Bump version to 3.14.2

4 years ago · 6152d44390
parent 6bfd1ac9c9
commit 6152d44390
14 changed files with 95 additions and 18 deletions
--- a/.docker/Dockerfile.rhel
+++ b/.docker/Dockerfile.rhel
@ -1,6 +1,6 @@
 FROM registry.access.redhat.com/ubi8/nodejs-12

-ENV RC_VERSION 3.14.1
+ENV RC_VERSION 3.14.2

 MAINTAINER buildmaster@rocket.chat

--- a/.github/history-manual.json
+++ b/.github/history-manual.json
@ -88,5 +88,14 @@
 			"KevLehman",
 			"renatobecker"
 		]
+	}],
+	"3.14.2": [{
+		"title": "[FIX] Security Hotfix (https://docs.rocket.chat/guides/security/security-updates)",
+		"userLogin": "sampaiodiego",
+		"contributors": [
+			"sampaiodiego",
+			"KevLehman",
+			"g-thome"
+		]
 	}]
 }
--- a/.github/history.json
+++ b/.github/history.json
@ -59612,6 +59612,26 @@
          ]
        }
      ]
+    },
+    "3.14.2": {
+      "node_version": "12.22.1",
+      "npm_version": "6.14.1",
+      "apps_engine_version": "1.25.0",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0"
+      ],
+      "pull_requests": [
+        {
+          "pr": "48",
+          "title": "Update README.md",
+          "userLogin": "hehsiao",
+          "contributors": [
+            "hehsiao"
+          ]
+        }
+      ]
    }
  }
-}
+}
--- a/.snapcraft/resources/prepareRocketChat
+++ b/.snapcraft/resources/prepareRocketChat
@ -1,6 +1,6 @@
 #!/bin/bash

-curl -SLf "https://releases.rocket.chat/3.14.1/download/" -o rocket.chat.tgz
+curl -SLf "https://releases.rocket.chat/3.14.2/download/" -o rocket.chat.tgz

 tar xf rocket.chat.tgz --strip 1

--- a/.snapcraft/snap/snapcraft.yaml
+++ b/.snapcraft/snap/snapcraft.yaml
@ -7,7 +7,7 @@
 # 5.  `snapcraft snap`

 name: rocketchat-server
-version: 3.14.1
+version: 3.14.2
 summary: Rocket.Chat server
 description: Have your own Slack like online chat, built with Meteor. https://rocket.chat/
 confinement: strict
--- a/HISTORY.md
+++ b/HISTORY.md
@ -1,4 +1,36 @@

+# 3.14.2
+`2021-05-25  ·  1 🐛  ·  1 🔍  ·  4 👩‍💻👨‍💻`
+
+### Engine versions
+- Node: `12.22.1`
+- NPM: `6.14.1`
+- MongoDB: `3.4, 3.6, 4.0`
+- Apps-Engine: `1.25.0`
+
+### 🐛 Bug fixes
+
+
+- Security Hotfix (https://docs.rocket.chat/guides/security/security-updates)
+
+<details>
+<summary>🔍 Minor changes</summary>
+
+
+- Update README.md ([#48](https://github.com/RocketChat/Rocket.Chat/pull/48) by [@hehsiao](https://github.com/hehsiao))
+
+</details>
+
+### 👩‍💻👨‍💻 Contributors 😍
+
+- [@hehsiao](https://github.com/hehsiao)
+
+### 👩‍💻👨‍💻 Core Team 🤓
+
+- [@KevLehman](https://github.com/KevLehman)
+- [@g-thome](https://github.com/g-thome)
+- [@sampaiodiego](https://github.com/sampaiodiego)
+
 # 3.14.1
 `2021-05-19  ·  1 🎉  ·  2 🚀  ·  4 🐛  ·  3 🔍  ·  7 👩‍💻👨‍💻`

