diff --git a/.docker/Dockerfile.rhel b/.docker/Dockerfile.rhel
index fdfe6ddb403b..a21c1a283cb8 100644
--- a/.docker/Dockerfile.rhel
+++ b/.docker/Dockerfile.rhel
@@ -1,6 +1,6 @@
FROM registry.access.redhat.com/rhscl/nodejs-8-rhel7
-ENV RC_VERSION 3.8.5
+ENV RC_VERSION 3.8.8
MAINTAINER buildmaster@rocket.chat
diff --git a/.github/history-manual.json b/.github/history-manual.json
index 0bc1165af8f8..0ac6c0368f7b 100644
--- a/.github/history-manual.json
+++ b/.github/history-manual.json
@@ -42,5 +42,12 @@
"contributors": [
"sampaiodiego"
]
+ }],
+ "3.8.6": [{
+ "title": "[FIX] Security Hotfix",
+ "userLogin": "sampaiodiego",
+ "contributors": [
+ "sampaiodiego"
+ ]
}]
}
diff --git a/.github/history.json b/.github/history.json
index 8e039d8f7f93..162cfce09230 100644
--- a/.github/history.json
+++ b/.github/history.json
@@ -51859,6 +51859,39 @@
]
}
]
+ },
+ "3.8.6": {
+ "node_version": "12.18.4",
+ "npm_version": "6.14.8",
+ "apps_engine_version": "1.19.0",
+ "mongo_versions": [
+ "3.4",
+ "3.6",
+ "4.0"
+ ],
+ "pull_requests": []
+ },
+ "3.8.7": {
+ "node_version": "12.18.4",
+ "npm_version": "6.14.8",
+ "apps_engine_version": "1.19.0",
+ "mongo_versions": [
+ "3.4",
+ "3.6",
+ "4.0"
+ ],
+ "pull_requests": []
+ },
+ "3.8.8": {
+ "node_version": "12.18.4",
+ "npm_version": "6.14.8",
+ "apps_engine_version": "1.19.0",
+ "mongo_versions": [
+ "3.4",
+ "3.6",
+ "4.0"
+ ],
+ "pull_requests": []
}
}
}
\ No newline at end of file
diff --git a/.snapcraft/resources/prepareRocketChat b/.snapcraft/resources/prepareRocketChat
index 3d6ace38de16..d7fcc7db67d3 100755
--- a/.snapcraft/resources/prepareRocketChat
+++ b/.snapcraft/resources/prepareRocketChat
@@ -1,6 +1,6 @@
#!/bin/bash
-curl -SLf "https://releases.rocket.chat/3.8.5/download/" -o rocket.chat.tgz
+curl -SLf "https://releases.rocket.chat/3.8.8/download/" -o rocket.chat.tgz
tar xf rocket.chat.tgz --strip 1
diff --git a/.snapcraft/snap/snapcraft.yaml b/.snapcraft/snap/snapcraft.yaml
index 1c0dfc0a1e1b..0ff0a528efad 100644
--- a/.snapcraft/snap/snapcraft.yaml
+++ b/.snapcraft/snap/snapcraft.yaml
@@ -7,7 +7,7 @@
# 5. `snapcraft snap`
name: rocketchat-server
-version: 3.8.5
+version: 3.8.8
summary: Rocket.Chat server
description: Have your own Slack like online chat, built with Meteor. https://rocket.chat/
confinement: strict
diff --git a/HISTORY.md b/HISTORY.md
index 52ed08fc8288..296e3d998dee 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,4 +1,22 @@
+# 3.8.6
+`2021-01-26 Β· 1 π Β· 1 π©βπ»π¨βπ»`
+
+### Engine versions
+- Node: `12.18.4`
+- NPM: `6.14.8`
+- MongoDB: `3.4, 3.6, 4.0`
+- Apps-Engine: `1.19.0`
+
+### π Bug fixes
+
+
+- Security Hotfix
+
+### π©βπ»π¨βπ» Core Team π€
+
+- [@sampaiodiego](https://github.com/sampaiodiego)
+
# 3.8.5
`2020-12-31 Β· 1 π Β· 1 π©βπ»π¨βπ»`
@@ -1544,7 +1562,7 @@
- **API:** Endpoint `settings.addCustomOAuth` to create Custom OAuth services ([#14912](https://github.com/RocketChat/Rocket.Chat/pull/14912) by [@g-rauhoeft](https://github.com/g-rauhoeft))
-- **API:** New endpoints to manage User Custom Status `custom-user-status.create`, custom-user-status.delete` and `custom-user-status.update` ([#16550](https://github.com/RocketChat/Rocket.Chat/pull/16550))
+- **API:** New endpoints to manage User Custom Status `custom-user-status.create`, custom-user-status.delete` and `custom-user-status.update` ([#16550](https://github.com/RocketChat/Rocket.Chat/pull/16550) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- **ENTERPRISE:** Download engagement data ([#17920](https://github.com/RocketChat/Rocket.Chat/pull/17920))
@@ -1562,7 +1580,7 @@
- Blocked Media Types setting ([#17617](https://github.com/RocketChat/Rocket.Chat/pull/17617))
-- Highlight matching words in message search results ([#16166](https://github.com/RocketChat/Rocket.Chat/pull/16166))
+- Highlight matching words in message search results ([#16166](https://github.com/RocketChat/Rocket.Chat/pull/16166) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Make ldap avatar source field customizable ([#12958](https://github.com/RocketChat/Rocket.Chat/pull/12958) by [@alexbartsch](https://github.com/alexbartsch))
@@ -1666,7 +1684,7 @@
- Missing i18n key for setting: Verify Email for External Accounts ([#18002](https://github.com/RocketChat/Rocket.Chat/pull/18002))
-- Missing pinned icon indicator for messages pinned ([#16448](https://github.com/RocketChat/Rocket.Chat/pull/16448))
+- Missing pinned icon indicator for messages pinned ([#16448](https://github.com/RocketChat/Rocket.Chat/pull/16448) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Missing User when forwarding Omnichannel conversations via Apps-Engine ([#17918](https://github.com/RocketChat/Rocket.Chat/pull/17918))
@@ -1674,7 +1692,7 @@
- No rotate option, to prevent image quality loss ([#15196](https://github.com/RocketChat/Rocket.Chat/pull/15196) by [@stleitner](https://github.com/stleitner))
-- No Way to Display Password Policy on Password Reset Screen ([#16400](https://github.com/RocketChat/Rocket.Chat/pull/16400))
+- No Way to Display Password Policy on Password Reset Screen ([#16400](https://github.com/RocketChat/Rocket.Chat/pull/16400) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Not possible to translate the label of custom fields in user's Info ([#15595](https://github.com/RocketChat/Rocket.Chat/pull/15595) by [@antkaz](https://github.com/antkaz))
@@ -1700,7 +1718,7 @@
- Update AmazonS3 file upload with error handling and sync operation ([#10372](https://github.com/RocketChat/Rocket.Chat/pull/10372) by [@madhavmalhotra3089](https://github.com/madhavmalhotra3089))
-- User can resend email verification if email is invalid or is empty ([#16095](https://github.com/RocketChat/Rocket.Chat/pull/16095))
+- User can resend email verification if email is invalid or is empty ([#16095](https://github.com/RocketChat/Rocket.Chat/pull/16095) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- User is prompted to reset their password when logging with OAuth ([#18001](https://github.com/RocketChat/Rocket.Chat/pull/18001))
@@ -1836,6 +1854,7 @@
- [@Siedlerchr](https://github.com/Siedlerchr)
- [@alexbartsch](https://github.com/alexbartsch)
- [@antkaz](https://github.com/antkaz)
+- [@ashwaniYDV](https://github.com/ashwaniYDV)
- [@aviral243](https://github.com/aviral243)
- [@bhardwajaditya](https://github.com/bhardwajaditya)
- [@c0dzilla](https://github.com/c0dzilla)
@@ -1867,7 +1886,6 @@
- [@MartinSchoeler](https://github.com/MartinSchoeler)
- [@Sing-Li](https://github.com/Sing-Li)
- [@alansikora](https://github.com/alansikora)
-- [@ashwaniYDV](https://github.com/ashwaniYDV)
- [@d-gubert](https://github.com/d-gubert)
- [@engelgabriel](https://github.com/engelgabriel)
- [@gabriellsh](https://github.com/gabriellsh)
@@ -2133,7 +2151,7 @@
- Omnichannel room priorities system messages were create on every saved room info ([#17479](https://github.com/RocketChat/Rocket.Chat/pull/17479) by [@MarcosSpessatto](https://github.com/MarcosSpessatto))
-- Password reset/change accepting current password as new password ([#16331](https://github.com/RocketChat/Rocket.Chat/pull/16331))
+- Password reset/change accepting current password as new password ([#16331](https://github.com/RocketChat/Rocket.Chat/pull/16331) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Push settings enabled when push gateway is selected ([#17582](https://github.com/RocketChat/Rocket.Chat/pull/17582))
@@ -2268,6 +2286,7 @@
- [@MarcosSpessatto](https://github.com/MarcosSpessatto)
- [@Nikhil713](https://github.com/Nikhil713)
- [@TaimurAzhar](https://github.com/TaimurAzhar)
+- [@ashwaniYDV](https://github.com/ashwaniYDV)
- [@dependabot[bot]](https://github.com/dependabot[bot])
- [@djorkaeffalexandre](https://github.com/djorkaeffalexandre)
- [@dudizilla](https://github.com/dudizilla)
@@ -2292,7 +2311,6 @@
### π©βπ»π¨βπ» Core Team π€
- [@MartinSchoeler](https://github.com/MartinSchoeler)
-- [@ashwaniYDV](https://github.com/ashwaniYDV)
- [@d-gubert](https://github.com/d-gubert)
- [@engelgabriel](https://github.com/engelgabriel)
- [@gabriellsh](https://github.com/gabriellsh)
@@ -2466,7 +2484,7 @@
- Redesign Administration > Import ([#17289](https://github.com/RocketChat/Rocket.Chat/pull/17289))
-- User gets UI feedback when message is pinned or unpinned ([#16056](https://github.com/RocketChat/Rocket.Chat/pull/16056))
+- User gets UI feedback when message is pinned or unpinned ([#16056](https://github.com/RocketChat/Rocket.Chat/pull/16056) by [@ashwaniYDV](https://github.com/ashwaniYDV))
### π Bug fixes
@@ -2477,7 +2495,7 @@
- 404 error when clicking an username ([#17275](https://github.com/RocketChat/Rocket.Chat/pull/17275))
-- Admin panel custom sounds, multiple sound playback fix and added single play/pause button ([#16215](https://github.com/RocketChat/Rocket.Chat/pull/16215))
+- Admin panel custom sounds, multiple sound playback fix and added single play/pause button ([#16215](https://github.com/RocketChat/Rocket.Chat/pull/16215) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Allow Screensharing in BBB Iframe ([#17290](https://github.com/RocketChat/Rocket.Chat/pull/17290) by [@wolbernd](https://github.com/wolbernd))
@@ -2495,17 +2513,17 @@
- Email not verified message ([#16236](https://github.com/RocketChat/Rocket.Chat/pull/16236))
-- Fixed email sort button in directory -> users ([#16606](https://github.com/RocketChat/Rocket.Chat/pull/16606))
+- Fixed email sort button in directory -> users ([#16606](https://github.com/RocketChat/Rocket.Chat/pull/16606) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Global event click-message-link not fired ([#16771](https://github.com/RocketChat/Rocket.Chat/pull/16771))
- Import slack's multiple direct messages as direct rooms instead of private groups ([#17206](https://github.com/RocketChat/Rocket.Chat/pull/17206))
-- In Create a New Channel, input should be focused on channel name instead of invite users ([#16405](https://github.com/RocketChat/Rocket.Chat/pull/16405))
+- In Create a New Channel, input should be focused on channel name instead of invite users ([#16405](https://github.com/RocketChat/Rocket.Chat/pull/16405) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- LDAP users lose session on refresh ([#17302](https://github.com/RocketChat/Rocket.Chat/pull/17302))
-- No maxlength(120) defined for custom user status ([#16534](https://github.com/RocketChat/Rocket.Chat/pull/16534))
+- No maxlength(120) defined for custom user status ([#16534](https://github.com/RocketChat/Rocket.Chat/pull/16534) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Omnichannel SMS / WhatsApp integration errors due to missing location data ([#17288](https://github.com/RocketChat/Rocket.Chat/pull/17288))
@@ -2513,7 +2531,7 @@
- Prevent user from getting stuck on login, if there is some bad fname ([#17331](https://github.com/RocketChat/Rocket.Chat/pull/17331))
-- Red color error outline is not removed after password update on profile details ([#16536](https://github.com/RocketChat/Rocket.Chat/pull/16536))
+- Red color error outline is not removed after password update on profile details ([#16536](https://github.com/RocketChat/Rocket.Chat/pull/16536) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Remove properties from users.info response ([#17238](https://github.com/RocketChat/Rocket.Chat/pull/17238) by [@MarcosSpessatto](https://github.com/MarcosSpessatto))
@@ -2592,6 +2610,7 @@
- [@Nikhil713](https://github.com/Nikhil713)
- [@RavenSystem](https://github.com/RavenSystem)
- [@aKn1ghtOut](https://github.com/aKn1ghtOut)
+- [@ashwaniYDV](https://github.com/ashwaniYDV)
- [@benkroeger](https://github.com/benkroeger)
- [@c0dzilla](https://github.com/c0dzilla)
- [@dependabot[bot]](https://github.com/dependabot[bot])
@@ -2611,7 +2630,6 @@
- [@MartinSchoeler](https://github.com/MartinSchoeler)
- [@alansikora](https://github.com/alansikora)
-- [@ashwaniYDV](https://github.com/ashwaniYDV)
- [@d-gubert](https://github.com/d-gubert)
- [@gabriellsh](https://github.com/gabriellsh)
- [@ggazzo](https://github.com/ggazzo)
@@ -2775,7 +2793,7 @@
- Open the Visitor Info panel automatically when the agent enters an Omnichannel room ([#16496](https://github.com/RocketChat/Rocket.Chat/pull/16496))
-- Route to get updated roles after a date ([#16610](https://github.com/RocketChat/Rocket.Chat/pull/16610) by [@MarcosSpessatto](https://github.com/MarcosSpessatto))
+- Route to get updated roles after a date ([#16610](https://github.com/RocketChat/Rocket.Chat/pull/16610) by [@MarcosSpessatto](https://github.com/MarcosSpessatto) & [@ashwaniYDV](https://github.com/ashwaniYDV))
- SAML config to allow clock drift ([#16751](https://github.com/RocketChat/Rocket.Chat/pull/16751) by [@localguru](https://github.com/localguru))
@@ -2805,9 +2823,9 @@
- Add option to require authentication on user's shield endpoint ([#16845](https://github.com/RocketChat/Rocket.Chat/pull/16845) by [@MarcosSpessatto](https://github.com/MarcosSpessatto))
-- Added autofocus to Directory ([#16217](https://github.com/RocketChat/Rocket.Chat/pull/16217))
+- Added autofocus to Directory ([#16217](https://github.com/RocketChat/Rocket.Chat/pull/16217) by [@ashwaniYDV](https://github.com/ashwaniYDV))
-- Added timer in video message recorder ([#16221](https://github.com/RocketChat/Rocket.Chat/pull/16221))
+- Added timer in video message recorder ([#16221](https://github.com/RocketChat/Rocket.Chat/pull/16221) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Allow login of non LDAP users when LDAP is enabled ([#16949](https://github.com/RocketChat/Rocket.Chat/pull/16949))
@@ -2817,7 +2835,7 @@
- Contextual bar autofocus ([#16915](https://github.com/RocketChat/Rocket.Chat/pull/16915))
-- Displays `Nothing found` on admin sidebar when search returns nothing ([#16255](https://github.com/RocketChat/Rocket.Chat/pull/16255))
+- Displays `Nothing found` on admin sidebar when search returns nothing ([#16255](https://github.com/RocketChat/Rocket.Chat/pull/16255) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Fallback content-type as application/octet-stream for FileSystem uploads ([#16776](https://github.com/RocketChat/Rocket.Chat/pull/16776) by [@georgmu](https://github.com/georgmu))
@@ -2839,14 +2857,14 @@
- Tab Bar actions reorder ([#17072](https://github.com/RocketChat/Rocket.Chat/pull/17072))
-- Use `rocket.cat` as default bot If `InternalHubot_Username` is undefined ([#16371](https://github.com/RocketChat/Rocket.Chat/pull/16371))
+- Use `rocket.cat` as default bot If `InternalHubot_Username` is undefined ([#16371](https://github.com/RocketChat/Rocket.Chat/pull/16371) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- User gets feedback when a message has been starred or unstarred ([#13860](https://github.com/RocketChat/Rocket.Chat/pull/13860) by [@fliptrail](https://github.com/fliptrail))
### π Bug fixes
-- "Jump to message" is rendered twice when message is starred. ([#16170](https://github.com/RocketChat/Rocket.Chat/pull/16170))
+- "Jump to message" is rendered twice when message is starred. ([#16170](https://github.com/RocketChat/Rocket.Chat/pull/16170) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- `users.setStatus` API was ignoring the user from params when trying to set status of other users ([#16128](https://github.com/RocketChat/Rocket.Chat/pull/16128) by [@MarcosSpessatto](https://github.com/MarcosSpessatto) & [@rm-yakovenko](https://github.com/rm-yakovenko))
@@ -2896,9 +2914,9 @@
- Federation Event ROOM_ADD_USER not being dispatched ([#16878](https://github.com/RocketChat/Rocket.Chat/pull/16878) by [@1rV1N-git](https://github.com/1rV1N-git))
-- File uploads out of threads are not visible in regular message view ([#16416](https://github.com/RocketChat/Rocket.Chat/pull/16416))
+- File uploads out of threads are not visible in regular message view ([#16416](https://github.com/RocketChat/Rocket.Chat/pull/16416) by [@ashwaniYDV](https://github.com/ashwaniYDV))
-- Flextab information is not working when clicking on visitor or agent username in Omnichannel messages ([#16797](https://github.com/RocketChat/Rocket.Chat/pull/16797))
+- Flextab information is not working when clicking on visitor or agent username in Omnichannel messages ([#16797](https://github.com/RocketChat/Rocket.Chat/pull/16797) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- ie11 support ([#16682](https://github.com/RocketChat/Rocket.Chat/pull/16682))
@@ -2938,7 +2956,7 @@
- Prune message saying `files deleted` and `messages deleted` even when singular message or file in prune ([#16322](https://github.com/RocketChat/Rocket.Chat/pull/16322) by [@ritwizsinha](https://github.com/ritwizsinha))
-- Public channel cannot be accessed via URL when 'Allow Anonymous Read' is active ([#16914](https://github.com/RocketChat/Rocket.Chat/pull/16914))
+- Public channel cannot be accessed via URL when 'Allow Anonymous Read' is active ([#16914](https://github.com/RocketChat/Rocket.Chat/pull/16914) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Race conditions on/before login ([#16989](https://github.com/RocketChat/Rocket.Chat/pull/16989))
@@ -2950,7 +2968,7 @@
- Regression: New 'app' role with no permissions when updating to 3.0.0 ([#16637](https://github.com/RocketChat/Rocket.Chat/pull/16637))
-- Remove Reply in DM from Omnichannel rooms ([#16957](https://github.com/RocketChat/Rocket.Chat/pull/16957))
+- Remove Reply in DM from Omnichannel rooms ([#16957](https://github.com/RocketChat/Rocket.Chat/pull/16957) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Remove spaces from i18n placeholders to show Personal access token ([#16724](https://github.com/RocketChat/Rocket.Chat/pull/16724) by [@harakiwi1](https://github.com/harakiwi1))
@@ -2960,7 +2978,7 @@
- SAML login errors not showing on UI ([#17219](https://github.com/RocketChat/Rocket.Chat/pull/17219))
-- Show error message if password and confirm password not equal ([#16247](https://github.com/RocketChat/Rocket.Chat/pull/16247))
+- Show error message if password and confirm password not equal ([#16247](https://github.com/RocketChat/Rocket.Chat/pull/16247) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Slackbridge-import command doesn't work ([#16645](https://github.com/RocketChat/Rocket.Chat/pull/16645) by [@antkaz](https://github.com/antkaz))
@@ -2970,7 +2988,7 @@
- Text formatted to remain within button even on screen resize ([#14136](https://github.com/RocketChat/Rocket.Chat/pull/14136) by [@Rodriq](https://github.com/Rodriq))
-- There is no option to pin a thread message by admin ([#16457](https://github.com/RocketChat/Rocket.Chat/pull/16457))
+- There is no option to pin a thread message by admin ([#16457](https://github.com/RocketChat/Rocket.Chat/pull/16457) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- TypeError when trying to load avatar of an invalid room. ([#16699](https://github.com/RocketChat/Rocket.Chat/pull/16699))
@@ -3046,7 +3064,7 @@
- Fix: Console error on login ([#16704](https://github.com/RocketChat/Rocket.Chat/pull/16704))
-- Fix: Correctly aligned input element of custom user status component ([#16151](https://github.com/RocketChat/Rocket.Chat/pull/16151))
+- Fix: Correctly aligned input element of custom user status component ([#16151](https://github.com/RocketChat/Rocket.Chat/pull/16151) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Fix: Error message on startup of multiple instances related to the metricsβ server ([#17152](https://github.com/RocketChat/Rocket.Chat/pull/17152))
@@ -3062,13 +3080,13 @@
- Fix: Padding required in the Facebook Messenger option in Livechat ([#16202](https://github.com/RocketChat/Rocket.Chat/pull/16202) by [@ritwizsinha](https://github.com/ritwizsinha))
-- Fix: Removed some hardcoded texts ([#16304](https://github.com/RocketChat/Rocket.Chat/pull/16304))
+- Fix: Removed some hardcoded texts ([#16304](https://github.com/RocketChat/Rocket.Chat/pull/16304) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Fix: StreamCast was not working correctly ([#16983](https://github.com/RocketChat/Rocket.Chat/pull/16983))
- Fixed Line break incorrectly being called apostrophe in code ([#16918](https://github.com/RocketChat/Rocket.Chat/pull/16918) by [@aKn1ghtOut](https://github.com/aKn1ghtOut))
-- Fixed translate variable in UnarchiveRoom Modal ([#16310](https://github.com/RocketChat/Rocket.Chat/pull/16310))
+- Fixed translate variable in UnarchiveRoom Modal ([#16310](https://github.com/RocketChat/Rocket.Chat/pull/16310) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Improve room types usage ([#16753](https://github.com/RocketChat/Rocket.Chat/pull/16753))
@@ -3086,7 +3104,7 @@
- New Troubleshoot section for disabling features ([#17114](https://github.com/RocketChat/Rocket.Chat/pull/17114))
-- Redirected to home when a room has been deleted instead of getting broken link(blank page) of deleted room ([#16227](https://github.com/RocketChat/Rocket.Chat/pull/16227))
+- Redirected to home when a room has been deleted instead of getting broken link(blank page) of deleted room ([#16227](https://github.com/RocketChat/Rocket.Chat/pull/16227) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Reduce notifyUser propagation ([#17088](https://github.com/RocketChat/Rocket.Chat/pull/17088))
@@ -3178,6 +3196,7 @@
- [@aKn1ghtOut](https://github.com/aKn1ghtOut)
- [@antkaz](https://github.com/antkaz)
- [@aryamanpuri](https://github.com/aryamanpuri)
+- [@ashwaniYDV](https://github.com/ashwaniYDV)
- [@col-panic](https://github.com/col-panic)
- [@dependabot[bot]](https://github.com/dependabot[bot])
- [@djorkaeffalexandre](https://github.com/djorkaeffalexandre)
@@ -3201,7 +3220,6 @@
- [@PrajvalRaval](https://github.com/PrajvalRaval)
- [@Sing-Li](https://github.com/Sing-Li)
-- [@ashwaniYDV](https://github.com/ashwaniYDV)
- [@d-gubert](https://github.com/d-gubert)
- [@engelgabriel](https://github.com/engelgabriel)
- [@gabriellsh](https://github.com/gabriellsh)
@@ -3691,7 +3709,7 @@
- Login change language button ([#16085](https://github.com/RocketChat/Rocket.Chat/pull/16085) by [@mariaeduardacunha](https://github.com/mariaeduardacunha))
-- Mail Msg Cancel button not closing the flexbar ([#16263](https://github.com/RocketChat/Rocket.Chat/pull/16263))
+- Mail Msg Cancel button not closing the flexbar ([#16263](https://github.com/RocketChat/Rocket.Chat/pull/16263) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Missing edited icon in newly created messages ([#16484](https://github.com/RocketChat/Rocket.Chat/pull/16484))
@@ -3709,7 +3727,7 @@
- SafePorts: Ports 80, 8080 & 443 linked to respective protocols (#16108) ([#16108](https://github.com/RocketChat/Rocket.Chat/pull/16108))
-- Save password without confirmation ([#16060](https://github.com/RocketChat/Rocket.Chat/pull/16060))
+- Save password without confirmation ([#16060](https://github.com/RocketChat/Rocket.Chat/pull/16060) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Send message with pending messages ([#16474](https://github.com/RocketChat/Rocket.Chat/pull/16474))
@@ -3717,7 +3735,7 @@
- Slack CSV User Importer ([#16253](https://github.com/RocketChat/Rocket.Chat/pull/16253))
-- The "click to load" text is hard-coded and not translated. ([#16142](https://github.com/RocketChat/Rocket.Chat/pull/16142))
+- The "click to load" text is hard-coded and not translated. ([#16142](https://github.com/RocketChat/Rocket.Chat/pull/16142) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Thread message icon overlapping text ([#16083](https://github.com/RocketChat/Rocket.Chat/pull/16083))
@@ -3838,6 +3856,7 @@
- [@Cool-fire](https://github.com/Cool-fire)
- [@MarcosSpessatto](https://github.com/MarcosSpessatto)
- [@antkaz](https://github.com/antkaz)
+- [@ashwaniYDV](https://github.com/ashwaniYDV)
- [@aviral243](https://github.com/aviral243)
- [@mariaeduardacunha](https://github.com/mariaeduardacunha)
- [@mrsimpson](https://github.com/mrsimpson)
@@ -3848,7 +3867,6 @@
- [@LuluGO](https://github.com/LuluGO)
- [@MartinSchoeler](https://github.com/MartinSchoeler)
-- [@ashwaniYDV](https://github.com/ashwaniYDV)
- [@d-gubert](https://github.com/d-gubert)
- [@gabriellsh](https://github.com/gabriellsh)
- [@geekgonecrazy](https://github.com/geekgonecrazy)
@@ -4280,7 +4298,7 @@
- Guest's name field missing when forwarding livechat rooms ([#15991](https://github.com/RocketChat/Rocket.Chat/pull/15991))
-- Importer: Variable name appearing instead of it's value ([#16010](https://github.com/RocketChat/Rocket.Chat/pull/16010))
+- Importer: Variable name appearing instead of it's value ([#16010](https://github.com/RocketChat/Rocket.Chat/pull/16010) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Incorrect translation key on Livechat Appearance template ([#15975](https://github.com/RocketChat/Rocket.Chat/pull/15975) by [@ritwizsinha](https://github.com/ritwizsinha))
@@ -4358,6 +4376,7 @@
- [@MarcosSpessatto](https://github.com/MarcosSpessatto)
- [@antkaz](https://github.com/antkaz)
+- [@ashwaniYDV](https://github.com/ashwaniYDV)
- [@breaking-let](https://github.com/breaking-let)
- [@iannuzzelli](https://github.com/iannuzzelli)
- [@localguru](https://github.com/localguru)
@@ -4370,7 +4389,6 @@
### π©βπ»π¨βπ» Core Team π€
- [@MartinSchoeler](https://github.com/MartinSchoeler)
-- [@ashwaniYDV](https://github.com/ashwaniYDV)
- [@d-gubert](https://github.com/d-gubert)
- [@gabriellsh](https://github.com/gabriellsh)
- [@geekgonecrazy](https://github.com/geekgonecrazy)
@@ -6208,7 +6226,7 @@
- [Fix] broken logo url in app.json ([#14572](https://github.com/RocketChat/Rocket.Chat/pull/14572) by [@jaredmoody](https://github.com/jaredmoody))
-- [IMPROVEMENT] Add tooltip to to notify user the purpose of back button in discussion ([#13872](https://github.com/RocketChat/Rocket.Chat/pull/13872))
+- [IMPROVEMENT] Add tooltip to to notify user the purpose of back button in discussion ([#13872](https://github.com/RocketChat/Rocket.Chat/pull/13872) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- [IMPROVEMENT] Don't group messages with different alias ([#14257](https://github.com/RocketChat/Rocket.Chat/pull/14257) by [@jungeonkim](https://github.com/jungeonkim))
@@ -6285,6 +6303,7 @@
- [@Kailash0311](https://github.com/Kailash0311)
- [@MarcosSpessatto](https://github.com/MarcosSpessatto)
- [@arminfelder](https://github.com/arminfelder)
+- [@ashwaniYDV](https://github.com/ashwaniYDV)
- [@bhardwajaditya](https://github.com/bhardwajaditya)
- [@gsunit](https://github.com/gsunit)
- [@jaredmoody](https://github.com/jaredmoody)
@@ -6302,7 +6321,6 @@
### π©βπ»π¨βπ» Core Team π€
- [@alansikora](https://github.com/alansikora)
-- [@ashwaniYDV](https://github.com/ashwaniYDV)
- [@d-gubert](https://github.com/d-gubert)
- [@engelgabriel](https://github.com/engelgabriel)
- [@geekgonecrazy](https://github.com/geekgonecrazy)
@@ -6744,7 +6762,7 @@
- Improve cloud section ([#13820](https://github.com/RocketChat/Rocket.Chat/pull/13820))
-- In home screen Rocket.Chat+ is dispalyed as Rocket.Chat ([#13784](https://github.com/RocketChat/Rocket.Chat/pull/13784))
+- In home screen Rocket.Chat+ is dispalyed as Rocket.Chat ([#13784](https://github.com/RocketChat/Rocket.Chat/pull/13784) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Legal pages' style ([#13677](https://github.com/RocketChat/Rocket.Chat/pull/13677))
@@ -6932,7 +6950,7 @@
- Added federation ping, loopback and dashboard ([#14007](https://github.com/RocketChat/Rocket.Chat/pull/14007))
-- Adds French translation of Personal Access Token ([#13779](https://github.com/RocketChat/Rocket.Chat/pull/13779))
+- Adds French translation of Personal Access Token ([#13779](https://github.com/RocketChat/Rocket.Chat/pull/13779) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Allow set env var METEOR_OPLOG_TOO_FAR_BEHIND ([#14017](https://github.com/RocketChat/Rocket.Chat/pull/14017))
@@ -7126,7 +7144,7 @@
- Regression: wrong expression at messageBox.actions.remove() ([#14192](https://github.com/RocketChat/Rocket.Chat/pull/14192))
-- Remove bitcoin link in Readme.md since the link is broken ([#13935](https://github.com/RocketChat/Rocket.Chat/pull/13935))
+- Remove bitcoin link in Readme.md since the link is broken ([#13935](https://github.com/RocketChat/Rocket.Chat/pull/13935) by [@ashwaniYDV](https://github.com/ashwaniYDV))
- Remove dependency of RC namespace in rc-livechat/imports, lib, server/api, server/hooks and server/lib ([#13379](https://github.com/RocketChat/Rocket.Chat/pull/13379) by [@MarcosSpessatto](https://github.com/MarcosSpessatto))
@@ -7224,6 +7242,7 @@
- [@Peym4n](https://github.com/Peym4n)
- [@TkTech](https://github.com/TkTech)
- [@algomaster99](https://github.com/algomaster99)
+- [@ashwaniYDV](https://github.com/ashwaniYDV)
- [@bhardwajaditya](https://github.com/bhardwajaditya)
- [@bsharrow](https://github.com/bsharrow)
- [@fliptrail](https://github.com/fliptrail)
@@ -7266,7 +7285,6 @@
- [@LuluGO](https://github.com/LuluGO)
- [@alansikora](https://github.com/alansikora)
-- [@ashwaniYDV](https://github.com/ashwaniYDV)
- [@d-gubert](https://github.com/d-gubert)
- [@engelgabriel](https://github.com/engelgabriel)
- [@geekgonecrazy](https://github.com/geekgonecrazy)
diff --git a/app/api/server/v1/invites.js b/app/api/server/v1/invites.js
index 9409458e3093..fd17ec366190 100644
--- a/app/api/server/v1/invites.js
+++ b/app/api/server/v1/invites.js
@@ -1,5 +1,3 @@
-import { Meteor } from 'meteor/meteor';
-
import { API } from '../api';
import { findOrCreateInvite } from '../../../invites/server/functions/findOrCreateInvite';
import { removeInvite } from '../../../invites/server/functions/removeInvite';
@@ -46,10 +44,6 @@ API.v1.addRoute('validateInviteToken', { authRequired: false }, {
post() {
const { token } = this.bodyParams;
- if (!token) {
- throw new Meteor.Error('error-invalid-token', 'The invite token is invalid.', { method: 'validateInviteToken', field: 'token' });
- }
-
let valid = true;
try {
validateInviteToken(token);
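Review bot: With the guard removed, a request without a token now reaches `validateInviteToken(token)` inside the `try`, so — assuming the `catch` below (outside the hunk) turns the thrown error into `valid = false` — clients that omit the token presumably get a successful `valid: false` response where the route previously failed with `error-invalid-token`. If that contract change is intended, a one-line comment would save the next reader the search: `// A missing or non-string token is rejected inside validateInviteToken and reported as valid: false`. The `Meteor` import dropped in the first hunk is only safe if no other `Meteor.` reference remains in the file, which cannot be seen here. `post()`'s body continues past the hunk.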
diff --git a/app/invites/server/functions/validateInviteToken.js b/app/invites/server/functions/validateInviteToken.js
index 88d35fd5ccab..dda8add8b612 100644
--- a/app/invites/server/functions/validateInviteToken.js
+++ b/app/invites/server/functions/validateInviteToken.js
@@ -3,7 +3,7 @@ import { Meteor } from 'meteor/meteor';
import { Invites, Rooms } from '../../../models';
export const validateInviteToken = (token) => {
- if (!token) {
+ if (!token || typeof token !== 'string') {
throw new Meteor.Error('error-invalid-token', 'The invite token is invalid.', { method: 'validateInviteToken', field: 'token' });
}
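Review bot: The new `typeof token !== 'string'` guard deserves a comment explaining why, or a later cleanup may fold it back into `!token` as redundant: a client can send a non-string value where a string is expected, and — presumably, since the lookup against `Invites` is outside the hunk — that value would otherwise be passed on to the database query unchanged. Suggest `// Reject non-string input: anything but a string must not reach the Invites lookup` above the check. The same guard is added to `livechat:loadHistory` in this commit, and the `validateInviteToken` API route now relies on this function for both the missing and the malformed case.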
diff --git a/app/lib/server/methods/getFullUserData.js b/app/lib/server/methods/getFullUserData.js
index 07ae554acb4e..3c551dacd1ee 100644
--- a/app/lib/server/methods/getFullUserData.js
+++ b/app/lib/server/methods/getFullUserData.js
@@ -4,7 +4,14 @@ import { getFullUserData } from '../functions';
Meteor.methods({
getFullUserData({ filter = '', username = '', limit = 1 }) {
+ console.warn('Method "getFullUserData" is deprecated and will be removed after v4.0.0');
+
+ if (!Meteor.userId()) {
+ throw new Meteor.Error('not-authorized');
+ }
+
const result = getFullUserData({ userId: Meteor.userId(), filter: filter || username, limit });
+
return result && result.fetch();
},
});
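Review bot: `filter` and `username` are forwarded to `getFullUserData` without a type check, whereas this commit adds `typeof token !== 'string'` guards to validateInviteToken and livechat:loadHistory; unless the function in '../functions' validates its `filter` argument (not visible here), a non-string value reaches it unchanged. Adding `check(filter, String); check(username, String);` (with `import { check } from 'meteor/check';` at the top of the file) after the authorization check would reject such input with a Match.Error before it is used. Consider also emitting the deprecation `console.warn` after the `Meteor.userId()` check rather than before it, so unauthenticated calls do not write a log line per request.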
diff --git a/app/lib/server/methods/getServerInfo.js b/app/lib/server/methods/getServerInfo.js
index 2c76421adb5a..4445eaf36f35 100644
--- a/app/lib/server/methods/getServerInfo.js
+++ b/app/lib/server/methods/getServerInfo.js
@@ -4,6 +4,11 @@ import { Info } from '../../../utils';
Meteor.methods({
getServerInfo() {
+ if (!Meteor.userId()) {
+ console.warning('Method "getServerInfo" is deprecated and will be removed after v4.0.0');
+ throw new Meteor.Error('not-authorized');
+ }
+
return Info;
},
});
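Review bot: `console.warning` is not a console method, so for an unauthenticated caller the new branch throws a TypeError on that line before it reaches `throw new Meteor.Error('not-authorized')`, and the client receives a generic internal error instead of the intended 'not-authorized'; change it to `console.warn('Method "getServerInfo" is deprecated and will be removed after v4.0.0');`. The warning is also printed only on the unauthenticated path, unlike getFullUserData in this same commit, which warns on every call; if the method is meant to be deprecated for everyone, move the `console.warn` line above the `if` so authenticated callers see it too.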
diff --git a/app/livechat/server/methods/loadHistory.js b/app/livechat/server/methods/loadHistory.js
index 395ea3ea5a94..0ac3331e217a 100644
--- a/app/livechat/server/methods/loadHistory.js
+++ b/app/livechat/server/methods/loadHistory.js
@@ -5,6 +5,10 @@ import { LivechatVisitors } from '../../../models';
Meteor.methods({
'livechat:loadHistory'({ token, rid, end, limit = 20, ls }) {
+ if (!token || typeof token !== 'string') {
+ return;
+ }
+
const visitor = LivechatVisitors.getVisitorByToken(token, { fields: { _id: 1 } });
if (!visitor) {
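Review bot: The new guard returns `undefined` silently when `token` is missing or not a string, whereas the `validateInviteToken` change in this same commit throws a Meteor.Error for the identical condition, so livechat clients get no signal why history did not load. `rid`, `end` and `ls` are still passed on unchecked; the rest of the method is outside the hunk. Consider `check(token, String); check(rid, String);` (from `meteor/check`) at the top, which rejects non-string values with an explicit Match.Error.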
diff --git a/app/livechat/server/methods/saveOfficeHours.js b/app/livechat/server/methods/saveOfficeHours.js
index a84b3b7a2fe4..d0e16a59843b 100644
--- a/app/livechat/server/methods/saveOfficeHours.js
+++ b/app/livechat/server/methods/saveOfficeHours.js
@@ -1,10 +1,16 @@
import { Meteor } from 'meteor/meteor';
+import { hasPermission } from '../../../authorization';
import { LivechatBusinessHours } from '../../../models/server/raw';
Meteor.methods({
'livechat:saveOfficeHours'(day, start, finish, open) {
- console.log('Method "livechat:saveOfficeHour" is deprecated and will be removed after v4.0.0');
+ console.warn('Method "livechat:saveOfficeHour" is deprecated and will be removed after v4.0.0');
+
+ if (!Meteor.userId() || !hasPermission(Meteor.userId(), 'view-livechat-business-hours')) {
+ throw new Meteor.Error('error-not-allowed', 'Not allowed', { method: 'livechat:saveOfficeHours' });
+ }
+
LivechatBusinessHours.updateDayOfGlobalBusinessHour({
day,
start,
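Review bot: The permission consulted on the new `hasPermission` line is `view-livechat-business-hours`, a read-named permission, yet the method writes the global business hour; if the project has no dedicated save/manage permission this is presumably intentional, but a one-line comment such as `// No separate "save" permission exists; viewing business hours implies managing them` would stop a later reader from "fixing" it. `day`, `start`, `finish` and `open` are also forwarded to `updateDayOfGlobalBusinessHour` unvalidated, and that call continues past the end of the hunk. A `check(...)` on each argument before the update, with whatever types the raw model actually expects, would reject malformed DDP payloads.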
diff --git a/app/markdown/lib/parser/marked/marked.js b/app/markdown/lib/parser/marked/marked.js
index 0404d20a1c3b..15a278731116 100644
--- a/app/markdown/lib/parser/marked/marked.js
+++ b/app/markdown/lib/parser/marked/marked.js
@@ -2,6 +2,7 @@ import { Random } from 'meteor/random';
import _ from 'underscore';
import s from 'underscore.string';
import _marked from 'marked';
+import dompurify from 'dompurify';
import hljs from '../../hljs';
import { settings } from '../../../../settings';
@@ -111,5 +112,7 @@ export const marked = (message) => {
highlight,
});
+ msg.html = dompurify.sanitize(msg.html);
+
return msg;
};
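Review bot: `msg.html = dompurify.sanitize(msg.html);` assumes a DOM is present: DOMPurify's default export is built from the global `window`, and when there is none it sets `isSupported = false` and does not define `sanitize`, so the call throws a TypeError. This file lives under `app/markdown/lib`, which in this codebase is typically shared by client and server, so if it is loaded on the server the parser would fail there. Either construct the instance explicitly with a DOM implementation on the server, or guard the call with `msg.html = typeof dompurify.sanitize === 'function' ? dompurify.sanitize(msg.html) : msg.html;` — noting that the fallback leaves server-rendered output unsanitized, so the explicit-instance route is the safer one.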
diff --git a/app/markdown/lib/parser/original/markdown.js b/app/markdown/lib/parser/original/markdown.js
index a9c2fdb2fe29..83e1797ac654 100644
--- a/app/markdown/lib/parser/original/markdown.js
+++ b/app/markdown/lib/parser/original/markdown.js
@@ -19,7 +19,17 @@ const addAsToken = function(message, html) {
const URL = global.URL || require('url').URL || require('url').Url;
-const validateUrl = (url) => {
+const validateUrl = (url, message) => {
+ // Don't render markdown inside links
+ if (message && message.tokens && message.tokens.some((token) => url.includes(token.token))) {
+ return false;
+ }
+
+ // Valid urls don't contain whitespaces
+ if (/\s/.test(url.trim())) {
+ return false;
+ }
+
try {
new URL(url);
return true;
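Review bot: The comment `// Valid urls don't contain whitespaces` does not match the check beneath it: `url.trim()` strips leading and trailing whitespace before the test, so `https://open.rocket.chat/ ` passes and is later percent-encoded into `.../%20` by the callers (the updated client test in this change expects exactly that). Either test the untrimmed value, `if (/\s/.test(url)) { return false; }`, or reword the comment to `// Reject URLs with interior whitespace; surrounding whitespace is tolerated and encoded by the caller`. The `try { new URL(url) ... }` block continues past the end of the hunk.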
@@ -76,36 +86,37 @@ const parseNotEscaped = function(msg, message) {
// Support ![alt text](http://image url)
msg = msg.replace(new RegExp(`!\\[([^\\]]+)\\]\\(((?:${ schemes }):\\/\\/[^\\s]+)\\)`, 'gm'), (match, title, url) => {
- if (!validateUrl(url)) {
+ if (!validateUrl(url, message)) {
return match;
}
+ url = encodeURI(url);
+
const target = url.indexOf(Meteor.absoluteUrl()) === 0 ? '' : '_blank';
return addAsToken(message, ``);
});
// Support [Text](http://link)
msg = msg.replace(new RegExp(`\\[([^\\]]+)\\]\\(((?:${ schemes }):\\/\\/[^\\s]+)\\)`, 'gm'), (match, title, url) => {
- if (!validateUrl(url)) {
+ if (!validateUrl(url, message)) {
return match;
}
const target = url.indexOf(Meteor.absoluteUrl()) === 0 ? '' : '_blank';
title = title.replace(/&/g, '&');
- let escapedUrl = url;
- escapedUrl = escapedUrl.replace(/&/g, '&');
+ const escapedUrl = encodeURI(url);
return addAsToken(message, `${ title }`);
});
// Support
- msg = msg.replace(new RegExp(`(?:<|<)((?:${ schemes }):\\/\\/[^\\|]+)\\|(.+?)(?=>|>)(?:>|>)`, 'gm'), (match, url, title) => {
- if (!validateUrl(url)) {
+ msg = msg.replace(new RegExp(`(?:<|<)((?:${ schemes }):\\\/\\\/[^\\|]+)\\|(.+?)(?=>|>)(?:>|>)`, 'gm'), (match, url, title) => {
+ if (!validateUrl(url, message)) {
return match;
}
+ url = encodeURI(url);
const target = url.indexOf(Meteor.absoluteUrl()) === 0 ? '' : '_blank';
return addAsToken(message, `${ title }`);
});
-
return msg;
};
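Review bot: `encodeURI` also encodes `%`, so a link whose URL is already percent-encoded (`https://x/a%20b`, or any non-ASCII path pasted from a browser) is double-encoded to `%2520` at each of the three new `encodeURI(url)` sites and the resulting href no longer resolves. A small helper that restores pre-existing escapes keeps the attribute-safe encoding while leaving valid `%XX` sequences alone: `const encodeUrl = (url) => encodeURI(url).replace(/%25([0-9a-f]{2})/gi, '%$1');`, called in place of `encodeURI` at the three sites. Note that `encodeURI` leaves `'` unencoded, so the anchor template must quote `href` with double quotes; the template lines are not legible in this view, so please confirm.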
diff --git a/app/markdown/tests/client.tests.js b/app/markdown/tests/client.tests.js
index a8283386c16f..7712f56753ae 100644
--- a/app/markdown/tests/client.tests.js
+++ b/app/markdown/tests/client.tests.js
@@ -173,7 +173,7 @@ const link = {
'': s.escapeHTML(''),
'': linkWrapped('http://link', 'Text'),
'': linkWrapped('https://open.rocket.chat/', 'Open Site For Rocket.Chat'),
- '': linkWrapped('https://open.rocket.chat/ ', ' Open Site For Rocket.Chat'),
+ '': linkWrapped(encodeURI('https://open.rocket.chat/ '), ' Open Site For Rocket.Chat'),
'': linkWrapped('https://rocket.chat/', 'Rocket.Chat Site'),
'': linkWrapped('https://rocket.chat/docs/developer-guides/testing/#testing', 'Testing Entry on Rocket.Chat Docs Site'),
'': s.escapeHTML(''),
@@ -200,7 +200,7 @@ const link = {
'[Rocket.Chat Site](tps://rocket.chat/)': '[Rocket.Chat Site](tps://rocket.chat/)',
'[Open Site For Rocket.Chat](open.rocket.chat/)': '[Open Site For Rocket.Chat](open.rocket.chat/)',
'[Testing Entry on Rocket.Chat Docs Site](htts://rocket.chat/docs/developer-guides/testing/#testing)': '[Testing Entry on Rocket.Chat Docs Site](htts://rocket.chat/docs/developer-guides/testing/#testing)',
- '[Text](http://link?param1=1¶m2=2)': linkWrapped('http://link?param1=1¶m2=2', 'Text'),
+ '[Text](http://link?param1=1¶m2=2)': linkWrapped('http://link?param1=1¶m2=2', 'Text'),
'[Testing Double parentheses](https://en.wikipedia.org/wiki/Disambiguation_(disambiguation))': linkWrapped('https://en.wikipedia.org/wiki/Disambiguation_(disambiguation)', 'Testing Double parentheses'),
'[Testing data after Double parentheses](https://en.wikipedia.org/wiki/Disambiguation_(disambiguation)/blabla/bla)': linkWrapped('https://en.wikipedia.org/wiki/Disambiguation_(disambiguation)/blabla/bla', 'Testing data after Double parentheses'),
};
diff --git a/app/message-mark-as-unread/server/unreadMessages.js b/app/message-mark-as-unread/server/unreadMessages.js
index 4eee05fd230d..aec92fcf94b6 100644
--- a/app/message-mark-as-unread/server/unreadMessages.js
+++ b/app/message-mark-as-unread/server/unreadMessages.js
@@ -12,7 +12,7 @@ Meteor.methods({
});
}
- if (room) {
+ if (room && typeof room === 'string') {
const lastMessage = Messages.findVisibleByRoomId(room, { limit: 1, sort: { ts: -1 } }).fetch()[0];
if (lastMessage == null) {
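Review bot: A truthy non-string `room` now skips the `if (room && typeof room === 'string')` branch silently and falls through to the `firstUnreadMessage` path instead of being rejected, so a malformed call either reports a misleading error or, if `firstUnreadMessage` is valid, marks unread from the wrong input. `check(room, Match.Maybe(String));` (from `meteor/check`) at the top of the method would reject it outright. The method's start and the `firstUnreadMessage` handling are outside this hunk.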
@@ -25,6 +25,13 @@ Meteor.methods({
return Subscriptions.setAsUnreadByRoomIdAndUserId(lastMessage.rid, userId, lastMessage.ts);
}
+ if (typeof firstUnreadMessage?._id !== 'string') {
+ throw new Meteor.Error('error-action-not-allowed', 'Not allowed', {
+ method: 'unreadMessages',
+ action: 'Unread_messages',
+ });
+ }
+
const originalMessage = Messages.findOneById(firstUnreadMessage._id, {
fields: {
u: 1,
diff --git a/app/message-pin/client/pinMessage.js b/app/message-pin/client/pinMessage.js
index 9fbc2f778edc..5843be4de181 100644
--- a/app/message-pin/client/pinMessage.js
+++ b/app/message-pin/client/pinMessage.js
@@ -19,9 +19,14 @@ Meteor.methods({
toastr.error(TAPi18n.__('error-pinning-message'));
return false;
}
+ if (typeof message._id !== 'string') {
+ toastr.error(TAPi18n.__('error-pinning-message'));
+ return false;
+ }
toastr.success(TAPi18n.__('Message_has_been_pinned'));
return ChatMessage.update({
_id: message._id,
+ rid: message.rid,
}, {
$set: {
pinned: true,
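Review bot: The new type check covers only `_id`, while `message.rid`, which is now part of the `ChatMessage.update` selector on the following lines, is not checked; an absent or non-string `rid` presumably makes the selector match nothing, so the optimistic local update silently does nothing while the server method (which uses the stored message's `rid`, not the client's) still pins. Extending the guard to `if (typeof message._id !== 'string' || typeof message.rid !== 'string') {` keeps the stub consistent with what its selector requires. The same applies to the unpin stub below.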
@@ -41,9 +46,14 @@ Meteor.methods({
toastr.error(TAPi18n.__('error-unpinning-message'));
return false;
}
+ if (typeof message._id !== 'string') {
+ toastr.error(TAPi18n.__('error-unpinning-message'));
+ return false;
+ }
toastr.success(TAPi18n.__('Message_has_been_unpinned'));
return ChatMessage.update({
_id: message._id,
+ rid: message.rid,
}, {
$set: {
pinned: false,
diff --git a/app/message-pin/server/pinMessage.js b/app/message-pin/server/pinMessage.js
index a62ef8b7138f..4543496ad2a0 100644
--- a/app/message-pin/server/pinMessage.js
+++ b/app/message-pin/server/pinMessage.js
@@ -1,4 +1,5 @@
import { Meteor } from 'meteor/meteor';
+import { check } from 'meteor/check';
import { settings } from '../../settings';
import { callbacks } from '../../callbacks';
@@ -28,6 +29,8 @@ const shouldAdd = (attachments, attachment) => !attachments.some(({ message_link
Meteor.methods({
pinMessage(message, pinnedAt) {
+ check(message._id, String);
+
const userId = Meteor.userId();
if (!userId) {
throw new Meteor.Error('error-invalid-user', 'Invalid user', {
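Review bot: `check(message._id, String)` dereferences `message` before validating it, so a call with `message` undefined or null throws a TypeError (surfacing as an internal server error) instead of the Match.Error the check is meant to produce. `check(message, Match.ObjectIncluding({ _id: String }));` validates both in one step (`Match` comes from the same `meteor/check` import added in this change). The rest of `pinMessage` continues past the hunk.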
@@ -42,30 +45,34 @@ Meteor.methods({
});
}
- if (!hasPermission(Meteor.userId(), 'pin-message', message.rid)) {
- throw new Meteor.Error('not-authorized', 'Not Authorized', { method: 'pinMessage' });
+ let originalMessage = Messages.findOneById(message._id);
+ if (originalMessage == null || originalMessage._id == null) {
+ throw new Meteor.Error('error-invalid-message', 'Message you are pinning was not found', {
+ method: 'pinMessage',
+ action: 'Message_pinning',
+ });
}
- const subscription = Subscriptions.findOneByRoomIdAndUserId(message.rid, Meteor.userId(), { fields: { _id: 1 } });
+ const subscription = Subscriptions.findOneByRoomIdAndUserId(originalMessage.rid, Meteor.userId(), { fields: { _id: 1 } });
if (!subscription) {
- return false;
- }
-
- let originalMessage = Messages.findOneById(message._id);
- if (originalMessage == null || originalMessage._id == null) {
+ // If it's a valid message but on a room that the user is not subscribed to, report that the message was not found.
throw new Meteor.Error('error-invalid-message', 'Message you are pinning was not found', {
method: 'pinMessage',
action: 'Message_pinning',
});
}
+ if (!hasPermission(Meteor.userId(), 'pin-message', originalMessage.rid)) {
+ throw new Meteor.Error('not-authorized', 'Not Authorized', { method: 'pinMessage' });
+ }
+
const me = Users.findOneById(userId);
// If we keep history of edits, insert a new message to store history information
if (settings.get('Message_KeepHistory')) {
Messages.cloneAndSaveAsHistoryById(message._id, me);
}
- const room = Meteor.call('canAccessRoom', message.rid, Meteor.userId());
+ const room = Meteor.call('canAccessRoom', originalMessage.rid, Meteor.userId());
originalMessage.pinned = true;
originalMessage.pinnedAt = pinnedAt || Date.now;
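Review bot: `originalMessage.pinnedAt = pinnedAt || Date.now;` on the last line of the hunk stores the client-supplied `pinnedAt` unvalidated and, when it is absent, stores the `Date.now` function object itself rather than a timestamp (the call parentheses are missing); this is a context line, so the defect predates the change, but the authorization reorder is the right moment to fix it. `originalMessage.pinnedAt = new Date();` removes both problems, since a pin time chosen by the client is not something the server should trust; if the parameter must stay, `check(pinnedAt, Match.Maybe(Date));` at least bounds its type. The method continues beyond the hunk.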
@@ -110,6 +117,8 @@ Meteor.methods({
);
},
unpinMessage(message) {
+ check(message._id, String);
+
if (!Meteor.userId()) {
throw new Meteor.Error('error-invalid-user', 'Invalid user', {
method: 'unpinMessage',
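Review bot: As in `pinMessage`, `check(message._id, String)` throws a TypeError rather than a Match.Error when `message` itself is null or undefined; `check(message, Match.ObjectIncluding({ _id: String }));` covers both cases. The method body continues outside the hunk.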
@@ -123,24 +132,27 @@ Meteor.methods({
});
}
- if (!hasPermission(Meteor.userId(), 'pin-message', message.rid)) {
- throw new Meteor.Error('not-authorized', 'Not Authorized', { method: 'pinMessage' });
+ let originalMessage = Messages.findOneById(message._id);
+ if (originalMessage == null || originalMessage._id == null) {
+ throw new Meteor.Error('error-invalid-message', 'Message you are unpinning was not found', {
+ method: 'unpinMessage',
+ action: 'Message_pinning',
+ });
}
- const subscription = Subscriptions.findOneByRoomIdAndUserId(message.rid, Meteor.userId(), { fields: { _id: 1 } });
+ const subscription = Subscriptions.findOneByRoomIdAndUserId(originalMessage.rid, Meteor.userId(), { fields: { _id: 1 } });
if (!subscription) {
- return false;
- }
-
- let originalMessage = Messages.findOneById(message._id);
-
- if (originalMessage == null || originalMessage._id == null) {
+ // If it's a valid message but on a room that the user is not subscribed to, report that the message was not found.
throw new Meteor.Error('error-invalid-message', 'Message you are unpinning was not found', {
method: 'unpinMessage',
action: 'Message_pinning',
});
}
+ if (!hasPermission(Meteor.userId(), 'pin-message', originalMessage.rid)) {
+ throw new Meteor.Error('not-authorized', 'Not Authorized', { method: 'unpinMessage' });
+ }
+
const me = Users.findOneById(Meteor.userId());
// If we keep history of edits, insert a new message to store history information
@@ -154,7 +166,7 @@ Meteor.methods({
username: me.username,
};
originalMessage = callbacks.run('beforeSaveMessage', originalMessage);
- const room = Meteor.call('canAccessRoom', message.rid, Meteor.userId());
+ const room = Meteor.call('canAccessRoom', originalMessage.rid, Meteor.userId());
if (isTheLastMessage(room, message)) {
Rooms.setLastMessagePinned(room._id, originalMessage.pinnedBy, originalMessage.pinned);
}
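Review bot: `isTheLastMessage(room, message)` on the line after the changed `canAccessRoom` call still passes the client-supplied `message`, while every other use in this change was switched to the server-fetched `originalMessage`; the helper is outside this view, so whether it reads more than `_id` cannot be confirmed here, but passing the stored record removes the last place where unchecked client fields could influence the room's last-message state. Change it to `if (isTheLastMessage(room, originalMessage)) {`. The function continues past the hunk.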
diff --git a/app/utils/rocketchat.info b/app/utils/rocketchat.info
index 40b378d00316..ff9110393bf7 100644
--- a/app/utils/rocketchat.info
+++ b/app/utils/rocketchat.info
@@ -1,3 +1,3 @@
{
- "version": "3.8.5"
+ "version": "3.8.8"
}
diff --git a/client/components/basic/MarkdownText.js b/client/components/basic/MarkdownText.js
index 7ac5d141ee81..1adc18fd751b 100644
--- a/client/components/basic/MarkdownText.js
+++ b/client/components/basic/MarkdownText.js
@@ -1,7 +1,7 @@
-import s from 'underscore.string';
import { Box } from '@rocket.chat/fuselage';
import React, { useMemo } from 'react';
import marked from 'marked';
+import dompurify from 'dompurify';
marked.InlineLexer.rules.gfm.strong = /^\*\*(?=\S)([\s\S]*?\S)\*\*(?!\*)|^\*(?=\S)([\s\S]*?\S)\*(?!\*)/;
marked.InlineLexer.rules.gfm.em = /^__(?=\S)([\s\S]*?\S)__(?!_)|^_(?=\S)([\s\S]*?\S)_(?!_)/;
@@ -11,10 +11,13 @@ const options = {
headerIds: false,
};
-function MarkdownText({ content, preserveHtml = false, ...props }) {
- const __html = useMemo(() => content && marked(preserveHtml ? content : s.escapeHTML(content), options), [content, preserveHtml]);
-
- return ;
+function MarkdownText({ content, preserveHtml = false, withRichContent = true, ...props }) {
+ const sanitizer = dompurify.sanitize;
+ const __html = useMemo(() => {
+ const html = content && marked(content, options);
+ return preserveHtml ? html : html && sanitizer(html);
+ }, [content, preserveHtml, sanitizer]);
+ return __html ? : null;
}
export default MarkdownText;
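Review bot: `withRichContent = true` is destructured in the new signature but never read, so it is silently dropped from `...props` and has no effect; either use it or remove it, and if it exists only to keep the prop off the `Box` element, say so with a comment. The `preserveHtml` branch on the `return preserveHtml ? html : ...` line still hands raw, un-sanitized HTML to `dangerouslySetInnerHTML`, and the meaning of `preserveHtml === false` has changed from "escape before Markdown" to "sanitize after Markdown", so a comment on the prop such as `// preserveHtml: content is trusted and bypasses DOMPurify — never pass user input` would make the contract explicit for callers. Listing `sanitizer` in the `useMemo` dependency array is harmless but pointless, since it is a stable module-level function.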
diff --git a/package-lock.json b/package-lock.json
index 97d4990886ed..540d86c9c0ca 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
{
"name": "Rocket.Chat",
- "version": "3.8.5",
+ "version": "3.8.8",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
@@ -15923,6 +15923,11 @@
"domelementtype": "1"
}
},
+ "dompurify": {
+ "version": "2.2.6",
+ "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.2.6.tgz",
+ "integrity": "sha512-7b7ZArhhH0SP6W2R9cqK6RjaU82FZ2UPM7RO8qN1b1wyvC/NY1FNWcX1Pu00fFOAnzEORtwXe4bPaClg6pUybQ=="
+ },
"domutils": {
"version": "1.5.1",
"resolved": "https://registry.npmjs.org/domutils/-/domutils-1.5.1.tgz",
diff --git a/package.json b/package.json
index fabbbba739ff..e0aa61b612a8 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
{
"name": "Rocket.Chat",
"description": "The Ultimate Open Source WebChat Platform",
- "version": "3.8.5",
+ "version": "3.8.8",
"author": {
"name": "Rocket.Chat",
"url": "https://rocket.chat/"
@@ -180,6 +180,7 @@
"core-js": "^2.6.11",
"cors": "^2.8.5",
"csv-parse": "^4.12.0",
+ "dompurify": "^2.2.6",
"ejson": "^2.2.0",
"emailreplyparser": "^0.0.5",
"emojione": "^4.5.0",