[FIX] NoSQL injection in listEmojiCustom Meteor method (#643)

RocketChat · Feb 14, 2023 · ef0fd4b · ef0fd4b
1 parent 31f0e01
commit ef0fd4b
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/apps/meteor/app/emoji-custom/server/methods/listEmojiCustom.js b/apps/meteor/app/emoji-custom/server/methods/listEmojiCustom.js
@@ -1,8 +1,30 @@
 import { Meteor } from 'meteor/meteor';
 import { EmojiCustom } from '@rocket.chat/models';
+import { check, Match } from 'meteor/check';
+
+import { methodDeprecationLogger } from '../../../lib/server/lib/deprecationWarningLogger';
+
+/**
+ * @deprecated Will be removed in future versions.
+ */
 
 Meteor.methods({
 	async listEmojiCustom(options = {}) {
+		methodDeprecationLogger.warn('listEmojiCustom will be removed in future versions of Rocket.Chat');
+
+		const user = Meteor.user();
+
+		if (!user) {
+			throw new Meteor.Error('error-invalid-user', 'Invalid user', {
+				method: 'listEmojiCustom',
+			});
+		}
+
+		check(options, {
+			name: Match.Optional(String),
+			aliases: Match.Optional([String]),
+		});
+
 		return EmojiCustom.find(options).toArray();
 	},
 });