From ef0fd4b4a16d6bd423e9710bb61b086bc518b27b Mon Sep 17 00:00:00 2001
From: Tiago Evangelista Pinto
Date: Mon, 13 Feb 2023 23:30:49 -0300
Subject: [PATCH] [FIX] NoSQL injection in listEmojiCustom Meteor method (#643)
---
 .../server/methods/listEmojiCustom.js | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/apps/meteor/app/emoji-custom/server/methods/listEmojiCustom.js b/apps/meteor/app/emoji-custom/server/methods/listEmojiCustom.js
index a4fd124abe91..b553e5b398e4 100644
--- a/apps/meteor/app/emoji-custom/server/methods/listEmojiCustom.js
+++ b/apps/meteor/app/emoji-custom/server/methods/listEmojiCustom.js
@@ -1,8 +1,30 @@
 import { Meteor } from 'meteor/meteor';
 import { EmojiCustom } from '@rocket.chat/models';
+import { check, Match } from 'meteor/check';
+
+import { methodDeprecationLogger } from '../../../lib/server/lib/deprecationWarningLogger';
+
+/**
+ * @deprecated Will be removed in future versions.
+ */
 Meteor.methods({
 async listEmojiCustom(options = {}) {
+ methodDeprecationLogger.warn('listEmojiCustom will be removed in future versions of Rocket.Chat');
+
+ const user = Meteor.user();
+
+ if (!user) {
+ throw new Meteor.Error('error-invalid-user', 'Invalid user', {
+ method: 'listEmojiCustom',
+ });
+ }
+
+ check(options, {
+ name: Match.Optional(String),
+ aliases: Match.Optional([String]),
+ });
+
 return EmojiCustom.find(options).toArray();
 },
 });
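Review bot: The validated `options` object is still passed whole to `EmojiCustom.find(options)`, so the fix depends entirely on the `check` object pattern rejecting unknown keys and non-string values, and nothing in the hunk says so. A comment above the `check` call, for example `// Strict pattern: only plain-string name/aliases may reach the query; do not relax to Match.ObjectIncluding`, would keep a later edit from reopening operator injection. Building the filter from the two validated fields rather than forwarding `options` would make the query shape independent of the pattern. Separately, the guard only needs to know that a session exists, so `Meteor.userId()` would avoid loading the full user document, assuming nothing else in the method needs it.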