From 2e84840213afe7682af56beedfd817ed6854248c Mon Sep 17 00:00:00 2001 From: Madeline <46743919+MaddyUnderStars@users.noreply.github.com> Date: Sun, 24 Apr 2022 16:09:38 +1000 Subject: [PATCH 1/5] While backfilling, message ids must now be valid snowflakes, cannot be in the future, and cannot overwrite existing messages --- .../#channel_id/messages/#message_id/index.ts | 24 +++++++++++++++---- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/api/src/routes/channels/#channel_id/messages/#message_id/index.ts b/api/src/routes/channels/#channel_id/messages/#message_id/index.ts index 6d2bf185..8d2bd5cb 100644 --- a/api/src/routes/channels/#channel_id/messages/#message_id/index.ts +++ b/api/src/routes/channels/#channel_id/messages/#message_id/index.ts @@ -16,6 +16,8 @@ import multer from "multer"; import { route } from "@fosscord/api"; import { handleMessage, postHandleMessage } from "@fosscord/api"; import { MessageCreateSchema } from "../index"; +import { Snowflake } from "@fosscord/util"; +import { HTTPError } from "lambert-server"; const router = Router(); // TODO: message content/embed string length limit @@ -91,6 +93,22 @@ router.put( var body = req.body as MessageCreateSchema; const attachments: Attachment[] = []; + // regex to check if message contains anything other than numerals ( also no decimals ) + if (!message_id.match(/^\+?\d+$/)) { + throw new HTTPError("Message IDs must be positive integers") + } + + const snowflake = Snowflake.deconstruct(message_id) + if (Date.now() < snowflake.timestamp) { + // message is in the future + throw new HTTPError("You cannot backfill messages in the future", 400); + } + + const exists = await Message.findOne({ where: { id: message_id, channel_id: channel_id }}); + if (exists) { + throw new HTTPError("Cannot backfill to message ID that already exists", 400); + } + if (req.file) { try { const file = await uploadFile(`/attachments/${req.params.channel_id}`, req.file); @@ -100,8 +118,6 @@ router.put( } } const channel = await Channel.findOneOrFail({ where: { id: channel_id }, relations: ["recipients", "recipients.user"] }); - - // TODO: check the ID is not from the future, to prevent future-faking of channel histories const embeds = body.embeds || []; if (body.embed) embeds.push(body.embed); @@ -115,11 +131,9 @@ router.put( channel_id, attachments, edited_timestamp: undefined, - timestamp: undefined, // FIXME: calculate timestamp from snowflake + timestamp: new Date(snowflake.timestamp), }); - channel.last_message_id = message.id; - //Fix for the client bug delete message.member From 122abacf17d8508c471f7139b0607d297d1f6357 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erkin=20Alp=20G=C3=BCney?= Date: Sun, 24 Apr 2022 09:23:52 +0300 Subject: [PATCH 2/5] Backfilling privilege does not imply right to post messages --- .../channels/#channel_id/messages/#message_id/index.ts | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/api/src/routes/channels/#channel_id/messages/#message_id/index.ts b/api/src/routes/channels/#channel_id/messages/#message_id/index.ts index 8d2bd5cb..cf25f916 100644 --- a/api/src/routes/channels/#channel_id/messages/#message_id/index.ts +++ b/api/src/routes/channels/#channel_id/messages/#message_id/index.ts @@ -92,10 +92,13 @@ router.put( const { channel_id, message_id } = req.params; var body = req.body as MessageCreateSchema; const attachments: Attachment[] = []; + + const rights = getRights(req.user_id); + rights.hasThrow("SEND_MESSAGES"); // regex to check if message contains anything other than numerals ( also no decimals ) if (!message_id.match(/^\+?