[BREAK] Validate incoming message schema (#9922)

* Added validation in chat.postMessage endpoint

* fix required parameters and add more tests cases.

* Added the same validation to chat.sendMessage method too.

* changed validation level, set in sendMessage method

* Improvements in the sendMessage function, removed underscore uses, and try catch unnecessary

* Fix test in chat.sendMessage endpoint, and fix error in sendMessage function

* fix review

packages/rocketchat-api/server/v1/chat.js

@@ -1,4 +1,5 @@
 /* global processWebhookMessage */
+
 RocketChat.API.v1.addRoute('chat.delete', { authRequired: true }, {
 	post() {
 		check(this.bodyParams, Match.ObjectIncluding({

packages/rocketchat-lib/server/functions/sendMessage.js

@@ -1,10 +1,66 @@
-import _ from 'underscore';
+const validateAttachmentsFields = attachmentFields => {
+	check(attachmentFields, Match.ObjectIncluding({
+		short: Match.Maybe(Boolean),
+		title: String,
+		value: String
+	}));
+};
+
+const validateAttachment = attachment => {
+	check(attachment, Match.ObjectIncluding({
+		color: Match.Maybe(String),
+		text: Match.Maybe(String),
+		ts: Match.Maybe(String),
+		thumb_url: Match.Maybe(String),
+		message_link: Match.Maybe(String),
+		collapsed: Match.Maybe(Boolean),
+		author_name: Match.Maybe(String),
+		author_link: Match.Maybe(String),
+		author_icon: Match.Maybe(String),
+		title: Match.Maybe(String),
+		title_link: Match.Maybe(String),
+		title_link_download: Match.Maybe(Boolean),
+		image_url: Match.Maybe(String),
+		audio_url: Match.Maybe(String),
+		video_url: Match.Maybe(String)
+	}));
+	if (attachment.fields.length) {
+		attachment.fields.map(validateAttachmentsFields);
+	}
+};
+
+const validateBodyAttachments = attachments => attachments.map(validateAttachment);
 
 RocketChat.sendMessage = function(user, message, room, upsert = false) {
 	if (!user || !message || !room._id) {
 		return false;
 	}
 
+	check(message, Match.ObjectIncluding({
+		_id: Match.Maybe(String),
+		msg: Match.Maybe(String),
+		text: Match.Maybe(String),
+		alias: Match.Maybe(String),
+		emoji: Match.Maybe(String),
+		avatar: Match.Maybe(String),
+		attachments: Match.Maybe(Array)
+	}));
+
+	if (Array.isArray(message.attachments) && message.attachments.length) {
+		validateBodyAttachments(message.attachments);
+	}
+
+	if (!message.ts) {
+		message.ts = new Date();
+	}
+	const { _id, username, name } = user;
+	message.u = {
+		_id,
+		username,
+		name
+	};
+	message.rid = room._id;
+
 	if (!Match.test(message.msg, String)) {
 		message.msg = '';
 	}
@@ -13,9 +69,6 @@ RocketChat.sendMessage = function(user, message, room, upsert = false) {
 		message.ts = new Date();
 	}
 
-	message.rid = room._id;
-	message.u = _.pick(user, ['_id', 'username', 'name']);
-
 	if (!room.usernames || room.usernames.length === 0) {
 		const updated_room = RocketChat.models.Rooms.findOneById(room._id);
 		if (updated_room) {

packages/rocketchat-lib/server/methods/sendMessage.js

@@ -10,6 +10,10 @@ Meteor.methods({
 			});
 		}
 
+		if (!message.rid) {
+			throw new Error('The \'rid\' property on the message object is missing.');
+		}
+
 		if (message.ts) {
 			const tsDiff = Math.abs(moment(message.ts).diff());
 			if (tsDiff > 60000) {
@@ -54,7 +58,7 @@ Meteor.methods({
 			return false;
 		}
 
-		if ((room.muted||[]).includes(user.username)) {
+		if ((room.muted || []).includes(user.username)) {
 			RocketChat.Notifications.notifyUser(Meteor.userId(), 'message', {
 				_id: Random.id(),
 				rid: room._id,