Bump version to 3.13.5

.docker/Dockerfile.rhel

@@ -1,6 +1,6 @@
 FROM registry.access.redhat.com/ubi8/nodejs-12
 
-ENV RC_VERSION 3.13.4
+ENV RC_VERSION 3.13.5
 
 MAINTAINER buildmaster@rocket.chat
 

.github/history-manual.json

@@ -97,5 +97,12 @@
 			"KevLehman",
 			"g-thome"
 		]
+	}],
+	"3.13.5": [{
+		"title": "[FIX] Security Hotfix (https://docs.rocket.chat/guides/security/security-updates)",
+		"userLogin": "ggazzo",
+		"contributors": [
+			"ggazzo"
+		]
 	}]
 }

.github/history.json

@@ -58363,6 +58363,38 @@
           ]
         }
       ]
+    },
+    "3.12.6": {
+      "node_version": "12.18.4",
+      "npm_version": "6.14.8",
+      "apps_engine_version": "1.23.0",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0"
+      ],
+      "pull_requests": []
+    },
+    "3.13.5": {
+      "node_version": "12.21.0",
+      "npm_version": "6.14.8",
+      "apps_engine_version": "1.24.1",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0"
+      ],
+      "pull_requests": [
+        {
+          "pr": "22172",
+          "title": "[FIX] Discussion names showing a random value",
+          "userLogin": "sampaiodiego",
+          "milestone": "3.14.4",
+          "contributors": [
+            "sampaiodiego"
+          ]
+        }
+      ]
     }
   }
 }

.snapcraft/resources/prepareRocketChat

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-curl -SLf "https://releases.rocket.chat/3.13.4/download/" -o rocket.chat.tgz
+curl -SLf "https://releases.rocket.chat/3.13.5/download/" -o rocket.chat.tgz
 
 tar xf rocket.chat.tgz --strip 1
 

.snapcraft/snap/snapcraft.yaml

@@ -7,7 +7,7 @@
 # 5.  `snapcraft snap`
 
 name: rocketchat-server
-version: 3.13.4
+version: 3.13.5
 summary: Rocket.Chat server
 description: Have your own Slack like online chat, built with Meteor. https://rocket.chat/
 confinement: strict

HISTORY.md

@@ -1,4 +1,25 @@
 
+# 3.13.5
+`2021-05-27  ·  2 🐛  ·  2 👩‍💻👨‍💻`
+
+### Engine versions
+- Node: `12.21.0`
+- NPM: `6.14.8`
+- MongoDB: `3.4, 3.6, 4.0`
+- Apps-Engine: `1.24.1`
+
+### 🐛 Bug fixes
+
+
+- Discussion names showing a random value ([#22172](https://github.com/RocketChat/Rocket.Chat/pull/22172))
+
+- Security Hotfix (https://docs.rocket.chat/guides/security/security-updates)
+
+### 👩‍💻👨‍💻 Core Team 🤓
+
+- [@ggazzo](https://github.com/ggazzo)
+- [@sampaiodiego](https://github.com/sampaiodiego)
+
 # 3.13.4
 `2021-05-25  ·  1 🐛  ·  1 🔍  ·  4 👩‍💻👨‍💻`
 

app/markdown/lib/parser/original/code.js

@@ -2,29 +2,21 @@
  * code() is a named function that will parse `inline code` and ```codeblock``` syntaxes
  * @param {Object} message - The message object
  */
-import { Random } from 'meteor/random';
 
 import { unescapeHTML } from '../../../../../lib/unescapeHTML';
 import hljs from '../../hljs';
+import { addAsToken } from './token';
 
 const inlinecode = (message) => {
 	// Support `text`
 	message.html = message.html.replace(/\`([^`\r\n]+)\`([<_*~]|\B|\b|$)/gm, (match, p1, p2) => {
-		const token = `=!=${ Random.id() }=!=`;
-
-		message.tokens.push({
-			token,
-			text: `<span class=\"copyonly\">\`</span><span><code class=\"code-colors inline\">${ p1 }</code></span><span class=\"copyonly\">\`</span>${ p2 }`,
-			noHtml: match,
-		});
-
-		return token;
+		return addAsToken(message, `<span class=\"copyonly\">\`</span><span><code class=\"code-colors inline\">${ p1 }</code></span><span class=\"copyonly\">\`</span>${ p2 }`, 'inlinecode', { noHtml: match });
 	});
 };
 
