Merge pull request #734 from MaddyUnderStars/fix/sanitisation

Fix users arbitrarily editing their own User object, and disallow sending messages to certain channels ( eg categories )
2022-04-22 18:12:18 +02:00 · 2022-04-22 18:12:18 +02:00 · c160218fd2
commit c160218fd2
parent 266e9c4739 6e0040a8ca
5 changed files with 12495 additions and 8151 deletions
--- a/api/assets/schemas.json
+++ b/api/assets/schemas.json
--- a/api/scripts/generate_schema.js
+++ b/api/scripts/generate_schema.js
@ -31,7 +31,6 @@ const Excluded = [
 ];

 function modify(obj) {
-	delete obj.additionalProperties;
 	for (var k in obj) {
 		if (typeof obj[k] === "object" && obj[k] !== null) {
 			modify(obj[k]);
--- a/api/src/routes/channels/#channel_id/messages/index.ts
+++ b/api/src/routes/channels/#channel_id/messages/index.ts
@ -183,6 +183,9 @@ router.post(
 			}
 		}
 		const channel = await Channel.findOneOrFail({ where: { id: channel_id }, relations: ["recipients", "recipients.user"] });
+		if (!channel.isWritable()) {
+			throw new HTTPError(`Cannot send messages to channel of type ${channel.type}`, 400)
+		}

 		const embeds = body.embeds || [];
 		if (body.embed) embeds.push(body.embed);
@ -220,6 +223,8 @@ router.post(
 				})
 			);
 		}
+
+
 	
 		//Fix for the client bug
 		delete message.member
--- a/api/src/routes/users/@me/index.ts
+++ b/api/src/routes/users/@me/index.ts
@ -46,8 +46,6 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res:
 		}
 	}

-	user.assign(body);
-
 	if (body.new_password) {
 		if (!body.password && !user.email) {
 			throw FieldErrors({
@ -66,6 +64,7 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res:
        }
    }

+	user.assign(body);
 	await user.save();

 	// @ts-ignore
--- a/util/src/entities/Channel.ts
+++ b/util/src/entities/Channel.ts
@ -352,6 +352,17 @@ export class Channel extends BaseClass {
 	isDm() {
 		return this.type === ChannelType.DM || this.type === ChannelType.GROUP_DM;
 	}
+
+	// Does the channel support sending messages ( eg categories do not )
+	isWritable() {
+		const disallowedChannelTypes = [
+			ChannelType.GUILD_CATEGORY,
+			ChannelType.GUILD_VOICE,		// TODO: Remove this when clients can send messages to voice channels on discord.com
+			ChannelType.GUILD_STAGE_VOICE,
+			ChannelType.VOICELESS_WHITEBOARD,
+		];
+		return disallowedChannelTypes.indexOf(this.type) == -1;
+	}
 }

 export interface ChannelPermissionOverwrite {