From 056ca4908863779cdba69d7e63ffb06352ed741b Mon Sep 17 00:00:00 2001
From: Martin Schoeler
Date: Wed, 31 Aug 2016 09:54:40 -0300
Subject: [PATCH] Parameter Checks (#4147)
* add checks in the methods for checking if the data received in the parameters are in their correct type
* Put the checks in the start of the method and fixed some indentation
* no message
* no message
* no message
* no message
* no message
* no message
* no message
---
 packages/rocketchat-lib/server/methods/addOAuthService.coffee | 3 +++
 .../server/methods/checkRegistrationSecretURL.coffee | 3 +++
 .../rocketchat-lib/server/methods/deleteUserOwnAccount.js | 3 +++
 packages/rocketchat-lib/server/methods/filterATAllTag.js | 1 -
 packages/rocketchat-lib/server/methods/getRoomRoles.js | 3 +++
 packages/rocketchat-lib/server/methods/getUserRoles.js | 1 +
 .../rocketchat-lib/server/methods/insertOrUpdateUser.coffee | 3 +++
 .../rocketchat-lib/server/methods/joinDefaultChannels.coffee | 3 +++
 .../rocketchat-lib/server/methods/removeOAuthService.coffee | 3 +++
 packages/rocketchat-lib/server/methods/robotMethods.coffee | 4 ++++
 packages/rocketchat-lib/server/methods/saveSetting.coffee | 4 ++++
 .../rocketchat-lib/server/methods/sendInvitationEmail.coffee | 3 +++
 packages/rocketchat-lib/server/methods/sendMessage.coffee | 2 ++
 packages/rocketchat-lib/server/methods/setAdminStatus.coffee | 4 ++++
 packages/rocketchat-lib/server/methods/setEmail.js | 3 +++
 packages/rocketchat-lib/server/methods/setRealName.coffee | 3 +++
 packages/rocketchat-lib/server/methods/setUsername.coffee | 3 +++
 17 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/packages/rocketchat-lib/server/methods/addOAuthService.coffee b/packages/rocketchat-lib/server/methods/addOAuthService.coffee
index 19606e836c5..b3ff589bc14 100644
--- a/packages/rocketchat-lib/server/methods/addOAuthService.coffee
+++ b/packages/rocketchat-lib/server/methods/addOAuthService.coffee
@@ -1,5 +1,8 @@
 Meteor.methods
 addOAuthService: (name) ->
+
+ check name, String
+
 if not Meteor.userId()
 throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'addOAuthService' })
diff --git a/packages/rocketchat-lib/server/methods/checkRegistrationSecretURL.coffee b/packages/rocketchat-lib/server/methods/checkRegistrationSecretURL.coffee
index 592b8547099..e2b376ebcfe 100644
--- a/packages/rocketchat-lib/server/methods/checkRegistrationSecretURL.coffee
+++ b/packages/rocketchat-lib/server/methods/checkRegistrationSecretURL.coffee
@@ -1,3 +1,6 @@
 Meteor.methods
 checkRegistrationSecretURL: (hash) ->
+
+ check hash, String
+
 return hash is RocketChat.settings.get 'Accounts_RegistrationForm_SecretURL'
diff --git a/packages/rocketchat-lib/server/methods/deleteUserOwnAccount.js b/packages/rocketchat-lib/server/methods/deleteUserOwnAccount.js
index ee4d15239cf..ed7f361c4d3 100644
--- a/packages/rocketchat-lib/server/methods/deleteUserOwnAccount.js
+++ b/packages/rocketchat-lib/server/methods/deleteUserOwnAccount.js
@@ -1,5 +1,8 @@
 Meteor.methods({
 deleteUserOwnAccount: function(password) {
+
+ check(password, String);
+
 if (!Meteor.userId()) {
 throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'deleteUserOwnAccount' });
 }
diff --git a/packages/rocketchat-lib/server/methods/filterATAllTag.js b/packages/rocketchat-lib/server/methods/filterATAllTag.js
index 38e4f05aea1..4691004b5f3 100644
--- a/packages/rocketchat-lib/server/methods/filterATAllTag.js
+++ b/packages/rocketchat-lib/server/methods/filterATAllTag.js
@@ -1,5 +1,4 @@
 RocketChat.callbacks.add('beforeSaveMessage', function(message) {
- // Test if the message mentions include @all.
 if (message.mentions != null && _.pluck(message.mentions, '_id').some((item) => item === 'all')) {
diff --git a/packages/rocketchat-lib/server/methods/getRoomRoles.js b/packages/rocketchat-lib/server/methods/getRoomRoles.js
index 75e953a8905..18ccaed6dbe 100644
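Review bot: In checkRegistrationSecretURL.coffee, `return hash is RocketChat.settings.get 'Accounts_RegistrationForm_SecretURL'` compares the caller-supplied value with the configured secret using `is` (a plain `===`), and the method has no `Meteor.userId()` guard, so any connected client can use it as a yes/no oracle for the secret; the new `check hash, String` is correct but does not change that. A constant-time comparison (Node's `crypto.timingSafeEqual` on equal-length buffers, if the deployed Node version has it) and a `DDPRateLimiter` rule for this method would bound the exposure. If the method is meant to be reachable before login, say so in a comment, e.g. `# intentionally unauthenticated: called from the registration form before an account exists`.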
--- a/packages/rocketchat-lib/server/methods/getRoomRoles.js
+++ b/packages/rocketchat-lib/server/methods/getRoomRoles.js
@@ -1,5 +1,8 @@
 Meteor.methods({
 getRoomRoles(rid) {
+
+ check(rid, String);
+
 if (!Meteor.userId()) {
 throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'getRoomRoles' });
 }
diff --git a/packages/rocketchat-lib/server/methods/getUserRoles.js b/packages/rocketchat-lib/server/methods/getUserRoles.js
index cff85925e87..f51e7c9e758 100644
--- a/packages/rocketchat-lib/server/methods/getUserRoles.js
+++ b/packages/rocketchat-lib/server/methods/getUserRoles.js
@@ -1,5 +1,6 @@
 Meteor.methods({
 getUserRoles() {
+
 if (!Meteor.userId()) {
 throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'getUserRoles' });
 }
diff --git a/packages/rocketchat-lib/server/methods/insertOrUpdateUser.coffee b/packages/rocketchat-lib/server/methods/insertOrUpdateUser.coffee
index 86388b92a59..221c2f3c824 100644
--- a/packages/rocketchat-lib/server/methods/insertOrUpdateUser.coffee
+++ b/packages/rocketchat-lib/server/methods/insertOrUpdateUser.coffee
@@ -1,5 +1,8 @@
 Meteor.methods
 insertOrUpdateUser: (userData) ->
+
+ check userData, Object
+
 if not Meteor.userId()
 throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'insertOrUpdateUser' })
diff --git a/packages/rocketchat-lib/server/methods/joinDefaultChannels.coffee b/packages/rocketchat-lib/server/methods/joinDefaultChannels.coffee
index 3ff88510940..fd748483a86 100644
--- a/packages/rocketchat-lib/server/methods/joinDefaultChannels.coffee
+++ b/packages/rocketchat-lib/server/methods/joinDefaultChannels.coffee
@@ -1,5 +1,8 @@
 Meteor.methods
 joinDefaultChannels: (silenced) ->
+
+ check silenced, Match.Optional(Boolean)
+
 if not Meteor.userId()
 throw new Meteor.Error('error-invalid-user', "Invalid user", { method: 'joinDefaultChannels' })
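Review bot: In insertOrUpdateUser.coffee, `check userData, Object` only asserts that `userData` is a plain object; it says nothing about which keys it may carry or their types, so every field the body reads later (the body is outside the hunk) is still unvalidated, and the same holds for `check message, Object` in sendMessage.coffee. A field pattern makes the accepted shape explicit and rejects anything else, e.g. `check userData, Match.ObjectIncluding({ _id: Match.Optional(String), username: String })` (the key list here is illustrative — use the fields the method actually reads, with `Match.Optional` for those an insert does not require). For sendMessage, constraining `ts` in the same pattern would also make the `moment(message.ts)` call below it safe against non-date input.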
diff --git a/packages/rocketchat-lib/server/methods/removeOAuthService.coffee b/packages/rocketchat-lib/server/methods/removeOAuthService.coffee
index f13b9abdd7d..689609246ec 100644
--- a/packages/rocketchat-lib/server/methods/removeOAuthService.coffee
+++ b/packages/rocketchat-lib/server/methods/removeOAuthService.coffee
@@ -1,5 +1,8 @@
 Meteor.methods
 removeOAuthService: (name) ->
+
+ check name, String
+
 if not Meteor.userId()
 throw new Meteor.Error('error-invalid-user', "Invalid user", { method: 'removeOAuthService' })
diff --git a/packages/rocketchat-lib/server/methods/robotMethods.coffee b/packages/rocketchat-lib/server/methods/robotMethods.coffee
index 22cf5ba9856..593a915416a 100644
--- a/packages/rocketchat-lib/server/methods/robotMethods.coffee
+++ b/packages/rocketchat-lib/server/methods/robotMethods.coffee
@@ -1,5 +1,9 @@
 Meteor.methods
 'robot.modelCall': (model, method, args) ->
+
+ check model, String
+ check method, String
+
 unless Meteor.userId()
 throw new Meteor.Error 'error-invalid-user', 'Invalid user', { method: 'robot.modelCall' }
diff --git a/packages/rocketchat-lib/server/methods/saveSetting.coffee b/packages/rocketchat-lib/server/methods/saveSetting.coffee
index cbec9d4d2d1..64f9b765ce9 100644
--- a/packages/rocketchat-lib/server/methods/saveSetting.coffee
+++ b/packages/rocketchat-lib/server/methods/saveSetting.coffee
@@ -1,5 +1,9 @@
 Meteor.methods
 saveSetting: (_id, value) ->
+
+ check _id, String
+ check value, String
+
 if Meteor.userId()?
 user = Meteor.users.findOne Meteor.userId()
diff --git a/packages/rocketchat-lib/server/methods/sendInvitationEmail.coffee b/packages/rocketchat-lib/server/methods/sendInvitationEmail.coffee
index 9be056c3b28..f9d8080a619 100644
--- a/packages/rocketchat-lib/server/methods/sendInvitationEmail.coffee
+++ b/packages/rocketchat-lib/server/methods/sendInvitationEmail.coffee
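Review bot: In robotMethods.coffee, `args` is the only parameter of `'robot.modelCall'` left without a `check`, and a `String` pattern on `model` and `method` does not constrain which names a caller may supply. If the body (outside the hunk) resolves `model` and `method` by name and invokes the result, the only authorization visible here is the `Meteor.userId()` guard; an explicit allowlist of callable model/method pairs, or a role check, would make the intended exposure obvious to the next reader. Add at least `check args, Match.Optional([Match.Any])` if `args` is expected to be an array, or the matching pattern if it is not.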
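Review bot: In saveSetting.coffee, `check value, String` rejects every non-string value, and nothing in the hunk shows that settings are string-only; if any setting reached through this method is stored as a boolean or number, the client's `saveSetting` call will now fail with a Match.Error where it previously succeeded. Either confirm that callers only ever send strings, or widen the pattern, e.g. `check value, Match.OneOf(String, Number, Boolean)`, and validate against the setting's declared type in the body. The rest of saveSetting, after the `Meteor.users.findOne` line, is outside the hunk.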
@@ -1,5 +1,8 @@
 Meteor.methods
 sendInvitationEmail: (emails) ->
+
+ check emails, [String]
+
 if not Meteor.userId()
 throw new Meteor.Error 'error-invalid-user', "Invalid user", { method: 'sendInvitationEmail' }
diff --git a/packages/rocketchat-lib/server/methods/sendMessage.coffee b/packages/rocketchat-lib/server/methods/sendMessage.coffee
index f9d5c56043b..a2d52af246a 100644
--- a/packages/rocketchat-lib/server/methods/sendMessage.coffee
+++ b/packages/rocketchat-lib/server/methods/sendMessage.coffee
@@ -1,6 +1,8 @@
 Meteor.methods
 sendMessage: (message) ->
+ check message, Object
+
 if message.ts
 tsDiff = Math.abs(moment(message.ts).diff())
 if tsDiff > 60000
diff --git a/packages/rocketchat-lib/server/methods/setAdminStatus.coffee b/packages/rocketchat-lib/server/methods/setAdminStatus.coffee
index 23df6a18b8a..ca1439aa924 100644
--- a/packages/rocketchat-lib/server/methods/setAdminStatus.coffee
+++ b/packages/rocketchat-lib/server/methods/setAdminStatus.coffee
@@ -1,5 +1,9 @@
 Meteor.methods
 setAdminStatus: (userId, admin) ->
+
+ check userId, String
+ check admin, Match.Optional(Boolean)
+
 if not Meteor.userId()
 throw new Meteor.Error 'error-invalid-user', "Invalid user", { method: 'setAdminStatus' }
diff --git a/packages/rocketchat-lib/server/methods/setEmail.js b/packages/rocketchat-lib/server/methods/setEmail.js
index c7d456b52e3..e71db53808d 100644
--- a/packages/rocketchat-lib/server/methods/setEmail.js
+++ b/packages/rocketchat-lib/server/methods/setEmail.js
@@ -1,5 +1,8 @@
 Meteor.methods({
 setEmail: function(email) {
+
+ check (email, String);
+
 if (!Meteor.userId()) {
 throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'setEmail' });
 }
diff --git a/packages/rocketchat-lib/server/methods/setRealName.coffee b/packages/rocketchat-lib/server/methods/setRealName.coffee
index f2aa510b4fe..072a1f4dfa0 100644
--- a/packages/rocketchat-lib/server/methods/setRealName.coffee
+++ b/packages/rocketchat-lib/server/methods/setRealName.coffee
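Review bot: In sendInvitationEmail.coffee, `check emails, [String]` accepts an empty array and an arbitrarily long one, and a `String` element does not have to look like an e-mail address. If the body (outside the hunk) sends one message per element, the method lets any authenticated user trigger unbounded outbound mail; a cap on `emails.length` (a project constant, placeholder `MAX_INVITES`) and an address-format check before sending would bound that, throwing a `Meteor.Error` in the same style as the `error-invalid-user` line above. Whether such a limit already exists further down is not visible here.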
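Review bot: In setEmail.js, `check (email, String);` has a space before the opening parenthesis, unlike `check(password, String);` in deleteUserOwnAccount.js and `check(rid, String);` in getRoomRoles.js from the same commit; it runs identically but reads as a different idiom and trips ESLint's `func-call-spacing` rule where it is enabled. Change it to `check(email, String);`.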
@@ -1,5 +1,8 @@
 Meteor.methods
 setRealName: (name) ->
+
+ check name, String
+
 if not Meteor.userId()
 throw new Meteor.Error('error-invalid-user', "Invalid user", { method: 'setRealName' })
diff --git a/packages/rocketchat-lib/server/methods/setUsername.coffee b/packages/rocketchat-lib/server/methods/setUsername.coffee
index fe319d1b8bf..4031056c91d 100644
--- a/packages/rocketchat-lib/server/methods/setUsername.coffee
+++ b/packages/rocketchat-lib/server/methods/setUsername.coffee
@@ -1,5 +1,8 @@
 Meteor.methods
 setUsername: (username) ->
+
+ check username, String
+
 if not Meteor.userId()
 throw new Meteor.Error('error-invalid-user', "Invalid user", { method: 'setUsername' })