 const codeblocks = (message) => {
 	// Count occurencies of ```
-	const count = (message.html.match(/```/g) || []).length;
+	const count = (message.html.match(/```/gm) || []).length;
 
 	if (count) {
 		// Check if we need to add a final ```
@@ -49,14 +41,14 @@ const codeblocks = (message) => {
 				const code = singleLine ? unescapeHTML(codeMatch[1]) : emptyLanguage;
 
 				const result = lang === '' ? hljs.highlightAuto(lang + code) : hljs.highlight(lang, code);
-				const token = `=!=${ Random.id() }=!=`;
-
-				message.tokens.push({
-					highlight: true,
-					token,
-					text: `<pre><code class='code-colors hljs ${ result.language }'><span class='copyonly'>\`\`\`<br></span>${ result.value }<span class='copyonly'><br>\`\`\`</span></code></pre>`,
-					noHtml: codeMatch[0],
-				});
+				const token = addAsToken(
+					message,
+					`<pre><code class='code-colors hljs ${ result.language }'><span class='copyonly'>\`\`\`<br></span>${ result.value }<span class='copyonly'><br>\`\`\`</span></code></pre>`,
+					'code',
+					{
+						noHtml: codeMatch[0],
+						highlight: true,
+					});
 
 				msgParts[index] = token;
 			} else {
@@ -71,10 +63,6 @@ const codeblocks = (message) => {
 
 export const code = (message) => {
 	if (message.html?.trim()) {
-		if (!message.tokens) {
-			message.tokens = [];
-		}
-
 		codeblocks(message);
 		inlinecode(message);
 	}

app/markdown/lib/parser/original/markdown.js

@@ -1,18 +1,4 @@
-/*
- * Markdown is a named function that will parse markdown syntax
- * @param {String} msg - The message html
- */
-import { Random } from 'meteor/random';
-
-const addAsToken = (message, html) => {
-	const token = `=!=${ Random.id() }=!=`;
-	message.tokens.push({
-		token,
-		text: html,
-	});
-
-	return token;
-};
+import { addAsToken, isToken, validateAllowedTokens } from './token';
 
 const validateUrl = (url, message) => {
 	// Don't render markdown inside links
@@ -89,33 +75,42 @@ const parseNotEscaped = (message, {
 		if (!validateUrl(url, message)) {
 			return match;
 		}
+		if (isToken(title) && !validateAllowedTokens(message, title, ['bold', 'italic', 'strike'])) {
+			return match;
+		}
 		url = encodeURI(url);
 
 		const target = url.indexOf(rootUrl) === 0 ? '' : '_blank';
-		return addAsToken(message, `<a href="${ url }" title="${ title }" target="${ target }" rel="noopener noreferrer"><div class="inline-image" style="background-image: url(${ url });"></div></a>`);
+		return addAsToken(message, `<a href="${ url }" title="${ title }" target="${ target }" rel="noopener noreferrer"><div class="inline-image" style="background-image: url(${ url });"></div></a>`, 'link');
 	});
 
 	// Support [Text](http://link)
 	msg = msg.replace(new RegExp(`\\[([^\\]]+)\\]\\(((?:${ schemes }):\\/\\/[^\\s]+)\\)`, 'gm'), (match, title, url) => {
 		if (!validateUrl(url, message)) {
 			return match;
 		}
+		if (isToken(title) && !validateAllowedTokens(message, title, ['bold', 'italic', 'strike'])) {
+			return match;
+		}
 		const target = url.indexOf(rootUrl) === 0 ? '' : '_blank';
 		title = title.replace(/&amp;/g, '&');
 
 		const escapedUrl = encodeURI(url);
 
