Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[MM-53425]: Added additional checks for POST type APIs #209

Merged
merged 7 commits into from
Sep 14, 2023
Merged

[MM-53425]: Added additional checks for POST type APIs #209

merged 7 commits into from
Sep 14, 2023

Conversation

Kshitij-Katiyar
Copy link
Contributor

Summary

Added additional checks for POST type APIs in todo plugin.

@Kshitij-Katiyar
[MI-3240]:Fixed security issue [MM-53425] of TODO plugin (#1)
9da7452 
* [MI-3240]:Fixed security issue [MM-53425] of TODO plugin

* [MI-3240]:Fixed review comments
@mattermost-build
Copy link

Hello @Kshitij-Katiyar,

Thanks for your pull request! A Core Committer will review your pull request soon. For code contributions, you can learn more about the review process here.

@larkox larkox requested a review from mickmister July 7, 2023 09:30
mickmister
mickmister reviewed Jul 10, 2023
View reviewed changes
server/plugin.go Outdated Show resolved Hide resolved
server/plugin.go Outdated Show resolved Hide resolved
@codecov-commenter
Copy link

codecov-commenter commented Jul 11, 2023
edited
Loading

Codecov Report

Patch coverage has no change and project coverage change: -0.45% ⚠️

Comparison is base (0c4dbfb) 6.87% compared to head (1d4678e) 6.42%.

Additional details and impacted files 
@@            Coverage Diff            @@
##           master    #209      +/-   ##
=========================================
- Coverage    6.87%   6.42%   -0.45%     
=========================================
  Files          10      11       +1     
  Lines        1600    1712     +112     
=========================================
  Hits          110     110              
- Misses       1482    1594     +112     
  Partials        8       8
Files Changed Coverage Δ
server/plugin.go 0.00% <0.00%> (ø)
server/serializer.go 0.00% <0.00%> (ø)

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@hanzei hanzei added the 2: Dev Review Requires review by a core committer label Jul 12, 2023
hanzei
hanzei suggested changes Jul 13, 2023
View reviewed changes
Copy link
Contributor

@hanzei hanzei left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding a recovery handler would further strengthen the codebase and protect against similar issues in the future. Is that something we can include in this PR?

server/plugin.go Outdated Show resolved Hide resolved
server/plugin.go Outdated Show resolved Hide resolved
@hanzei
Copy link
Contributor

hanzei commented Jul 13, 2023

@Kshitij-Katiyar Could you please link the connected JIRA ticket in the PR description?

@mickmister
Copy link
Contributor

Can we add a recovery handler to handle all API routes? Like it's done in the GitHub plugin here: https://github.com/mattermost/mattermost-plugin-github/blob/a336ac3f66347aca7b47963e89570024b184cdfd/server/plugin/api.go#L122

@mkdbns
Copy link

mkdbns commented Jul 14, 2023

@Kshitij-Katiyar Could you please link the connected JIRA ticket in the PR description?

@hanzei , @Kshitij-Katiyar doesn't yet have access to JIRA. I'm posting for him below:

https://mattermost.atlassian.net/browse/MM-53425

@Kshitij-Katiyar Kshitij-Katiyar mentioned this pull request Jul 14, 2023
Merged
@Kshitij-Katiyar
[MI-3276]:Added recovery handler and CheckAuth middleware (#2)
e3dc28d 
* [MI-3276]:Added recovery handler and CheckAuth middleware

* [MI-3276]:Fixed review comments
@Kshitij-Katiyar
Copy link
Contributor Author

@mickmister @hanzei Added recovery handler middleware and there was also no middleware present to check for Mattermost-User-ID ,so i have created that as well in this PR only.

hanzei
hanzei reviewed Jul 19, 2023
View reviewed changes
webapp/src/actions.js Show resolved Hide resolved
server/plugin.go Outdated Show resolved Hide resolved
@hanzei hanzei removed their request for review August 1, 2023 18:49
@hanzei hanzei removed their request for review August 7, 2023 14:25
@Kshitij-Katiyar Kshitij-Katiyar mentioned this pull request Aug 28, 2023
Merged
@Kshitij-Katiyar
[MI-3423]: Added checks for every post API body (#3)
e7b40b7 
* [MI-3423]: Added checks for every post API body

* [MI-3423]:Fixed review comments

* [MI-3423]:Fixed review comments
hanzei
hanzei suggested changes Aug 30, 2023
View reviewed changes
server/serializer.go Outdated
Comment on lines 52 to 62
func IsAddIssuePayloadValid(a *AddAPIRequest) error {
if a == nil {
return errors.New("invalid request body")
}

if a.Message == "" {
return errors.New("message is required")
}

return nil
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's make this a method and simplify the name to IsValid

Suggested change
func IsAddIssuePayloadValid(a *AddAPIRequest) error {
if a == nil {
return errors.New("invalid request body")
}
if a.Message == "" {
return errors.New("message is required")
}
return nil
}
func (a *AddAPIRequest) IsValid error {

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hanzei The reason why i was not able to do this because of the nill check as in the change you have suggested, We wont be able to access the functions of AddAPIRequest if it is already nill and will panic everytime.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can have a nil check in a method with a pointer receiver.

server/serializer.go Show resolved Hide resolved
hanzei
hanzei approved these changes Aug 30, 2023
View reviewed changes
Copy link
Contributor

@hanzei hanzei left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome 🎉

@hanzei hanzei removed the 2: Dev Review Requires review by a core committer label Aug 30, 2023
@hanzei
Copy link
Contributor

hanzei commented Aug 30, 2023

@DHaussermann Do you want to smoke test the PR?

@AayushChaudhary0001
Copy link

Tested and Passed

  • This PR has been tested on MM version 8.1.2 and everything was found working fine.
  • All the edge cases were covered in this PR.
  • Accepting, bumping, listing and editing the issue were found working.
  • All the possible values for edge cases were covered during the testing.

LGTM!

@mickmister mickmister merged commit a309a7a into mattermost-community:master Sep 14, 2023
4 checks passed
@Kshitij-Katiyar Kshitij-Katiyar mentioned this pull request Sep 15, 2023
Merged
@AayushChaudhary0001 AayushChaudhary0001 mentioned this pull request Sep 22, 2023
Open
@hanzei hanzei added the 4: Reviews Complete All reviewers have approved the pull request label Sep 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AayushChaudhary0001 AayushChaudhary0001 AayushChaudhary0001 approved these changes

@hanzei hanzei hanzei approved these changes

@mickmister mickmister mickmister approved these changes

@larkox larkox larkox approved these changes

Assignees
No one assigned
Labels
4: Reviews Complete All reviewers have approved the pull request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@Kshitij-Katiyar @mattermost-build @codecov-commenter @hanzei @mickmister @mkdbns @AayushChaudhary0001 @larkox