docs: add changeset

RocketChat · Sep 21, 2024 · c162dca · c162dca
1 parent 3f707fb
commit c162dca
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 3 deletions.
diff --git a/.changeset/little-bottles-peel.md b/.changeset/little-bottles-peel.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
diff --git a/apps/meteor/app/api/server/v1/rooms.ts b/apps/meteor/app/api/server/v1/rooms.ts
@@ -40,7 +40,7 @@ import {
 	findRoomsAvailableForTeams,
 } from '../lib/rooms';
 
-async function findRoomByIdOrName({
+export async function findRoomByIdOrName({
 	params,
 	checkedArchived = true,
 }: {

diff --git a/apps/meteor/app/lib/server/methods/cleanRoomHistory.ts b/apps/meteor/app/lib/server/methods/cleanRoomHistory.ts
@@ -2,6 +2,8 @@ import type { ServerMethods } from '@rocket.chat/ddp-client';
 import { Match, check } from 'meteor/check';
 import { Meteor } from 'meteor/meteor';
 
+import { findRoomByIdOrName } from '../../../api/server/v1/rooms';
+import { canAccessRoomAsync } from '../../../authorization/server';
 import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { cleanRoomHistory } from '../functions/cleanRoomHistory';
 
@@ -56,6 +58,12 @@ Meteor.methods<ServerMethods>({
 			throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'cleanRoomHistory' });
 		}
 
+		const room = await findRoomByIdOrName({ params: { roomId } });
+
+		if (!room || !(await canAccessRoomAsync(room, { _id: userId }))) {
+			throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'cleanRoomHistory' });
+		}
+
 		return cleanRoomHistory({
 			rid: roomId,
 			latest,

diff --git a/apps/meteor/tests/end-to-end/api/methods.ts b/apps/meteor/tests/end-to-end/api/methods.ts
@@ -616,9 +616,19 @@ describe('Meteor.methods', () => {
 
 	describe('[@cleanRoomHistory]', () => {
 		let rid: IRoom['_id'];
-
+		let testUser: IUser;
+		let testUserCredentials: Credentials;
 		let channelName: string;
 
+		before('update permissions', async () => {
+			await updatePermission('clean-channel-history', ['admin', 'user']);
+		});
+
+		before('create test user', async () => {
+			testUser = await createUser();
+			testUserCredentials = await login(testUser.username, password);
+		});
+
 		before('create room', (done) => {
 			channelName = `methods-test-channel-${Date.now()}`;
 			void request
@@ -676,7 +686,36 @@ describe('Meteor.methods', () => {
 				.end(done);
 		});
 
-		after(() => deleteRoom({ type: 'p', roomId: rid }));
+		after(() =>
+			Promise.all([deleteRoom({ type: 'p', roomId: rid }), deleteUser(testUser), updatePermission('clean-channel-history', ['admin'])]),
+		);
+
+		it('should throw an error if user is not part of the room', async () => {
+			await request
+				.post(methodCall('cleanRoomHistory'))
+				.set(testUserCredentials)
+				.send({
+					message: JSON.stringify({
+						method: 'cleanRoomHistory',
+						params: [
+							{
+								roomId: rid,
+								oldest: { $date: new Date().getTime() },
+								latest: { $date: new Date().getTime() },
+							},
+						],
+						id: 'id',
+						msg: 'method',
+					}),
+				})
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.a.property('success', true);
+					const data = JSON.parse(res.body.message);
+					expect(data).to.have.a.property('error').that.is.an('object');
+					expect(data.error).to.have.a.property('error', 'error-not-allowed');
+				});
+		});
 
 		it('should not change the _updatedAt value when nothing is changed on the room', async () => {
 			const roomBefore = await request.get(api('groups.info')).set(credentials).query({