 		if (!user || !(await hasPermissionAsync(user._id, 'can-audit'))) {
 			throw new Meteor.Error('Not allowed');
 		}
 
+		const userFields = {
+			_id: user._id,
+			username: user.username,
+			...(user.name && { name: user.name }),
+			...(user.avatarETag && { avatarETag: user.avatarETag }),
+		};
+
 		const rooms: IRoom[] = await LivechatRooms.findByVisitorIdAndAgentId(visitor, agent, {
 			projection: { _id: 1 },
 		}).toArray();
@@ -118,7 +125,7 @@ Meteor.methods<ServerMethods>({
 		await AuditLog.insertOne({
 			ts: new Date(),
 			results: messages.length,
-			u: user,
+			u: userFields,
 			fields: { msg, users: usernames, rids, room: name, startDate, endDate, type, visitor, agent },
 		});
 
@@ -128,11 +135,18 @@ Meteor.methods<ServerMethods>({
 		check(startDate, Date);
 		check(endDate, Date);
 
-		const user = await Meteor.userAsync();
+		const user = (await Meteor.userAsync()) as IUser;
 		if (!user || !(await hasPermissionAsync(user._id, 'can-audit'))) {
 			throw new Meteor.Error('Not allowed');
 		}
 
+		const userFields = {
+			_id: user._id,
+			username: user.username,
+			...(user.name && { name: user.name }),
+			...(user.avatarETag && { avatarETag: user.avatarETag }),
+		};
+
 		let rids;
 		let name;
 
@@ -169,9 +183,10 @@ Meteor.methods<ServerMethods>({
 		await AuditLog.insertOne({
 			ts: new Date(),
 			results: messages.length,
-			u: user,
+			u: userFields,
 			fields: { msg, users: usernames, rids, room: name, startDate, endDate, type, visitor, agent },
 		});
+
 		updateCounter({ settingsId: 'Message_Auditing_Panel_Load_Count' });
 
 		return messages;
@@ -183,13 +198,24 @@ Meteor.methods<ServerMethods>({
 		if (!uid || !(await hasPermissionAsync(uid, 'can-audit-log'))) {
 			throw new Meteor.Error('Not allowed');
 		}
-		return AuditLog.find({
-			// 'u._id': userId,
-			ts: {
-				$gt: startDate,
-				$lt: endDate,
+		return AuditLog.find(
+			{
+				// 'u._id': userId,
+				ts: {
+					$gt: startDate,
+					$lt: endDate,
+				},
 			},
-		}).toArray();
+			{
+				projection: {
+					'u.services': 0,
+					'u.roles': 0,
+					'u.lastLogin': 0,
+					'u.statusConnection': 0,
+					'u.emails': 0,
+				},
+			},
+		).toArray();
 	},
 });
 

diff --git a/apps/meteor/ee/server/services/CHANGELOG.md b/apps/meteor/ee/server/services/CHANGELOG.md
@@ -13,6 +13,18 @@
   - @rocket.chat/core-services@0.6.0-rc.0
   - @rocket.chat/models@0.2.1-rc.0
   </details>
+## 1.3.1
+
+### Patch Changes
+
+- <details><summary>Updated dependencies []:</summary>
+
+  - @rocket.chat/core-typings@6.11.1
+  - @rocket.chat/rest-typings@6.11.1
+  - @rocket.chat/core-services@0.5.1
+  - @rocket.chat/model-typings@0.6.1
+  - @rocket.chat/models@0.2.1
+  </details>
 
 ## 1.3.0
 

diff --git a/apps/meteor/ee/server/services/package.json b/apps/meteor/ee/server/services/package.json
@@ -1,7 +1,7 @@
 {
 	"name": "rocketchat-services",
 	"private": true,
-	"version": "1.3.1-rc.0",
+	"version": "1.3.2-rc.0",
 	"description": "Rocket.Chat Authorization service",
 	"main": "index.js",
 	"scripts": {

diff --git a/apps/meteor/server/lib/ldap/Manager.ts b/apps/meteor/server/lib/ldap/Manager.ts
@@ -165,7 +165,7 @@ export class LDAPManager {
 
 		const { attribute: idAttribute, value: id } = uniqueId;
 		const username = this.slugifyUsername(ldapUser, usedUsername || id || '') || undefined;
-		const emails = this.getLdapEmails(ldapUser, username);
+		const emails = this.getLdapEmails(ldapUser, username).map((email) => email.trim());
 		const name = this.getLdapName(ldapUser) || undefined;
 
 		const userData: IImportUser = {

diff --git a/apps/meteor/server/methods/reportMessage.ts b/apps/meteor/server/methods/reportMessage.ts
@@ -3,6 +3,7 @@ import type { IMessage } from '@rocket.chat/core-typings';
 import type { ServerMethods } from '@rocket.chat/ddp-client';
 import { ModerationReports, Rooms, Users, Messages } from '@rocket.chat/models';
 import { check } from 'meteor/check';
+import { DDPRateLimiter } from 'meteor/ddp-rate-limiter';
 import { Meteor } from 'meteor/meteor';
 