\d+$/)) { - throw new HTTPError("Message IDs must be positive integers") + throw new HTTPError("Message IDs must be positive integers", 400); } const snowflake = Snowflake.deconstruct(message_id) @@ -106,7 +109,7 @@ router.put( const exists = await Message.findOne({ where: { id: message_id, channel_id: channel_id }}); if (exists) { - throw new HTTPError("Cannot backfill to message ID that already exists", 400); + throw new HTTPError("Cannot backfill to message ID that already exists", 409); } if (req.file) { From c6a79005f4ced55128e4552c827c3af61282bd96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erkin=20Alp=20G=C3=BCney?= Date: Sun, 24 Apr 2022 09:48:45 +0300 Subject: [PATCH 3/5] API response codes for backfill errors --- util/src/util/Constants.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/util/src/util/Constants.ts b/util/src/util/Constants.ts index 8d61b9b4..9ceebf30 100644 --- a/util/src/util/Constants.ts +++ b/util/src/util/Constants.ts @@ -742,6 +742,8 @@ export const FosscordApiErrors = { DELETE_MESSAGE_DISABLED: new ApiError("You are not allowed to delete your own messages", 25061), FEATURE_PERMANENTLY_DISABLED: new ApiError("This feature has been disabled server-side", 45006), MISSING_RIGHTS: new ApiError("You lack rights to perform that action ({})", 50013, undefined, [""]), + CANNOT_REPLACE_BY_BACKFILL: new APIError("Cannot backfill to message ID that already exists", 55002), + CANNOT_BACKFILL_TO_THE_FUTURE: new APIError("You cannot backfill messages in the future", 55003), CANNOT_GRANT_PERMISSIONS_EXCEEDING_RIGHTS: new ApiError("You cannot grant permissions exceeding your own rights", 50050), ROUTES_LOOPING: new ApiError("Loops in the route definition ({})", 50060, undefined, [""]), CANNOT_REMOVE_ROUTE: new ApiError("Cannot remove message route while it is in effect and being used", 50061), From ddf0626a9a667e8fa70f8fcb11ee7254062d05dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erkin=20Alp=20G=C3=BCney?= Date: Sun, 24 Apr 2022 09:57:00 +0300 Subject: [PATCH 4/5] refine error codes for backfill constraint violations --- util/src/util/Constants.ts | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/util/src/util/Constants.ts b/util/src/util/Constants.ts index 9ceebf30..54287af6 100644 --- a/util/src/util/Constants.ts +++ b/util/src/util/Constants.ts @@ -727,23 +727,23 @@ export const DiscordApiErrors = { * An error encountered while performing an API request (Fosscord only). Here are the potential errors: */ export const FosscordApiErrors = { - MANUALLY_TRIGGERED_ERROR: new ApiError("This is an artificial error", 1), + MANUALLY_TRIGGERED_ERROR: new ApiError("This is an artificial error", 1, 500), PREMIUM_DISABLED_FOR_GUILD: new ApiError("This guild cannot be boosted", 25001), NO_FURTHER_PREMIUM: new ApiError("This guild does not receive further boosts", 25002), - GUILD_PREMIUM_DISABLED_FOR_YOU: new ApiError("This guild cannot be boosted by you", 25003), + GUILD_PREMIUM_DISABLED_FOR_YOU: new ApiError("This guild cannot be boosted by you", 25003, 403), CANNOT_FRIEND_SELF: new ApiError("Cannot friend oneself", 25009), USER_SPECIFIC_INVITE_WRONG_RECIPIENT: new ApiError("This invite is not meant for you", 25010), USER_SPECIFIC_INVITE_FAILED: new ApiError("Failed to invite user", 25011), - CANNOT_MODIFY_USER_GROUP: new ApiError("This user cannot manipulate this group", 25050), + CANNOT_MODIFY_USER_GROUP: new ApiError("This user cannot manipulate this group", 25050, 403), CANNOT_REMOVE_SELF_FROM_GROUP: new ApiError("This user cannot remove oneself from user