RocketChat · ggazzo · Jul 2, 2024 · Jun 26, 2024 · Jun 27, 2024 · Jun 28, 2024
diff --git a/.changeset/witty-penguins-rush.md b/.changeset/witty-penguins-rush.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Security Hotfix (https://docs.rocket.chat/guides/security/security-updates)
diff --git a/apps/meteor/app/api/server/api.ts b/apps/meteor/app/api/server/api.ts
@@ -63,6 +63,7 @@ interface IAPIDefaultFieldsToExclude {
 	statusDefault: number;
 	_updatedAt: number;
 	settings: number;
+	inviteToken: number;
 }
 
 type RateLimiterOptions = {
@@ -149,6 +150,7 @@ export class APIClass<TBasePath extends string = ''> extends Restivus {
 
 	public limitedUserFieldsToExcludeIfIsPrivilegedUser: {
 		services: number;
+		inviteToken: number;
 	};
 
 	constructor(properties: IAPIProperties) {
@@ -176,10 +178,12 @@ export class APIClass<TBasePath extends string = ''> extends Restivus {
 			statusDefault: 0,
 			_updatedAt: 0,
 			settings: 0,
+			inviteToken: 0,
 		};
 		this.limitedUserFieldsToExclude = this.defaultLimitedUserFieldsToExclude;
 		this.limitedUserFieldsToExcludeIfIsPrivilegedUser = {
 			services: 0,
+			inviteToken: 0,
 		};
 	}
 

@@ -98,7 +98,7 @@ API.v1.addRoute(
 				throw new Error('invalid-room');
 			}
 
-			let message = await Messages.findOneById(_id);
+			let message = await Messages.findOneByRoomIdAndMessageId(rid, _id);
 			if (!message) {
 				throw new Error('invalid-message');
 			}

@@ -1,6 +1,7 @@
 import type { IMessage } from '@rocket.chat/core-typings';
 import { LivechatVisitors, LivechatRooms } from '@rocket.chat/models';
 import type { ServerMethods } from '@rocket.chat/ui-contexts';
+import { check, Match } from 'meteor/check';
 import { Meteor } from 'meteor/meteor';
 
 import { loadMessageHistory } from '../../../lib/server/functions/loadMessageHistory';
@@ -23,9 +24,11 @@ Meteor.methods<ServerMethods>({
 	async 'livechat:loadHistory'({ token, rid, end, limit = 20, ls }) {
 		methodDeprecationLogger.method('livechat:loadHistory', '7.0.0');
 
-		if (!token || typeof token !== 'string') {
-			return;
-		}
+		check(token, String);
+		check(rid, String);
+		check(end, Date);
+		check(ls, Match.OneOf(String, Date));
+		check(limit, Number);
 
 		const visitor = await LivechatVisitors.getVisitorByToken(token, { projection: { _id: 1 } });
 

@@ -14,6 +14,7 @@ declare module '@rocket.chat/ui-contexts' {
 Meteor.methods<ServerMethods>({
 	async 'livechat:loginByToken'(token) {
 		methodDeprecationLogger.method('livechat:loginByToken', '7.0.0');
+		check(token, String);
 		const visitor = await LivechatVisitors.getVisitorByToken(token, { projection: { _id: 1 } });
 
 		if (!visitor) {

diff --git a/apps/meteor/app/slashcommands-inviteall/server/server.ts b/apps/meteor/app/slashcommands-inviteall/server/server.ts
@@ -10,6 +10,7 @@ import { Meteor } from 'meteor/meteor';
 
 import { isTruthy } from '../../../lib/isTruthy';
 import { i18n } from '../../../server/lib/i18n';
+import { canAccessRoomAsync } from '../../authorization/server';
 import { addUsersToRoomMethod } from '../../lib/server/methods/addUsersToRoom';
 import { createChannelMethod } from '../../lib/server/methods/createChannel';
 import { createPrivateGroupMethod } from '../../lib/server/methods/createPrivateGroup';
@@ -55,6 +56,14 @@ function inviteAll<T extends string>(type: T): SlashCommand<T>['callback'] {
 			});
 			return;
 		}
+
+		if (!(await canAccessRoomAsync(baseChannel, user))) {
+			void api.broadcast('notify.ephemeralMessage', userId, message.rid, {
+				msg: i18n.t('Room_not_exist_or_not_permission', { lng }),
+			});
+			return;
+		}
+
 		const cursor = Subscriptions.findByRoomIdWhenUsernameExists(baseChannel._id, {
 			projection: { 'u.username': 1 },
 		});

@@ -45,10 +45,10 @@ export class TeamRaw extends BaseRaw<ITeam> implements ITeamModel {
 		query?: Filter<ITeam>,
 	): FindCursor<P> | FindCursor<ITeam> {
 		if (options === undefined) {
-			return this.find({ _id: { $in: ids }, ...query });
+			return this.find({ ...query, _id: { $in: ids } });
 		}
 