 import { canAccessRoomAsync } from '../../app/authorization/server/functions/canAccessRoom';
@@ -82,3 +83,15 @@ Meteor.methods<ServerMethods>({
 		return true;
 	},
 });
+
+DDPRateLimiter.addRule(
+	{
+		type: 'method',
+		name: 'reportMessage',
+		userId() {
+			return true;
+		},
+	},
+	5,
+	60000,
+);
diff --git a/apps/meteor/server/methods/sendConfirmationEmail.ts b/apps/meteor/server/methods/sendConfirmationEmail.ts
@@ -2,6 +2,7 @@ import type { ServerMethods } from '@rocket.chat/ddp-client';
 import { Users } from '@rocket.chat/models';
 import { Accounts } from 'meteor/accounts-base';
 import { check } from 'meteor/check';
+import { DDPRateLimiter } from 'meteor/ddp-rate-limiter';
 import { Meteor } from 'meteor/meteor';
 
 import { methodDeprecationLogger } from '../../app/lib/server/lib/deprecationWarningLogger';
@@ -31,3 +32,15 @@ Meteor.methods<ServerMethods>({
 		}
 	},
 });
+
+DDPRateLimiter.addRule(
+	{
+		type: 'method',
+		name: 'sendConfirmationEmail',
+		userId() {
+			return true;
+		},
+	},
+	5,
+	60000,
+);
diff --git a/apps/meteor/server/services/omnichannel-integrations/providers/mobex.ts b/apps/meteor/server/services/omnichannel-integrations/providers/mobex.ts
@@ -1,6 +1,7 @@
 import { Base64 } from '@rocket.chat/base64';
 import type { ISMSProvider, ServiceData, SMSProviderResult, SMSProviderResponse } from '@rocket.chat/core-typings';
 import { serverFetch as fetch } from '@rocket.chat/server-fetch';
+import type { Request } from 'express';
 
 import { settings } from '../../../../app/settings/server';
 import { SystemLogger } from '../../../lib/logger/system';
@@ -196,6 +197,10 @@ export class Mobex implements ISMSProvider {
 		};
 	}
 
+	validateRequest(_request: Request): boolean {
+		return true;
+	}
+
 	error(error: Error & { reason?: string }): SMSProviderResponse {
 		let message = '';
 		if (error.reason) {

diff --git a/apps/meteor/server/services/omnichannel-integrations/providers/twilio.ts b/apps/meteor/server/services/omnichannel-integrations/providers/twilio.ts
@@ -1,6 +1,7 @@
 import { api } from '@rocket.chat/core-services';
 import type { ISMSProvider, ServiceData, SMSProviderResponse, SMSProviderResult } from '@rocket.chat/core-typings';
 import { Users } from '@rocket.chat/models';
+import type { Request } from 'express';
 import filesize from 'filesize';
 import twilio from 'twilio';
 
@@ -244,6 +245,31 @@ export class Twilio implements ISMSProvider {
 		};
 	}
 
+	isRequestFromTwilio(signature: string, requestBody: object): boolean {
+		const authToken = settings.get<string>('SMS_Twilio_authToken');
+		const siteUrl = settings.get<string>('Site_Url');
+
+		if (!authToken || !siteUrl) {
+			SystemLogger.error(`(Twilio) -> URL or Twilio token not configured.`);
+			return false;
+		}
+
+		const twilioUrl = siteUrl.endsWith('/')
+			? `${siteUrl}api/v1/livechat/sms-incoming/twilio`
+			: `${siteUrl}/api/v1/livechat/sms-incoming/twilio`;
+		return twilio.validateRequest(authToken, signature, twilioUrl, requestBody);
+	}
+
+	validateRequest(request: Request): boolean {
+		// We're not getting original twilio requests on CI :p
+		if (process.env.TEST_MODE === 'true') {
+			return true;
+		}
+		const twilioHeader = request.headers['x-twilio-signature'] || '';
+		const twilioSignature = Array.isArray(twilioHeader) ? twilioHeader[0] : twilioHeader;
+		return this.isRequestFromTwilio(twilioSignature, request.body);
+	}
+
 	error(error: Error & { reason?: string }): SMSProviderResponse {
 		let message = '';
 		if (error.reason) {

diff --git a/apps/meteor/server/services/omnichannel-integrations/providers/voxtelesys.ts b/apps/meteor/server/services/omnichannel-integrations/providers/voxtelesys.ts
@@ -2,6 +2,7 @@ import { api } from '@rocket.chat/core-services';
 import type { ISMSProvider, ServiceData, SMSProviderResponse } from '@rocket.chat/core-typings';
 import { Users } from '@rocket.chat/models';
 import { serverFetch as fetch } from '@rocket.chat/server-fetch';
+import type { Request } from 'express';
 import filesize from 'filesize';
 
 import { settings } from '../../../../app/settings/server';
@@ -162,6 +163,10 @@ export class Voxtelesys implements ISMSProvider {
 		};
 	}
 
+	validateRequest(_request: Request): boolean {
+		return true;
+	}
+
 	error(error: Error & { reason?: string }): SMSProviderResponse {
 		let message = '';
 		if (error.reason) {

diff --git a/apps/meteor/server/settings/message.ts b/apps/meteor/server/settings/message.ts
@@ -32,7 +32,7 @@ export const createMessageSettings = () =>
 				],
 			});
 
-			await this.add('Message_Attachments_Strip_Exif', false, {
+			await this.add('Message_Attachments_Strip_Exif', true, {
 				type: 'boolean',
 				public: true,
 				i18nDescription: 'Message_Attachments_Strip_ExifDescription',