Merge tag '3.8.8' into merge/3.8.8

.docker/Dockerfile.rhel

@@ -1,6 +1,6 @@
 FROM registry.access.redhat.com/rhscl/nodejs-8-rhel7
 
-ENV RC_VERSION 3.8.5
+ENV RC_VERSION 3.8.8
 
 MAINTAINER [email protected]
 

.github/history-manual.json

@@ -42,5 +42,12 @@
 		"contributors": [
 			"sampaiodiego"
 		]
+	}],
+	"3.8.6": [{
+		"title": "[FIX] Security Hotfix",
+		"userLogin": "sampaiodiego",
+		"contributors": [
+			"sampaiodiego"
+		]
 	}]
 }

.github/history.json

@@ -51859,6 +51859,39 @@
           ]
         }
       ]
+    },
+    "3.8.6": {
+      "node_version": "12.18.4",
+      "npm_version": "6.14.8",
+      "apps_engine_version": "1.19.0",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0"
+      ],
+      "pull_requests": []
+    },
+    "3.8.7": {
+      "node_version": "12.18.4",
+      "npm_version": "6.14.8",
+      "apps_engine_version": "1.19.0",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0"
+      ],
+      "pull_requests": []
+    },
+    "3.8.8": {
+      "node_version": "12.18.4",
+      "npm_version": "6.14.8",
+      "apps_engine_version": "1.19.0",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0"
+      ],
+      "pull_requests": []
     }
   }
 }

.snapcraft/resources/prepareRocketChat

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-curl -SLf "https://releases.rocket.chat/3.8.5/download/" -o rocket.chat.tgz
+curl -SLf "https://releases.rocket.chat/3.8.8/download/" -o rocket.chat.tgz
 
 tar xf rocket.chat.tgz --strip 1
 

.snapcraft/snap/snapcraft.yaml

@@ -7,7 +7,7 @@
 # 5.  `snapcraft snap`
 
 name: rocketchat-server
-version: 3.8.5
+version: 3.8.8
 summary: Rocket.Chat server
 description: Have your own Slack like online chat, built with Meteor. https://rocket.chat/
 confinement: strict

app/api/server/v1/invites.js

@@ -1,5 +1,3 @@
-import { Meteor } from 'meteor/meteor';
-
 import { API } from '../api';
 import { findOrCreateInvite } from '../../../invites/server/functions/findOrCreateInvite';
 import { removeInvite } from '../../../invites/server/functions/removeInvite';
@@ -46,10 +44,6 @@ API.v1.addRoute('validateInviteToken', { authRequired: false }, {
 	post() {
 		const { token } = this.bodyParams;
 
-		if (!token) {
-			throw new Meteor.Error('error-invalid-token', 'The invite token is invalid.', { method: 'validateInviteToken', field: 'token' });
-		}
-
 		let valid = true;
 		try {
 			validateInviteToken(token);

app/invites/server/functions/validateInviteToken.js

@@ -3,7 +3,7 @@ import { Meteor } from 'meteor/meteor';
 import { Invites, Rooms } from '../../../models';
 
 export const validateInviteToken = (token) => {
-	if (!token) {
+	if (!token || typeof token !== 'string') {
 		throw new Meteor.Error('error-invalid-token', 'The invite token is invalid.', { method: 'validateInviteToken', field: 'token' });
 	}
 

app/lib/server/methods/getFullUserData.js

@@ -4,7 +4,14 @@ import { getFullUserData } from '../functions';
 
 Meteor.methods({
 	getFullUserData({ filter = '', username = '', limit = 1 }) {
+		console.warn('Method "getFullUserData" is deprecated and will be removed after v4.0.0');
+
+		if (!Meteor.userId()) {
+			throw new Meteor.Error('not-authorized');
+		}
+
 		const result = getFullUserData({ userId: Meteor.userId(), filter: filter || username, limit });
+
 		return result && result.fetch();
 	},
 });

app/lib/server/methods/getServerInfo.js

@@ -4,6 +4,11 @@ import { Info } from '../../../utils';
 
 Meteor.methods({
 	getServerInfo() {
+		if (!Meteor.userId()) {
+			console.warning('Method "getServerInfo" is deprecated and will be removed after v4.0.0');
+			throw new Meteor.Error('not-authorized');
+		}
+
 		return Info;
 	},
 });

app/livechat/server/methods/loadHistory.js

@@ -5,6 +5,10 @@ import { LivechatVisitors } from '../../../models';
 