group", 25051), CANNOT_BAN_OPERATOR: new ApiError("Non-OPERATOR cannot ban OPERATOR from instance", 25052), - CANNOT_LEAVE_GUILD: new ApiError("You are not allowed to leave guilds that you joined by yourself", 25059), - EDITS_DISABLED: new ApiError("You are not allowed to edit your own messages", 25060), - DELETE_MESSAGE_DISABLED: new ApiError("You are not allowed to delete your own messages", 25061), - FEATURE_PERMANENTLY_DISABLED: new ApiError("This feature has been disabled server-side", 45006), + CANNOT_LEAVE_GUILD: new ApiError("You are not allowed to leave guilds that you joined by yourself", 25059, 403), + EDITS_DISABLED: new ApiError("You are not allowed to edit your own messages", 25060, 403), + DELETE_MESSAGE_DISABLED: new ApiError("You are not allowed to delete your own messages", 25061, 403), + FEATURE_PERMANENTLY_DISABLED: new ApiError("This feature has been disabled server-side", 45006, 501), MISSING_RIGHTS: new ApiError("You lack rights to perform that action ({})", 50013, undefined, [""]), - CANNOT_REPLACE_BY_BACKFILL: new APIError("Cannot backfill to message ID that already exists", 55002), - CANNOT_BACKFILL_TO_THE_FUTURE: new APIError("You cannot backfill messages in the future", 55003), + CANNOT_REPLACE_BY_BACKFILL: new ApiError("Cannot backfill to message ID that already exists", 55002, 409), + CANNOT_BACKFILL_TO_THE_FUTURE: new ApiError("You cannot backfill messages in the future", 55003), CANNOT_GRANT_PERMISSIONS_EXCEEDING_RIGHTS: new ApiError("You cannot grant permissions exceeding your own rights", 50050), ROUTES_LOOPING: new ApiError("Loops in the route definition ({})", 50060, undefined, [""]), CANNOT_REMOVE_ROUTE: new ApiError("Cannot remove message route while it is in effect and being used", 50061), From 6a1e2edd8ddc7e5aef8ed2847431673eb5b0084b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erkin=20Alp=20G=C3=BCney?= Date: Sun, 24 Apr 2022 11:40:24 +0300 Subject: [PATCH 5/5] use return codes to allow for automation --- .../channels/#channel_id/messages/#message_id/index.ts | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/api/src/routes/channels/#channel_id/messages/#message_id/index.ts b/api/src/routes/channels/#channel_id/messages/#message_id/index.ts index cf25f916..958954b6 100644 --- a/api/src/routes/channels/#channel_id/messages/#message_id/index.ts +++ b/api/src/routes/channels/#channel_id/messages/#message_id/index.ts @@ -2,13 +2,16 @@ import { Attachment, Channel, Embed, + DiscordApiErrors, emitEvent, + FosscordApiErrors, getPermission, getRights, Message, MessageCreateEvent, MessageDeleteEvent, MessageUpdateEvent, + Snowflake, uploadFile } from "@fosscord/util"; import { Router, Response, Request } from "express"; @@ -16,7 +19,6 @@ import multer from "multer"; import { route } from "@fosscord/api"; import { handleMessage, postHandleMessage } from "@fosscord/api"; import { MessageCreateSchema } from "../index"; -import { Snowflake } from "@fosscord/util"; import { HTTPError } from "lambert-server"; const router = Router(); @@ -104,12 +106,12 @@ router.put( const snowflake = Snowflake.deconstruct(message_id) if (Date.now() < snowflake.timestamp) { // message is in the future - throw new HTTPError("You cannot backfill messages in the future", 400); + throw FosscordApiErrors.CANNOT_BACKFILL_TO_THE_FUTURE; } const exists = await Message.findOne({ where: { id: message_id, channel_id: channel_id }}); if (exists) { - throw new HTTPError("Cannot backfill to message ID that already exists", 409); + throw FosscordApiErrors.CANNOT_REPLACE_BY_BACKFILL; } if (req.file) {