-		return this.find({ _id: { $in: ids }, ...query }, options);
+		return this.find({ ...query, _id: { $in: ids } }, options);
 	}
 
 	findByIdsPaginated(
@@ -57,10 +57,10 @@ export class TeamRaw extends BaseRaw<ITeam> implements ITeamModel {
 		query?: Filter<ITeam>,
 	): FindPaginated<FindCursor<ITeam>> {
 		if (options === undefined) {
-			return this.findPaginated({ _id: { $in: ids }, ...query });
+			return this.findPaginated({ ...query, _id: { $in: ids } });
 		}
 
-		return this.findPaginated({ _id: { $in: ids }, ...query }, options);
+		return this.findPaginated({ ...query, _id: { $in: ids } }, options);
 	}
 
 	findByIdsAndType(ids: Array<string>, type: TEAM_TYPE): FindCursor<ITeam>;

diff --git a/apps/meteor/tests/data/api-data.js b/apps/meteor/tests/data/api-data.js
@@ -46,6 +46,10 @@ export function methodCall(methodName) {
 	return api(`method.call/${methodName}`);
 }
 
+export function methodCallAnon(methodName) {
+	return api(`method.callAnon/${methodName}`);
+}
+
 export function log(res) {
 	console.log(res.req.path);
 	console.log({

@@ -793,6 +793,10 @@ describe('[Users]', function () {
 		let deactivatedUser;
 		let user2;
 		let user2Credentials;
+		let user3;
+		let user3Credentials;
+		let group;
+		let inviteToken;
 
 		before(async () => {
 			const username = `deactivated_${Date.now()}${apiUsername}`;
@@ -849,14 +853,44 @@ describe('[Users]', function () {
 		before(async () => {
 			user2 = await createUser({ joinDefaultChannels: false });
 			user2Credentials = await login(user2.username, password);
+			user3 = await createUser({ joinDefaultChannels: false });
+			user3Credentials = await login(user3.username, password);
 		});
 
+		before('Create a group', async () => {
+			group = (
+				await createRoom({
+					type: 'p',
+					name: `group.test.${Date.now()}-${Math.random()}`,
+				})
+			).body.group;
+		});
+
+		before('Create invite link', async () => {
+			inviteToken = (
+				await request.post(api('findOrCreateInvite')).set(credentials).send({
+					rid: group._id,
+					days: 0,
+					maxUses: 0,
+				})
+			).body._id;
+		});
+
+		after('Remove invite link', async () =>
+			request
+				.delete(api(`removeInvite/${inviteToken}`))
+				.set(credentials)
+				.send(),
+		);
+
 		after(() =>
 			Promise.all([
 				clearCustomFields(),
 				deleteUser(deactivatedUser),
 				deleteUser(user),
 				deleteUser(user2),
+				deleteUser(user3),
+				deleteRoom({ type: 'p', roomId: group._id }),
 				updatePermission('view-outside-room', ['admin', 'owner', 'moderator', 'user']),
 				updateSetting('API_Apply_permission_view-outside-room_on_users-list', false),
 			]),
@@ -979,6 +1013,70 @@ describe('[Users]', function () {
 
 			await request.get(api('users.list')).set(user2Credentials).expect('Content-Type', 'application/json').expect(403);
 		});
+
+		it('should exclude inviteToken in the user item for privileged users even when fields={inviteToken:1} is specified', async () => {
+			await request
+				.post(api('useInviteToken'))
+				.set(user2Credentials)
+				.send({ token: inviteToken })
+				.expect(200)
+				.expect('Content-Type', 'application/json')
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('room');
+					expect(res.body.room).to.have.property('rid', group._id);
+				});
+
+			await request
+				.get(api('users.list'))
+				.set(credentials)
+				.expect('Content-Type', 'application/json')
+				.query({
+					fields: JSON.stringify({ inviteToken: 1 }),
+					sort: JSON.stringify({ inviteToken: -1 }),
+					count: 100,
+				})
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('users');
+					res.body.users.forEach((user) => {
+						expect(user).to.not.have.property('inviteToken');
+					});
+				});
+		});
+
+		it('should exclude inviteToken in the user item for normal users even when fields={inviteToken:1} is specified', async () => {
+			await updateSetting('API_Apply_permission_view-outside-room_on_users-list', false);
+			await request
+				.post(api('useInviteToken'))
+				.set(user3Credentials)
+				.send({ token: inviteToken })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('room');
+					expect(res.body.room).to.have.property('rid', group._id);
+				});
+
+			await request
+				.get(api('users.list'))
+				.set(user3Credentials)
+				.expect('Content-Type', 'application/json')
+				.query({
+					fields: JSON.stringify({ inviteToken: 1 }),
+					sort: JSON.stringify({ inviteToken: -1 }),
+					count: 100,
+				})
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('users');
+					res.body.users.forEach((user) => {
+						expect(user).to.not.have.property('inviteToken');
+					});
+				});
+		});
 	});
 
 	describe('Avatars', () => {