-		return addAsToken(message, `<a href="${ escapedUrl }" target="${ target }" rel="noopener noreferrer">${ title }</a>`);
+		return addAsToken(message, `<a href="${ escapedUrl }" target="${ target }" rel="noopener noreferrer">${ title }</a>`, 'link');
 	});
 
 	// Support <http://link|Text>
 	msg = msg.replace(new RegExp(`(?:<|&lt;)((?:${ schemes }):\\\/\\\/[^\\|]+)\\|(.+?)(?=>|&gt;)(?:>|&gt;)`, 'gm'), (match, url, title) => {
 		if (!validateUrl(url, message)) {
 			return match;
 		}
+		if (isToken(title) && !validateAllowedTokens(message, title, ['bold', 'italic', 'strike'])) {
+			return match;
+		}
 		url = encodeURI(url);
 		const target = url.indexOf(rootUrl) === 0 ? '' : '_blank';
-		return addAsToken(message, `<a href="${ url }" target="${ target }" rel="noopener noreferrer">${ title }</a>`);
+		return addAsToken(message, `<a href="${ url }" target="${ target }" rel="noopener noreferrer">${ title }</a>`, 'link');
 	});
 	return msg;
 };

app/markdown/lib/parser/original/token.ts

@@ -0,0 +1,49 @@
+/*
+ * Markdown is a named function that will parse markdown syntax
+ * @param {String} msg - The message html
+ */
+import { Random } from 'meteor/random';
+
+import { IMessage } from '../../../../../definition/IMessage';
+
+type TokenType = 'code'| 'inlinecode' | 'bold' | 'italic' | 'strike' | 'link';
+type Token = {
+	token: string;
+	type: TokenType;
+	text: string;
+	noHtml?: string;
+} & TokenExtra;
+
+type TokenExtra = {
+	highlight?: boolean;
+	noHtml?: string;
+}
+
+export const addAsToken = (message: IMessage & { tokens: Token[] }, html: string, type: TokenType, extra?: TokenExtra): string => {
+	if (!message.tokens) {
+		message.tokens = [];
+	}
+	const token = `=!=${ Random.id() }=!=`;
+	message.tokens.push({
+		token,
+		type,
+		text: html,
+		...extra && { ...extra },
+	});
+
+	return token;
+};
+
+export const isToken = (msg: string): boolean => /=!=[.a-z0-9]{17}=!=/igm.test(msg.trim());
+
+export const validateAllowedTokens = (message: IMessage & { tokens: Token[] }, id: string, desiredTokens: TokenType[]): boolean => {
+	const tokens = id.match(/=!=[.a-z0-9]{17}=!=/igm) || [];
+	const tokensFound = message.tokens.filter(({ token }) => tokens.includes(token));
+	return tokensFound.length === 0 || tokensFound.every((token) => desiredTokens.includes(token.type));
+};
+
+export const validateForbiddenTokens = (message: IMessage & { tokens: Token[] }, id: string, desiredTokens: TokenType[]): boolean => {
+	const tokens = id.match(/=!=[.a-z0-9]{17}=!=/igm) || [];
+	const tokensFound = message.tokens.filter(({ token }) => tokens.includes(token));
+	return tokensFound.length === 0 || !tokensFound.some((token) => desiredTokens.includes(token.type));
+};

app/markdown/tests/client.mocks.js

@@ -55,7 +55,7 @@ mock('../../callbacks', {
 mock('meteor/random', {
 	Random: {
 		id() {
-			return Math.random();
+			return Math.random().toString().replace('0.', 'A');
 		},
 	},
 });

app/utils/rocketchat.info

@@ -1,3 +1,3 @@
 {
-	"version": "3.13.4"
+	"version": "3.13.5"
 }

package.json

@@ -1,7 +1,7 @@
 {
 	"name": "Rocket.Chat",
 	"description": "The Ultimate Open Source WebChat Platform",
-	"version": "3.13.4",
+	"version": "3.13.5",
 	"author": {
 		"name": "Rocket.Chat",
 		"url": "https://rocket.chat/"