Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: consider query strings in Twilio request validation #33364

Merged
merged 5 commits into from
Oct 15, 2024
Merged

fix: consider query strings in Twilio request validation #33364

merged 5 commits into from
Oct 15, 2024

Conversation

julio-cfa
Copy link
Member

@julio-cfa julio-cfa commented Sep 25, 2024
edited by jira bot
Loading

Proposed changes (including videos or screenshots)

A security fix a couple of versions ago may have introduced a bug for Twilio requests containing a query string. This PR changes the Twilio request validation to take into consideration requests with query strings, adds a unit test for this specific case, and removes a duplicated test from the previous changes.

The GitHub issue regarding this problem can be seen below.

Issue(s)

#33318
SUP-668

Steps to test or reproduce

N/A

Further comments

N/A

@julio-cfa julio-cfa requested a review from a team as a code owner September 25, 2024 19:44
@dionisio-bot dionisio-bot
Copy link
Contributor

dionisio-bot bot commented Sep 25, 2024
edited
Loading

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Sep 25, 2024
edited
Loading

🦋 Changeset detected

Latest commit: 5db0871

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 33 packages
Name Type
@rocket.chat/meteor Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/apps Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/ddp-client Patch
@rocket.chat/freeswitch Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/stream-hub-service Patch
@rocket.chat/license Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/network-broker Patch
@rocket.chat/models Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/instance-status Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@julio-cfa julio-cfa requested a review from KevLehman September 25, 2024 19:44
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 25, 2024
edited
Loading

PR Preview Action v1.4.8
🚀 Deployed preview to https://RocketChat.github.io/Rocket.Chat/pr-preview/pr-33364/
on branch gh-pages at 2024-10-15 01:40 UTC

@julio-cfa julio-cfa mentioned this pull request Sep 25, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented Sep 25, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 58.41%. Comparing base (bafbedc) to head (5db0871).
Report is 1 commits behind head on develop.

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff            @@
##           develop   #33364   +/-   ##
========================================
  Coverage    58.41%   58.41%           
========================================
  Files         2744     2744           
  Lines        66255    66257    +2     
  Branches     14990    14991    +1     
========================================
+ Hits         38703    38706    +3     
  Misses       24732    24732           
+ Partials      2820     2819    -1
Flag Coverage Δ
unit 74.61% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@scuciatto scuciatto added this to the 7.0 milestone Sep 26, 2024
@scuciatto scuciatto modified the milestones: 7.0, 6.14 Sep 27, 2024
@jessicaschelly jessicaschelly added the stat: QA assured Means it has been tested and approved by a company insider label Oct 14, 2024
@dionisio-bot dionisio-bot bot added the stat: ready to merge PR tested and approved waiting for merge label Oct 14, 2024
@dionisio-bot dionisio-bot bot removed the stat: ready to merge PR tested and approved waiting for merge label Oct 14, 2024
@julio-cfa julio-cfa added stat: ready to merge PR tested and approved waiting for merge stat: QA tested and removed stat: QA tested labels Oct 14, 2024
@kodiakhq kodiakhq bot merged commit 50c4441 into develop Oct 15, 2024
50 checks passed
@kodiakhq kodiakhq bot deleted the fix-twilio-request-validation branch October 15, 2024 02:52
gabriellsh added a commit that referenced this pull request Oct 15, 2024
@gabriellsh
Merge branch 'develop' of github.com:RocketChat/Rocket.Chat into refa…
946fa5f 
…ctor/avatar

* 'develop' of github.com:RocketChat/Rocket.Chat: (58 commits)
  refactor: unified users page header content into a single component (#33498)
  chore: store contact emails and phones on the same format as user's and visitor's (#33484)
  fix: broken jump-to-thread-message functionality using link  (#33332)
  feat: Apps-Engine method for reading and counting unread room messages for a user (#32194)
  feat: adds a new featured room action on the header for non-default category (#33562)
  chore(deps): bump actions/setup-node from 4.0.3 to 4.0.4 (#33327)
  fix: consider query strings in Twilio request validation (#33364)
  ci: add restore cache for `deploy-preview` (#33579)
  feat: add history endpoint (#33349)
  ci: cache artifacts to reduce api calls (#33567)
  feat: new E2EE composer hint (#33283)
  chore: Add `force` option to `rmSync` call (#33570)
  chore: remove nameInsensitive sorting on /v1/users.listByStatus (#33401)
  chore: Use `rmSync` instead of `rmdirSync` (#33551)
  feat: add contact channels (#33308)
  chore: split ImportDataConverter into multiple classes and add unit testing (#33394)
  test: added MockedDeviceContext to voip unit tests (#33553)
  refactor: adjusted voip endpoints error messages (#33515)
  fix: Cannot send messages after E2EE keys are refreshed (#33527)
  fix: Custom sounds not working when storage is set to filesystem (#33424)
  ...
@ggazzo ggazzo modified the milestones: 6.14, 7.0 Oct 17, 2024
@rocketchat-github-ci rocketchat-github-ci mentioned this pull request Oct 20, 2024
Closed
This was referenced Oct 20, 2024
Closed
Merged
ggazzo pushed a commit that referenced this pull request Nov 6, 2024
@julio-cfa @ggazzo
fix: consider query strings in Twilio request validation (#33364)
c312e45
ggazzo pushed a commit that referenced this pull request Nov 6, 2024
@julio-cfa @ggazzo
fix: consider query strings in Twilio request validation (#33364)
b7f6aeb
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tapiarafael tapiarafael tapiarafael approved these changes

@abhinavkrin abhinavkrin abhinavkrin approved these changes

@KevLehman KevLehman KevLehman approved these changes

Assignees
No one assigned
Labels
stat: QA assured Means it has been tested and approved by a company insider stat: ready to merge PR tested and approved waiting for merge
Projects
None yet
Milestone
7.0
Development

Successfully merging this pull request may close these issues.
7 participants
@julio-cfa @KevLehman @abhinavkrin @tapiarafael @scuciatto @ggazzo @jessicaschelly