 Meteor.methods({
 	'livechat:loadHistory'({ token, rid, end, limit = 20, ls }) {
+		if (!token || typeof token !== 'string') {
+			return;
+		}
+
 		const visitor = LivechatVisitors.getVisitorByToken(token, { fields: { _id: 1 } });
 
 		if (!visitor) {

app/livechat/server/methods/saveOfficeHours.js

@@ -1,10 +1,16 @@
 import { Meteor } from 'meteor/meteor';
 
+import { hasPermission } from '../../../authorization';
 import { LivechatBusinessHours } from '../../../models/server/raw';
 
 Meteor.methods({
 	'livechat:saveOfficeHours'(day, start, finish, open) {
-		console.log('Method "livechat:saveOfficeHour" is deprecated and will be removed after v4.0.0');
+		console.warn('Method "livechat:saveOfficeHour" is deprecated and will be removed after v4.0.0');
+
+		if (!Meteor.userId() || !hasPermission(Meteor.userId(), 'view-livechat-business-hours')) {
+			throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'livechat:saveOfficeHours' });
+		}
+
 		LivechatBusinessHours.updateDayOfGlobalBusinessHour({
 			day,
 			start,

app/markdown/lib/parser/marked/marked.js

@@ -2,6 +2,7 @@ import { Random } from 'meteor/random';
 import _ from 'underscore';
 import s from 'underscore.string';
 import _marked from 'marked';
+import dompurify from 'dompurify';
 
 import hljs from '../../hljs';
 import { settings } from '../../../../settings';
@@ -111,5 +112,7 @@ export const marked = (message) => {
 		highlight,
 	});
 
+	msg.html = dompurify.sanitize(msg.html);
+
 	return msg;
 };

app/markdown/lib/parser/original/markdown.js

@@ -19,7 +19,17 @@ const addAsToken = function(message, html) {
 
 const URL = global.URL || require('url').URL || require('url').Url;
 
-const validateUrl = (url) => {
+const validateUrl = (url, message) => {
+	// Don't render markdown inside links
+	if (message && message.tokens && message.tokens.some((token) => url.includes(token.token))) {
+		return false;
+	}
+
+	// Valid urls don't contain whitespaces
+	if (/\s/.test(url.trim())) {
+		return false;
+	}
+
 	try {
 		new URL(url);
 		return true;
@@ -76,36 +86,37 @@ const parseNotEscaped = function(msg, message) {
 
 	// Support ![alt text](http://image url)
 	msg = msg.replace(new RegExp(`!\\[([^\\]]+)\\]\\(((?:${ schemes }):\\/\\/[^\\s]+)\\)`, 'gm'), (match, title, url) => {
-		if (!validateUrl(url)) {
+		if (!validateUrl(url, message)) {
 			return match;
 		}
+		url = encodeURI(url);
+
 		const target = url.indexOf(Meteor.absoluteUrl()) === 0 ? '' : '_blank';
 		return addAsToken(message, `<a href="${ url }" title="${ title }" target="${ target }" rel="noopener noreferrer"><div class="inline-image" style="background-image: url(${ url });"></div></a>`);
 	});
 
 	// Support [Text](http://link)
 	msg = msg.replace(new RegExp(`\\[([^\\]]+)\\]\\(((?:${ schemes }):\\/\\/[^\\s]+)\\)`, 'gm'), (match, title, url) => {
-		if (!validateUrl(url)) {
+		if (!validateUrl(url, message)) {
 			return match;
 		}
 		const target = url.indexOf(Meteor.absoluteUrl()) === 0 ? '' : '_blank';
 		title = title.replace(/&amp;/g, '&');
 
-		let escapedUrl = url;
-		escapedUrl = escapedUrl.replace(/&amp;/g, '&');
+		const escapedUrl = encodeURI(url);
 
 		return addAsToken(message, `<a href="${ escapedUrl }" target="${ target }" rel="noopener noreferrer">${ title }</a>`);
 	});
 
 	// Support <http://link|Text>
-	msg = msg.replace(new RegExp(`(?:<|&lt;)((?:${ schemes }):\\/\\/[^\\|]+)\\|(.+?)(?=>|&gt;)(?:>|&gt;)`, 'gm'), (match, url, title) => {
-		if (!validateUrl(url)) {
+	msg = msg.replace(new RegExp(`(?:<|&lt;)((?:${ schemes }):\\\/\\\/[^\\|]+)\\|(.+?)(?=>|&gt;)(?:>|&gt;)`, 'gm'), (match, url, title) => {
+		if (!validateUrl(url, message)) {
 			return match;
 		}
+		url = encodeURI(url);
 		const target = url.indexOf(Meteor.absoluteUrl()) === 0 ? '' : '_blank';
 		return addAsToken(message, `<a href="${ url }" target="${ target }" rel="noopener noreferrer">${ title }</a>`);
 	});
-
 	return msg;
 };
 

