fix: avoid to get files with other extensions than the proper ones for custom-sounds and emoji-custom endpoints (#38531)

Co-authored-by: Guilherme Gazzo <[email protected]>

Author: nazabucciarelli

.changeset/clean-ears-fly.md

@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Fixes a cross-resource access issue that allowed users to retrieve emojis from the Custom Sounds endpoint and sounds from the Custom Emojis endpoint when using the FileSystem storage mode.

apps/meteor/app/custom-sounds/server/startup/custom-sounds.js

@@ -1,3 +1,4 @@
+import { CustomSounds } from '@rocket.chat/models';
 import { Meteor } from 'meteor/meteor';
 import { WebApp } from 'meteor/webapp';
 
@@ -47,7 +48,17 @@ Meteor.startup(() => {
 			return;
 		}
 
+		const sound = await CustomSounds.findOneById(fileId.split('.')[0], { projection: { _id: 1 } });
+
+		if (!sound) {
+			res.writeHead(404);
+			res.write('Not found');
+			res.end();
+			return;
+		}
+
 		const file = await RocketChatFileCustomSoundsInstance.getFileWithReadStream(fileId);
+
 		if (!file) {
 			res.writeHead(404);
 			res.write('Not found');

apps/meteor/app/emoji-custom/server/startup/emoji-custom.js

@@ -1,3 +1,4 @@
+import { EmojiCustom } from '@rocket.chat/models';
 import { Meteor } from 'meteor/meteor';
 import { WebApp } from 'meteor/webapp';
 import _ from 'underscore';
@@ -8,6 +9,35 @@ import { settings } from '../../../settings/server';
 
 export let RocketChatFileEmojiCustomInstance;
 
+const writeSvgFallback = (res, req) => {
+	res.setHeader('Content-Type', 'image/svg+xml');
+	res.setHeader('Cache-Control', 'public, max-age=0');
+	res.setHeader('Expires', '-1');
+	res.setHeader('Last-Modified', 'Thu, 01 Jan 2015 00:00:00 GMT');
+
+	const reqModifiedHeader = req.headers['if-modified-since'];
+	if (reqModifiedHeader != null) {
+		if (reqModifiedHeader === 'Thu, 01 Jan 2015 00:00:00 GMT') {
+			res.writeHead(304);
+			res.end();
+			return;
+		}
+	}
+
+	const color = '#000';
+	const initials = '?';
+
+	const svg = `<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg xmlns="http://www.w3.org/2000/svg" pointer-events="none" width="50" height="50" style="width: 50px; height: 50px; background-color: ${color};">
+	<text text-anchor="middle" y="50%" x="50%" dy="0.36em" pointer-events="auto" fill="#ffffff" font-family="Helvetica, Arial, Lucida Grande, sans-serif" style="font-weight: 400; font-size: 28px;">
+		${initials}
+	</text>
+</svg>`;
+
+	res.write(svg);
+	res.end();
+};
+
 Meteor.startup(() => {
 	let storeType = 'GridFS';
 
@@ -48,39 +78,19 @@ Meteor.startup(() => {
 			return;
 		}
 
-		const file = await RocketChatFileEmojiCustomInstance.getFileWithReadStream(encodeURIComponent(params.emoji));
-
 		res.setHeader('Content-Disposition', 'inline');
 
+		const emoji = await EmojiCustom.findOneByName(params.emoji.split('.')[0], { projection: { _id: 1 } });
+
+		if (!emoji) {
+			return writeSvgFallback(res, req);
+		}
+
+		const file = await RocketChatFileEmojiCustomInstance.getFileWithReadStream(encodeURIComponent(params.emoji));
+
 		if (!file) {
 			// use code from username initials renderer until file upload is complete
-			res.setHeader('Content-Type', 'image/svg+xml');
-			res.setHeader('Cache-Control', 'public, max-age=0');
-			res.setHeader('Expires', '-1');
-			res.setHeader('Last-Modified', 'Thu, 01 Jan 2015 00:00:00 GMT');
-
-			const reqModifiedHeader = req.headers['if-modified-since'];
-			if (reqModifiedHeader != null) {
-				if (reqModifiedHeader === 'Thu, 01 Jan 2015 00:00:00 GMT') {
-					res.writeHead(304);
-					res.end();
-					return;
-				}
-			}
-
-			const color = '#000';
-			const initials = '?';
-
-			const svg = `<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg xmlns="http://www.w3.org/2000/svg" pointer-events="none" width="50" height="50" style="width: 50px; height: 50px; background-color: ${color};">
-	<text text-anchor="middle" y="50%" x="50%" dy="0.36em" pointer-events="auto" fill="#ffffff" font-family="Helvetica, Arial, Lucida Grande, sans-serif" style="font-weight: 400; font-size: 28px;">
-		${initials}
-	</text>
-</svg>`;
-
-			res.write(svg);
-			res.end();
-			return;
+			return writeSvgFallback(res, req);
 		}
 
 		const fileUploadDate = file.uploadDate != null ? file.uploadDate.toUTCString() : undefined;

packages/model-typings/src/models/IEmojiCustomModel.ts

@@ -12,4 +12,5 @@ export interface IEmojiCustomModel extends IBaseModel<IEmojiCustom> {
 	setETagByName(name: string, etag: string): Promise<UpdateResult>;
 	create(data: InsertionModel<IEmojiCustom>): Promise<InsertOneResult<WithId<IEmojiCustom>>>;
 	countByNameOrAlias(name: string): Promise<number>;
+	findOneByName(name: string, options?: FindOptions<IEmojiCustom>): Promise<IEmojiCustom | null>;
 }

packages/models/src/models/EmojiCustom.ts

@@ -90,4 +90,9 @@ export class EmojiCustomRaw extends BaseRaw<IEmojiCustom> implements IEmojiCusto
 
 		return this.countDocuments(query);
 	}
+
+	// TODO: convert name: string to branded type using to enforce validation also replace this type cross the models/apis
+	findOneByName(name: string, options?: FindOptions<IEmojiCustom>): Promise<IEmojiCustom | null> {
+		return this.findOne({ name }, options);
+	}
 }