From 473d53583837a6c022bbbbc41d5504dba4800cd1 Mon Sep 17 00:00:00 2001 From: Diego Sampaio Date: Wed, 19 Jan 2022 13:30:06 -0300 Subject: [PATCH] Bump version to 4.3.2 --- .docker/Dockerfile.rhel | 2 +- .github/history-manual.json | 10 +++ .github/history.json | 70 ++++++++++++++++++++- .snapcraft/resources/prepareRocketChat | 2 +- .snapcraft/snap/snapcraft.yaml | 2 +- HISTORY.md | 52 ++++++++++++++- app/api/server/v1/roles.ts | 4 ++ app/api/server/v1/users.js | 11 ++++ app/lib/server/functions/getFullUserData.js | 8 ++- app/ui-message/client/message.js | 2 + app/utils/rocketchat.info | 2 +- client/lib/userData.ts | 5 ++ client/startup/startup.ts | 3 +- package-lock.json | 2 +- package.json | 2 +- server/methods/reportMessage.js | 15 ++++- 16 files changed, 178 insertions(+), 14 deletions(-) diff --git a/.docker/Dockerfile.rhel b/.docker/Dockerfile.rhel index 1e3bbc57ec8..f2dafebe812 100644 --- a/.docker/Dockerfile.rhel +++ b/.docker/Dockerfile.rhel @@ -1,6 +1,6 @@ FROM registry.access.redhat.com/ubi8/nodejs-12 -ENV RC_VERSION 4.3.1 +ENV RC_VERSION 4.3.2 MAINTAINER buildmaster@rocket.chat diff --git a/.github/history-manual.json b/.github/history-manual.json index 6258a78a3d9..28af48cda09 100644 --- a/.github/history-manual.json +++ b/.github/history-manual.json @@ -130,5 +130,15 @@ "contributors": [ "sampaiodiego" ] + }], + "4.3.2": [{ + "title": "[FIX] Security Hotfix (https://docs.rocket.chat/guides/security/security-updates)", + "userLogin": "sampaiodiego", + "contributors": [ + "sampaiodiego", + "yash-rajpal", + "pierre-lehnen-rc", + "gronke" + ] }] } diff --git a/.github/history.json b/.github/history.json index 8d8adf4e319..8292e652812 100644 --- a/.github/history.json +++ b/.github/history.json 
@@ -68842,6 +68842,74 @@ ] } ] + }, + "4.3.2": { + "node_version": "12.22.1", + "npm_version": "6.14.1", + "apps_engine_version": "1.29.2", + "mongo_versions": [ + "3.6", + "4.0", + "4.2", + "4.4", + "5.0" + ], + "pull_requests": [ + { + "pr": "24068", + "title": "[FIX] Integration section crashing opening in My Account", + "userLogin": "dougfabris", + "milestone": "4.3.2", + "contributors": [ + "dougfabris", + "tassoevan", + "web-flow", + "gabriellsh" + ] + }, + { + "pr": "24171", + "title": "Chore: Update Apps-Engine to 1.29.2", + "userLogin": "d-gubert", + "milestone": "4.3.2", + "contributors": [ + "d-gubert" + ] + }, + { + "pr": "24158", + "title": "[FIX] App Framework Enable hanging indefinitely", + "userLogin": "geekgonecrazy", + "milestone": "4.3.2", + "contributors": [ + "geekgonecrazy", + "d-gubert", + "web-flow" + ] + }, + { + "pr": "24090", + "title": "[FIX] CSV Importer failing to import users", + "userLogin": "pierre-lehnen-rc", + "description": "- Update use of `setRealName` function to `_setRealName`.", + "milestone": "4.3.2", + "contributors": [ + "pierre-lehnen-rc", + "matheusbsilva137", + "web-flow" + ] + }, + { + "pr": "24142", + "title": "[FIX][ENTERPRISE] Leading slashes in Engagement Dashboard API requests", + "userLogin": "matheusbsilva137", + "description": "- Remove trailing slashes from Engagement Dashboard API requests;", + "milestone": "4.3.2", + "contributors": [ + "matheusbsilva137" + ] + } + ] } } -} \ No newline at end of file +} diff --git a/.snapcraft/resources/prepareRocketChat b/.snapcraft/resources/prepareRocketChat index b38d0cca300..0821fb342d7 100755 --- a/.snapcraft/resources/prepareRocketChat +++ b/.snapcraft/resources/prepareRocketChat @@ -1,6 +1,6 @@ #!/bin/bash -curl -SLf "https://releases.rocket.chat/4.3.1/download/" -o rocket.chat.tgz +curl -SLf "https://releases.rocket.chat/4.3.2/download/" -o rocket.chat.tgz tar xf rocket.chat.tgz --strip 1 
diff --git a/.snapcraft/snap/snapcraft.yaml b/.snapcraft/snap/snapcraft.yaml index d470a23476a..c9ed86df51f 100644 --- a/.snapcraft/snap/snapcraft.yaml +++ b/.snapcraft/snap/snapcraft.yaml @@ -7,7 +7,7 @@ # 5. `snapcraft snap` name: rocketchat-server -version: 4.3.1 +version: 4.3.2 summary: Rocket.Chat server description: Have your own Slack like online chat, built with Meteor. https://rocket.chat/ confinement: strict diff --git a/HISTORY.md b/HISTORY.md index 993241763ac..b216e12a7d7 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,6 +1,56 @@ +# 4.3.2 +`2022-01-19 ยท 5 ๐Ÿ› ยท 1 ๐Ÿ” ยท 10 ๐Ÿ‘ฉโ€๐Ÿ’ป๐Ÿ‘จโ€๐Ÿ’ป` + +### Engine versions +- Node: `12.22.1` +- NPM: `6.14.1` +- MongoDB: `3.6, 4.0, 4.2, 4.4, 5.0` +- Apps-Engine: `1.29.2` + +### ๐Ÿ› Bug fixes + + +- **ENTERPRISE:** Leading slashes in Engagement Dashboard API requests ([#24142](https://github.com/RocketChat/Rocket.Chat/pull/24142)) + + - Remove trailing slashes from Engagement Dashboard API requests; + +- App Framework Enable hanging indefinitely ([#24158](https://github.com/RocketChat/Rocket.Chat/pull/24158)) + +- CSV Importer failing to import users ([#24090](https://github.com/RocketChat/Rocket.Chat/pull/24090)) + + - Update use of `setRealName` function to `_setRealName`. + +- Integration section crashing opening in My Account ([#24068](https://github.com/RocketChat/Rocket.Chat/pull/24068)) + +- Security Hotfix (https://docs.rocket.chat/guides/security/security-updates) + +
+๐Ÿ” Minor changes + + +- Chore: Update Apps-Engine to 1.29.2 ([#24171](https://github.com/RocketChat/Rocket.Chat/pull/24171)) + +
+ +### ๐Ÿ‘ฉโ€๐Ÿ’ป๐Ÿ‘จโ€๐Ÿ’ป Contributors ๐Ÿ˜ + +- [@gronke](https://github.com/gronke) + +### ๐Ÿ‘ฉโ€๐Ÿ’ป๐Ÿ‘จโ€๐Ÿ’ป Core Team ๐Ÿค“ + +- [@d-gubert](https://github.com/d-gubert) +- [@dougfabris](https://github.com/dougfabris) +- [@gabriellsh](https://github.com/gabriellsh) +- [@geekgonecrazy](https://github.com/geekgonecrazy) +- [@matheusbsilva137](https://github.com/matheusbsilva137) +- [@pierre-lehnen-rc](https://github.com/pierre-lehnen-rc) +- [@sampaiodiego](https://github.com/sampaiodiego) +- [@tassoevan](https://github.com/tassoevan) +- [@yash-rajpal](https://github.com/yash-rajpal) + # 4.3.1 -`2022-01-04 ยท 6 ๐Ÿ› ยท 1 ๐Ÿ” ยท 6 ๐Ÿ‘ฉโ€๐Ÿ’ป๐Ÿ‘จโ€๐Ÿ’ป` +`2022-01-05 ยท 6 ๐Ÿ› ยท 1 ๐Ÿ” ยท 6 ๐Ÿ‘ฉโ€๐Ÿ’ป๐Ÿ‘จโ€๐Ÿ’ป` ### Engine versions - Node: `12.22.1` diff --git a/app/api/server/v1/roles.ts b/app/api/server/v1/roles.ts index f7e68deabce..90c90086996 100644 --- a/app/api/server/v1/roles.ts +++ b/app/api/server/v1/roles.ts @@ -145,6 +145,10 @@ API.v1.addRoute('roles.update', { authRequired: true }, { throw new Meteor.Error('error-invalid-role-properties', 'The role properties are invalid.'); } + if (!await hasPermissionAsync(this.userId, 'access-permissions')) { + throw new Meteor.Error('error-action-not-allowed', 'Accessing permissions is not allowed'); + } + const roleData = { roleId: bodyParams.roleId, name: bodyParams.name, diff --git a/app/api/server/v1/users.js b/app/api/server/v1/users.js index a6c514a7c8e..0ce97ad6dbc 100644 --- a/app/api/server/v1/users.js +++ b/app/api/server/v1/users.js 
@@ -195,6 +195,17 @@ API.v1.addRoute('users.info', { authRequired: true }, { const { username, userId } = this.requestParams(); const { fields } = this.parseJsonQuery(); + check(userId, Match.Maybe(String)); + check(username, Match.Maybe(String)); + + if (userId !== undefined && username !== undefined) { + throw new Meteor.Error('invalid-filter', 'Cannot filter by id and username at once'); + } + + if (!userId && !username) { + throw new Meteor.Error('invalid-filter', 'Must filter by id or username'); + } + const user = getFullUserDataByIdOrUsername({ userId: this.userId, filterId: userId, filterUsername: username }); if (!user) { diff --git a/app/lib/server/functions/getFullUserData.js b/app/lib/server/functions/getFullUserData.js index c12ab44230d..373e5963f17 100644 --- a/app/lib/server/functions/getFullUserData.js +++ b/app/lib/server/functions/getFullUserData.js @@ -75,20 +75,22 @@ const removePasswordInfo = (user) => { delete user.services.email2fa; delete user.services.totp; } + return user; }; export function getFullUserDataByIdOrUsername({ userId, filterId, filterUsername }) { const caller = Users.findOneById(userId, { fields: { username: 1 } }); - const myself = userId === filterId || filterUsername === caller.username; - const canViewAllInfo = myself || hasPermission(userId, 'view-full-other-user-info'); + const targetUser = filterId || filterUsername; + const myself = (filterId && targetUser === userId) || (filterUsername && targetUser === caller.username); + const canViewAllInfo = !!myself || hasPermission(userId, 'view-full-other-user-info'); const fields = getFields(canViewAllInfo); const options = { fields, }; - const user = Users.findOneByIdOrUsername(filterId || filterUsername, options); + const user = Users.findOneByIdOrUsername(targetUser, options); if (!user) { return null; } diff --git a/app/ui-message/client/message.js b/app/ui-message/client/message.js index e8adedbfc36..9d65de6c22f 100644 --- a/app/ui-message/client/message.js 
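Review bot: The exactly-one-filter rule added to `users.info` needs a comment saying why it exists; nothing in the hunk explains it and a later maintainer may relax it. The reason is visible in the sibling hunk: `getFullUserDataByIdOrUsername` resolves the target as `filterId || filterUsername` but decides `myself` (and so full-field access) from whichever filter matches the caller, so a request carrying both could be judged against one value and looked up by the other. Suggest, above the first `if`: `// Accept exactly one filter: the lookup uses filterId || filterUsername, so a mismatched pair must never reach getFullUserDataByIdOrUsername`. Minor: the first test uses `!== undefined` while the second uses `!userId`, so `userId=''` plus a username is rejected as "both supplied" rather than as empty; `if (userId && username)` would make the two checks agree. `check`/`Match` must be in scope in this file, and the route handler continues outside the hunk.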
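Review bot: `myself` is now decided from the filter the caller supplied, but the record is still fetched with `Users.findOneByIdOrUsername(targetUser, options)`, which matches the same string against either `_id` or `username`; the privilege decision and the lookup therefore key on different fields, and a username equal to another account's `_id` (or the reverse) would return that other record with `canViewAllInfo` computed for the caller. Fetch by the field that was actually filtered on, e.g. `const user = filterId ? Users.findOneById(filterId, options) : Users.findOneByUsername(filterUsername, options);` — `findOneById` is already used a few lines up; confirm a username-only finder exists on the model. `caller` is not null-checked before `caller.username` (pre-existing, but `if (!caller) return null;` after the lookup would stop a bogus `userId` from throwing). The function continues past the end of the hunk.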
+++ b/app/ui-message/client/message.js @@ -1,4 +1,5 @@ import _ from 'underscore'; +import dompurify from 'dompurify'; import { Meteor } from 'meteor/meteor'; import { Tracker } from 'meteor/tracker'; import { Template } from 'meteor/templating'; @@ -33,6 +34,7 @@ const renderBody = (msg, settings) => { } else if (messageType.message) { msg.msg = escapeHTML(msg.msg); msg = TAPi18n.__(messageType.message, { ...typeof messageType.data === 'function' && messageType.data(msg) }); + msg = dompurify.sanitize(msg); } else if (msg.u && msg.u.username === settings.Chatops_Username) { msg.html = msg.msg; msg = renderMentions(msg); diff --git a/app/utils/rocketchat.info b/app/utils/rocketchat.info index 13127b0d5d1..cededaf442d 100644 --- a/app/utils/rocketchat.info +++ b/app/utils/rocketchat.info @@ -1,3 +1,3 @@ { - "version": "4.3.1" + "version": "4.3.2" } diff --git a/client/lib/userData.ts b/client/lib/userData.ts index 6904a0f75a3..7228798adcb 100644 --- a/client/lib/userData.ts +++ b/client/lib/userData.ts @@ -58,6 +58,9 @@ export const synchronizeUserData = async (uid: Meteor.User['_id']): Promise { @@ -90,3 +93,5 @@ export const synchronizeUserData = async (uid: Meteor.User['_id']): Promise Meteor.users.remove({}); diff --git a/client/startup/startup.ts b/client/startup/startup.ts index 57b8edc1c37..06f1561ee3b 100644 --- a/client/startup/startup.ts +++ b/client/startup/startup.ts @@ -13,7 +13,7 @@ import { getUserPreference, t } from '../../app/utils/client'; import 'highlight.js/styles/github.css'; import { UserStatus } from '../../definition/UserStatus'; import * as banners from '../lib/banners'; -import { synchronizeUserData } from '../lib/userData'; +import { synchronizeUserData, removeLocalUserData } from '../lib/userData'; import { fireGlobalEvent } from '../lib/utils/fireGlobalEvent'; if (window.DISABLE_ANIMATION) { 
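Review bot: The new `dompurify.sanitize(msg)` call needs a comment saying what it guards against, otherwise it looks redundant next to `escapeHTML(msg.msg)` on the line above and may be removed. `escapeHTML` covers `msg.msg` only; the values that `messageType.data(msg)` interpolates into the translated template are whatever each message type returns and are not escaped here, so the sanitizer is what stops markup in those fields from rendering. Suggest: `// escapeHTML covered msg.msg only; data() fields are interpolated unescaped into the i18n template, so sanitize the rendered result`. DOMPurify's default configuration still admits any safe HTML; if system messages only need inline formatting, a restricted `ALLOWED_TAGS` list would narrow the surface further — I cannot tell from this hunk what markup the templates rely on. `renderBody` and its remaining branches are outside the hunk.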
@@ -39,6 +39,7 @@ Meteor.startup(() => { Tracker.autorun(async () => { const uid = Meteor.userId(); if (!uid) { + removeLocalUserData(); return; } if (!Meteor.status().connected) { diff --git a/package-lock.json b/package-lock.json index 64a5b533db5..641e53feeda 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,6 +1,6 @@ { "name": "Rocket.Chat", - "version": "4.3.1", + "version": "4.3.2", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/package.json b/package.json index 669782e2013..01e69aa1006 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "Rocket.Chat", "description": "The Ultimate Open Source WebChat Platform", - "version": "4.3.1", + "version": "4.3.2", "author": { "name": "Rocket.Chat", "url": "https://rocket.chat/" diff --git a/server/methods/reportMessage.js b/server/methods/reportMessage.js index ea2f42daa1e..92f677de007 100644 --- a/server/methods/reportMessage.js +++ b/server/methods/reportMessage.js @@ -2,7 +2,8 @@ import { Meteor } from 'meteor/meteor'; import { check } from 'meteor/check'; import { Messages } from '../../app/models/server'; -import { Reports } from '../../app/models/server/raw'; +import { Reports, Rooms } from '../../app/models/server/raw'; +import { canAccessRoomAsync } from '../../app/authorization/server/functions/canAccessRoom'; Meteor.methods({ async reportMessage(messageId, description) { 
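Review bot: `removeLocalUserData()` runs on every re-evaluation of the autorun while `uid` is null, and the hunk gives no hint why it is needed, so add a one-line comment: `// no session: purge locally cached user data so the next account on this browser cannot read it`. I am inferring the purpose from the name — the implementation in client/lib/userData.ts is not legible in this patch — so confirm it is idempotent and cheap, since this branch is hit on every reactive tick, not just at logout. The surrounding `Tracker.autorun` callback continues outside the hunk.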
@@ -28,7 +29,17 @@ Meteor.methods({
 });
 }
 
- await Reports.createWithMessageDescriptionAndUserId(message, description, Meteor.userId());
+ const uid = Meteor.userId();
+ const { rid } = message;
+ // If the user can't access the room where the message is, report that the message id is invalid
+ const room = await Rooms.findOneById(rid);
+ if (!room || !await canAccessRoomAsync(room, { _id: uid })) {
+ throw new Meteor.Error('error-invalid-message_id', 'Invalid message id', {
+ method: 'reportMessage',
+ });
+ }
+
+ await Reports.createWithMessageDescriptionAndUserId(message, description, uid);
 return true;
 },
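Review bot: `uid` comes from `Meteor.userId()` and is passed straight into `canAccessRoomAsync(room, { _id: uid })` without a null check; whether an unauthenticated caller is rejected earlier in `reportMessage` is outside the hunk, and if it is not, the access decision is delegated to however `canAccessRoomAsync` treats `_id: null`. Guard it explicitly next to the assignment: `if (!uid) { throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'reportMessage' }); }`. Returning the same `error-invalid-message_id` for a missing room and for a room the caller cannot access is the right call, and the added comment already explains it. The method's opening lines are outside the hunk.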