-
Notifications
You must be signed in to change notification settings - Fork 10.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BREAK] Validate incoming message schema #9922
Conversation
check(attachment, Match.ObjectIncluding({ | ||
color: Match.Maybe(String), | ||
text: Match.Maybe(String), | ||
ts: Match.Maybe(String), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ts
is a String? 🤔
|
||
const validateBodyParams = (bodyParams) => { | ||
check(bodyParams, Match.ObjectIncluding({ | ||
roomId: Match.Maybe(String), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't this one REQUIRED?
tests/end-to-end/api/05-chat.js
Outdated
@@ -32,7 +32,7 @@ describe('[Chat]', function() { | |||
author_icon: 'https://avatars.githubusercontent.com/u/850391?v=3', | |||
title: 'Attachment Example', | |||
title_link: 'https://youtube.com', | |||
title_link_download: 'https://rocket.chat/download', | |||
title_link_download: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can have more tests here, with lots of different variations and some fail case. Can you do that, please?
Can you see again @rafaelks ? |
@MarcosSpessatto Looking great, thanks for tests. LGTM. |
I approved, but I would that someone else also revised the JS code, please. @RocketChat/core |
@rafaelks, can you take a look again please? I have added the same verification in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of applying this verification to just these rest api methods, can we instead apply it to the code which these use? As these are duplicated code and too low level when we should instead be applying these at a higher level. Because with these changes, I can use the real time api and bypass the verification. Also, the webhooks would be able to bypass is verification.
@graywolf336 should he add the validation to the And why the webhooks should be able to bypass the verification? I don't agree with that. |
Yes. No, I'm saying with the way this pull request currently is they would be able to but my request was to not allow them to. :) |
if (Array.isArray(message.attachments) && message.attachments.length) { | ||
validateBodyAttachments(message.attachments); | ||
} | ||
} catch (error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are we catching an error here to then throw the same error? Let's not do that. Either allow the error to be thrown or throw a customized error.
if (message.ts == null) { | ||
message.ts = new Date(); | ||
} | ||
message.u = _.pick(user, ['_id', 'username', 'name']); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of relying on underscore for this, let's just do it ourselves. :)
throw error; | ||
} | ||
|
||
if (message.ts == null) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we change this to if(!message.ts) {
?
@@ -1,10 +1,69 @@ | |||
import _ from 'underscore'; | |||
|
|||
const validateBodyAttachments = (attachments) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As we are now going to be validating the messages and attachments, do we have some place where we document the schema in our documentation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems we don't have @graywolf336, only in the endpoint docs. :(
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any recommendations for where to place it?
cc: @MartinSchoeler
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @MartinSchoeler, any ideas?
RocketChat.sendMessage = function(user, message, room, upsert = false) { | ||
if (!user || !message || !room._id) { | ||
return false; | ||
} | ||
|
||
try { | ||
check(message, Match.ObjectIncluding({ | ||
msg: Match.Maybe(String), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's also check the _id
field, since it can be provided.
@@ -10,6 +10,10 @@ Meteor.methods({ | |||
}); | |||
} | |||
|
|||
if (!message.rid) { | |||
throw new Error('The \'rid\' param, must be provided'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe say The 'rid' property on the message object is missing.
? Does that make more sense?
…-api-chat-postmessage-validations * commit 'a9fb4da5c847a456990a5d60369f0f52ff4a8bd8': (137 commits) Remove "secret" from REST endpoint /settings.oauth response [FIX] Directory sort and column sizes were wrong (#10403) [FIX] Add oauth services missing fields, and indicate whether the oauth service is customized (#10299) Show error message when email verification fails (#10446) Correct the column positions in the directory search for users (#10454) Fixed custom fields misalignment in registration form (#10463) [FIX] Unique identifier file not really being unique (#10341) [OTHER] More Listeners for Apps & Utilize Promises inside Apps (#10335) [FIX] Empty panel after changing a user's username (#10404) [FIX] Russian translation of "False" (#10418) [FIX] Links being embedded inside of blockquotes (#10496) [FIX] The 'channel.messages' REST API Endpoint error (#10485) [OTHER] Develop sync (#10487) [FIX] Button on user info contextual bar scrolling with the content (#10358) [FIX] "Idle Time Limit" using milliseconds instead of seconds (#9824) [NEW] Body of the payload on an incoming webhook is included on the request object (#10259) [FIX] Missing i18n translation key for "Unread" (#10387) [FIX] Owner unable to delete channel or group from APIs (#9729) [NEW] REST endpoint to recover forgotten password (#10371) Add REST endpoint chat.reportMessage, to report a message (#10354) ...
…d try catch unnecessary
@RocketChat/core Thoughts on renaming this to |
@graywolf336 I agree. |
Changed to [BREAK] prefix. |
@@ -1,10 +1,66 @@ | |||
import _ from 'underscore'; | |||
const validateAttachmentsFields = attachmentFields => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ggazzo why did you change the code style from parenthesis around the arguments to not?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
because we dont need ( )
in this case :)
You are breaking a lot of stuff (e.g. webhooks) by now enforcing title on attachments Exception in callback of async function: Error: Match error: Missing key 'title' at check (/opt/Rocket.Chat/programs/server/packages/check.js:68:17) at validateAttachmentsFields (/opt/Rocket.Chat/programs/server/packages/rocketchat_lib.js:5283:3) This is not really a good way to do so! |
@tbaehr Did you open an issue so we can get this fixed? Edit: Looks like the |
does not mean optional, but before it was not checked so it could be left out, didnt make a separate Bug |
@tbaehr That is because those two properties are actually required when you are providing a field on the attachment. This is because of the way the mobile applications and everything are setup to display the attachment fields. |
We now verify the message object, when being sent, matches our expected schema. Should it not, we throw an error.
Closes #9878
Closes #10511