--- a/app/api/server/lib/cleanQuery.ts
+++ b/app/api/server/lib/cleanQuery.ts
@ -18,7 +18,7 @@ export function clean(v: Query, allowList: string[] = []): Query {
 	if (v instanceof Object) {
 		/* eslint-disable guard-for-in */
 		for (const key in typedParam) {
-			if (/^$/.test(key) && !allowList.includes(key)) {
+			if (key.startsWith('$') && !allowList.includes(key)) {
 				delete typedParam[key];
 			} else {
 				clean(typedParam[key], allowList);
--- a/app/lib/server/functions/createRoom.js
+++ b/app/lib/server/functions/createRoom.js
@ -51,6 +51,7 @@ export const createRoom = function(type, name, owner, members = [], readOnly, {
 	}

 	let room = {
+		...extraData,
 		name: getValidRoomName(name, null, validRoomNameOptions),
 		fname: name,
 		t: type,
@ -60,7 +61,6 @@ export const createRoom = function(type, name, owner, members = [], readOnly, {
 			_id: owner._id,
 			username: owner.username,
 		},
-		...extraData,
 		ts: now,
 		ro: readOnly === true,
 	};
--- a/app/user-data-download/server/cronProcessDownloads.js
+++ b/app/user-data-download/server/cronProcessDownloads.js
@ -7,6 +7,7 @@ import { TAPi18n } from 'meteor/rocketchat:tap-i18n';
 import { SyncedCron } from 'meteor/littledata:synced-cron';
 import archiver from 'archiver';
 import moment from 'moment';
+import { v4 as uuidv4 } from 'uuid';

 import { settings } from '../../settings/server';
 import { Subscriptions, Rooms, Users, Uploads, Messages, UserDataFiles, ExportOperations, Avatars } from '../../models/server';
@ -504,12 +505,14 @@ const continueExportOperation = async function(exportOperation) {
 			}
 		}

+		const generatedFileName = uuidv4();
+
 		if (exportOperation.status === 'downloading') {
 			exportOperation.fileList.forEach((attachmentData) => {
 				copyFile(attachmentData, exportOperation.assetsPath);
 			});

-			const targetFile = joinPath(zipFolder, `${ exportOperation.userId }.zip`);
+			const targetFile = joinPath(zipFolder, `${ generatedFileName }.zip`);
 			if (await fsExists(targetFile)) {
 				await fsUnlink(targetFile);
 			}
@ -520,7 +523,7 @@ const continueExportOperation = async function(exportOperation) {
 		if (exportOperation.status === 'compressing') {
 			createDir(zipFolder);

-			exportOperation.generatedFile = joinPath(zipFolder, `${ exportOperation.userId }.zip`);
+			exportOperation.generatedFile = joinPath(zipFolder, `${ generatedFileName }.zip`);
 			if (!await fsExists(exportOperation.generatedFile)) {
 				await makeZipFile(exportOperation.exportPath, exportOperation.generatedFile);
 			}
--- a/app/utils/lib/getValidRoomName.js
+++ b/app/utils/lib/getValidRoomName.js
@ -4,22 +4,24 @@ import limax from 'limax';
 import { settings } from '../../settings';
 import { Rooms } from '../../models';
 import { validateName } from '../../lib/server/functions/validateName';
+import { escapeHTML } from '../../../lib/escapeHTML';

 export const getValidRoomName = (displayName, rid = '', options = {}) => {
 	let slugifiedName = displayName;

 	if (settings.get('UI_Allow_room_names_with_special_chars')) {
+		const cleanName = limax(displayName);
 		if (options.allowDuplicates !== true) {
 			const room = Rooms.findOneByDisplayName(displayName);
 			if (room && room._id !== rid) {
 				if (room.archived) {
-					throw new Meteor.Error('error-archived-duplicate-name', `There's an archived channel with name ${ displayName }`, { function: 'RocketChat.getValidRoomName', channel_name: displayName });
+					throw new Meteor.Error('error-archived-duplicate-name', `There's an archived channel with name ${ cleanName }`, { function: 'RocketChat.getValidRoomName', channel_name: cleanName });
 				} else {
-					throw new Meteor.Error('error-duplicate-channel-name', `A channel with name '${ displayName }' exists`, { function: 'RocketChat.getValidRoomName', channel_name: displayName });
+					throw new Meteor.Error('error-duplicate-channel-name', `A channel with name '${ cleanName }' exists`, { function: 'RocketChat.getValidRoomName', channel_name: cleanName });
 				}
 			}
 		}
-		slugifiedName = limax(displayName);
+		slugifiedName = cleanName;
 	}

