fix: security hotfix

RocketChat · Sep 20, 2024 · 3f707fb · 3f707fb
1 parent 65d2a45
commit 3f707fb
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 2 deletions.
diff --git a/apps/meteor/app/api/server/v1/rooms.ts b/apps/meteor/app/api/server/v1/rooms.ts
@@ -365,7 +365,12 @@ API.v1.addRoute(
 	{ authRequired: true, validateParams: isRoomsCleanHistoryProps },
 	{
 		async post() {
-			const { _id } = await findRoomByIdOrName({ params: this.bodyParams });
+			const room = await findRoomByIdOrName({ params: this.bodyParams });
+			const { _id } = room;
+
+			if (!room || !(await canAccessRoomAsync(room, { _id: this.userId }))) {
+				return API.v1.failure('User does not have access to the room [error-not-allowed]', 'error-not-allowed');
+			}
 
 			const {
 				latest,

diff --git a/apps/meteor/client/components/message/content/urlPreviews/OEmbedHtmlPreview.tsx b/apps/meteor/client/components/message/content/urlPreviews/OEmbedHtmlPreview.tsx
@@ -1,12 +1,21 @@
 import { Box } from '@rocket.chat/fuselage';
+import DOMPurify from 'dompurify';
 import type { ReactElement } from 'react';
 import React from 'react';
 
 import OEmbedCollapsible from './OEmbedCollapsible';
 import type { OEmbedPreviewMetadata } from './OEmbedPreviewMetadata';
 
+const purifyOptions = {
+	ADD_TAGS: ['iframe'],
+	ADD_ATTR: ['frameborder', 'allow', 'allowfullscreen', 'scrolling', 'src', 'style', 'referrerpolicy'],
+	ALLOW_UNKNOWN_PROTOCOLS: true,
+};
+
 const OEmbedHtmlPreview = ({ html, ...props }: OEmbedPreviewMetadata): ReactElement => (
-	<OEmbedCollapsible {...props}>{html && <Box withRichContent dangerouslySetInnerHTML={{ __html: html }} />}</OEmbedCollapsible>
+	<OEmbedCollapsible {...props}>
+		{html && <Box withRichContent dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html, purifyOptions) }} />}
+	</OEmbedCollapsible>
 );
 
 export default OEmbedHtmlPreview;
diff --git a/apps/meteor/tests/end-to-end/api/rooms.ts b/apps/meteor/tests/end-to-end/api/rooms.ts
@@ -1133,6 +1133,34 @@ describe('[Rooms]', () => {
 				})
 				.end(done);
 		});
+		describe('test user is not part of room', async () => {
+			beforeEach(async () => {
+				await updatePermission('clean-channel-history', ['admin', 'user']);
+			});
+
+			afterEach(async () => {
+				await updatePermission('clean-channel-history', ['admin']);
+			});
+
+			it('should return an error when the user with right privileges is not part of the room', async () => {
+				await request
+					.post(api('rooms.cleanHistory'))
+					.set(userCredentials)
+					.send({
+						roomId: privateChannel._id,
+						latest: '9999-12-31T23:59:59.000Z',
+						oldest: '0001-01-01T00:00:00.000Z',
+						limit: 2000,
+					})
+					.expect('Content-Type', 'application/json')
+					.expect(400)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', false);
+						expect(res.body).to.have.property('errorType', 'error-not-allowed');
+						expect(res.body).to.have.property('error', 'User does not have access to the room [error-not-allowed]');
+					});
+			});
+		});
 	});
 	describe('[/rooms.info]', () => {
 		let testChannel: IRoom;