app/markdown/tests/client.tests.js

@@ -173,7 +173,7 @@ const link = {
 	'<http://invalid link|Text>': s.escapeHTML('<http://invalid link|Text>'),
 	'<http://link|Text>': linkWrapped('http://link', 'Text'),
 	'<https://open.rocket.chat/|Open Site For Rocket.Chat>': linkWrapped('https://open.rocket.chat/', 'Open Site For Rocket.Chat'),
-	'<https://open.rocket.chat/ | Open Site For Rocket.Chat>': linkWrapped('https://open.rocket.chat/ ', ' Open Site For Rocket.Chat'),
+	'<https://open.rocket.chat/ | Open Site For Rocket.Chat>': linkWrapped(encodeURI('https://open.rocket.chat/ '), ' Open Site For Rocket.Chat'),
 	'<https://rocket.chat/|Rocket.Chat Site>': linkWrapped('https://rocket.chat/', 'Rocket.Chat Site'),
 	'<https://rocket.chat/docs/developer-guides/testing/#testing|Testing Entry on Rocket.Chat Docs Site>': linkWrapped('https://rocket.chat/docs/developer-guides/testing/#testing', 'Testing Entry on Rocket.Chat Docs Site'),
 	'<http://linkText>': s.escapeHTML('<http://linkText>'),
@@ -200,7 +200,7 @@ const link = {
 	'[Rocket.Chat Site](tps://rocket.chat/)': '[Rocket.Chat Site](tps://rocket.chat/)',
 	'[Open Site For Rocket.Chat](open.rocket.chat/)': '[Open Site For Rocket.Chat](open.rocket.chat/)',
 	'[Testing Entry on Rocket.Chat Docs Site](htts://rocket.chat/docs/developer-guides/testing/#testing)': '[Testing Entry on Rocket.Chat Docs Site](htts://rocket.chat/docs/developer-guides/testing/#testing)',
-	'[Text](http://link?param1=1&param2=2)': linkWrapped('http://link?param1=1&param2=2', 'Text'),
+	'[Text](http://link?param1=1&param2=2)': linkWrapped('http://link?param1=1&amp;param2=2', 'Text'),
 	'[Testing Double parentheses](https://en.wikipedia.org/wiki/Disambiguation_(disambiguation))': linkWrapped('https://en.wikipedia.org/wiki/Disambiguation_(disambiguation)', 'Testing Double parentheses'),
 	'[Testing data after Double parentheses](https://en.wikipedia.org/wiki/Disambiguation_(disambiguation)/blabla/bla)': linkWrapped('https://en.wikipedia.org/wiki/Disambiguation_(disambiguation)/blabla/bla', 'Testing data after Double parentheses'),
 };

app/message-mark-as-unread/server/unreadMessages.js

@@ -12,7 +12,7 @@ Meteor.methods({
 			});
 		}
 
-		if (room) {
+		if (room && typeof room === 'string') {
 			const lastMessage = Messages.findVisibleByRoomId(room, { limit: 1, sort: { ts: -1 } }).fetch()[0];
 
 			if (lastMessage == null) {
@@ -25,6 +25,13 @@ Meteor.methods({
 			return Subscriptions.setAsUnreadByRoomIdAndUserId(lastMessage.rid, userId, lastMessage.ts);
 		}
 
+		if (typeof firstUnreadMessage?._id !== 'string') {
+			throw new Meteor.Error('error-action-not-allowed', 'Not allowed', {
+				method: 'unreadMessages',
+				action: 'Unread_messages',
+			});
+		}
+
 		const originalMessage = Messages.findOneById(firstUnreadMessage._id, {
 			fields: {
 				u: 1,

app/message-pin/client/pinMessage.js

@@ -19,9 +19,14 @@ Meteor.methods({
 			toastr.error(TAPi18n.__('error-pinning-message'));
 			return false;
 		}
+		if (typeof message._id !== 'string') {
+			toastr.error(TAPi18n.__('error-pinning-message'));
+			return false;
+		}
 		toastr.success(TAPi18n.__('Message_has_been_pinned'));
 		return ChatMessage.update({
 			_id: message._id,
+			rid: message.rid,
 		}, {
 			$set: {
 				pinned: true,
@@ -41,9 +46,14 @@ Meteor.methods({
 			toastr.error(TAPi18n.__('error-unpinning-message'));
 			return false;
 		}
+		if (typeof message._id !== 'string') {
+			toastr.error(TAPi18n.__('error-unpinning-message'));
+			return false;
+		}
 		toastr.success(TAPi18n.__('Message_has_been_unpinned'));
 		return ChatMessage.update({
 			_id: message._id,
+			rid: message.rid,
 		}, {
 			$set: {
 				pinned: false,