 	let nameValidation;
@ -35,9 +37,9 @@ export const getValidRoomName = (displayName, rid = '', options = {}) => {
 	}

 	if (!nameValidation.test(slugifiedName) || !validateName(slugifiedName)) {
-		throw new Meteor.Error('error-invalid-room-name', `${ slugifiedName } is not a valid room name.`, {
+		throw new Meteor.Error('error-invalid-room-name', `${ escapeHTML(slugifiedName) } is not a valid room name.`, {
 			function: 'RocketChat.getValidRoomName',
-			channel_name: slugifiedName,
+			channel_name: escapeHTML(slugifiedName),
 		});
 	}

@ -52,9 +54,9 @@ export const getValidRoomName = (displayName, rid = '', options = {}) => {
 				}
 				slugifiedName = tmpName;
 			} else if (room.archived) {
-				throw new Meteor.Error('error-archived-duplicate-name', `There's an archived channel with name ${ slugifiedName }`, { function: 'RocketChat.getValidRoomName', channel_name: slugifiedName });
+				throw new Meteor.Error('error-archived-duplicate-name', `There's an archived channel with name ${ escapeHTML(slugifiedName) }`, { function: 'RocketChat.getValidRoomName', channel_name: escapeHTML(slugifiedName) });
 			} else {
-				throw new Meteor.Error('error-duplicate-channel-name', `A channel with name '${ slugifiedName }' exists`, { function: 'RocketChat.getValidRoomName', channel_name: slugifiedName });
+				throw new Meteor.Error('error-duplicate-channel-name', `A channel with name '${ escapeHTML(slugifiedName) }' exists`, { function: 'RocketChat.getValidRoomName', channel_name: escapeHTML(slugifiedName) });
 			}
 		}
 	}
--- a/app/utils/rocketchat.info
+++ b/app/utils/rocketchat.info
@ -1,3 +1,3 @@
 {
-	"version": "3.14.1"
+	"version": "3.14.2"
 }
--- a/package-lock.json
+++ b/package-lock.json
@ -1,6 +1,6 @@
 {
  "name": "Rocket.Chat",
-  "version": "3.14.1",
+  "version": "3.14.2",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
--- a/package.json
+++ b/package.json
@ -1,7 +1,7 @@
 {
 	"name": "Rocket.Chat",
 	"description": "The Ultimate Open Source WebChat Platform",
-	"version": "3.14.1",
+	"version": "3.14.2",
 	"author": {
 		"name": "Rocket.Chat",
 		"url": "https://rocket.chat/"
--- a/packages/meteor-jalik-ufs/ufs-methods.js
+++ b/packages/meteor-jalik-ufs/ufs-methods.js
@ -221,6 +221,17 @@ if (Meteor.isServer) {
 				throw new Meteor.Error('invalid-store', 'The store does not exist');
 			}

+			let parsedUrl;
+			try {
+				parsedUrl = new URL(url);
+			} catch (e) {
+				throw new Meteor.Error('invalid-url', 'The url is not valid');
+			}
+
+			if (['localhost', '127.0.0.1', '0.0.0.0'].includes(parsedUrl.hostname)) {
+				throw new Meteor.Error('invalid-url', 'URL cannot reference localhost');
+			}
+
 			// Extract file info
 			if (!file.name) {
 				file.name = url.replace(/\?.*$/, '').split('/').pop();