Bump version to 3.18.4

.docker/Dockerfile.rhel

@@ -1,6 +1,6 @@
 FROM registry.access.redhat.com/ubi8/nodejs-12
 
-ENV RC_VERSION 3.18.3
+ENV RC_VERSION 3.18.4
 
 MAINTAINER buildmaster@rocket.chat
 

.github/history-manual.json

@@ -130,5 +130,15 @@
 		"contributors": [
 			"sampaiodiego"
 		]
+	}],
+	"3.18.4": [{
+		"title": "[FIX] Security Hotfix (https://docs.rocket.chat/guides/security/security-updates)",
+		"userLogin": "sampaiodiego",
+		"contributors": [
+			"sampaiodiego",
+			"yash-rajpal",
+			"pierre-lehnen-rc",
+			"gronke"
+		]
 	}]
 }

.github/history.json

@@ -64663,6 +64663,18 @@
         "4.2"
       ],
       "pull_requests": []
+    },
+    "3.18.4": {
+      "node_version": "12.22.1",
+      "npm_version": "6.14.1",
+      "apps_engine_version": "1.27.1",
+      "mongo_versions": [
+        "3.4",
+        "3.6",
+        "4.0",
+        "4.2"
+      ],
+      "pull_requests": []
     }
   }
-}
+}

.snapcraft/resources/prepareRocketChat

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-curl -SLf "https://releases.rocket.chat/3.18.3/download/" -o rocket.chat.tgz
+curl -SLf "https://releases.rocket.chat/3.18.4/download/" -o rocket.chat.tgz
 
 tar xf rocket.chat.tgz --strip 1
 

.snapcraft/snap/snapcraft.yaml

@@ -7,7 +7,7 @@
 # 5.  `snapcraft snap`
 
 name: rocketchat-server
-version: 3.18.3
+version: 3.18.4
 summary: Rocket.Chat server
 description: Have your own Slack like online chat, built with Meteor. https://rocket.chat/
 confinement: strict

app/api/server/v1/roles.js

@@ -136,6 +136,10 @@ API.v1.addRoute('roles.update', { authRequired: true }, {
 			mandatory2fa: Match.Maybe(Boolean),
 		});
 
+		if (!hasPermission(this.userId, 'access-permissions')) {
+			throw new Meteor.Error('error-action-not-allowed', 'Accessing permissions is not allowed');
+		}
+
 		const roleData = {
 			roleId: this.bodyParams.roleId,
 			name: this.bodyParams.name,

app/api/server/v1/users.js

@@ -194,6 +194,17 @@ API.v1.addRoute('users.info', { authRequired: true }, {
 		const { username, userId } = this.requestParams();
 		const { fields } = this.parseJsonQuery();
 
+		check(userId, Match.Maybe(String));
+		check(username, Match.Maybe(String));
+
+		if (userId !== undefined && username !== undefined) {
+			throw new Meteor.Error('invalid-filter', 'Cannot filter by id and username at once');
+		}
+
+		if (!userId && !username) {
+			throw new Meteor.Error('invalid-filter', 'Must filter by id or username');
+		}
+
 		const user = getFullUserDataByIdOrUsername({ userId: this.userId, filterId: userId, filterUsername: username });
 
 		if (!user) {

app/lib/server/functions/getFullUserData.js

@@ -78,20 +78,26 @@ const removePasswordInfo = (user) => {
 		delete user.services.email2fa;
 		delete user.services.totp;
 	}
+
 	return user;
 };
 
 export function getFullUserDataByIdOrUsername({ userId, filterId, filterUsername }) {
 	const caller = Users.findOneById(userId, { fields: { username: 1 } });
-	const myself = userId === filterId || filterUsername === caller.username;
-	const canViewAllInfo = myself || hasPermission(userId, 'view-full-other-user-info');
+	const targetUser = filterId || filterUsername;
+	const myself = (filterId && targetUser === userId) || (filterUsername && targetUser === caller.username);
+	const canViewAllInfo = !!myself || hasPermission(userId, 'view-full-other-user-info');
 
 	const fields = getFields(canViewAllInfo);
 
 	const options = {
 		fields,
 	};
-	const user = Users.findOneByIdOrUsername(filterId || filterUsername, options);
+	const user = Users.findOneByIdOrUsername(targetUser, options);
+	if (!user) {
+		return null;
+	}
+
 	user.canViewAllInfo = canViewAllInfo;
 
 	return myself ? user : removePasswordInfo(user);

app/ui-message/client/message.js

@@ -1,4 +1,5 @@
 import _ from 'underscore';
+import dompurify from 'dompurify';
 import { Meteor } from 'meteor/meteor';
 import { Tracker } from 'meteor/tracker';
 import { Template } from 'meteor/templating';
@@ -31,6 +32,7 @@ const renderBody = (msg, settings) => {
 	} else if (messageType.message) {
 		msg.msg = escapeHTML(msg.msg);
 		msg = TAPi18n.__(messageType.message, { ...typeof messageType.data === 'function' && messageType.data(msg) });
+		msg = dompurify.sanitize(msg);
 	} else if (msg.u && msg.u.username === settings.Chatops_Username) {
 		msg.html = msg.msg;
 		msg = renderMentions(msg);

app/utils/rocketchat.info

@@ -1,3 +1,3 @@
 {
-	"version": "3.18.3"
+	"version": "3.18.4"
 }

client/lib/userData.ts

@@ -33,7 +33,10 @@ export const synchronizeUserData = async (uid: Meteor.User['_id']): Promise<RawU
 		return;
 	}
 
-	cancel && cancel();
+	// Remove data from any other user that we may have retained
+	Meteor.users.remove({ _id: { $ne: uid } });
+
+	cancel?.();
 
 	cancel = await Notifications.onUser('userData', (data: IUserDataEvent) => {
 		switch (data.type) {
@@ -64,3 +67,5 @@ export const synchronizeUserData = async (uid: Meteor.User['_id']): Promise<RawU
 
 	return userData;
 };
+
+export const removeLocalUserData = (): number => Meteor.users.remove({});

client/startup/startup.ts

@@ -13,7 +13,7 @@ import { getUserPreference, t } from '../../app/utils/client';
 import 'highlight.js/styles/github.css';
 import { UserStatus } from '../../definition/UserStatus';
 import * as banners from '../lib/banners';
-import { synchronizeUserData } from '../lib/userData';
+import { synchronizeUserData, removeLocalUserData } from '../lib/userData';
 
 hljs.initHighlightingOnLoad();
 
@@ -40,6 +40,7 @@ Meteor.startup(() => {
 	Tracker.autorun(async () => {
 		const uid = Meteor.userId();
 		if (!uid) {
+			removeLocalUserData();
 			return;
 		}
 		if (!Meteor.status().connected) {

package.json

@@ -1,7 +1,7 @@
 {
 	"name": "Rocket.Chat",
 	"description": "The Ultimate Open Source WebChat Platform",
-	"version": "3.18.3",
+	"version": "3.18.4",
 	"author": {
 		"name": "Rocket.Chat",
 		"url": "https://rocket.chat/"

server/methods/reportMessage.js

@@ -1,10 +1,12 @@
 import { Meteor } from 'meteor/meteor';
 import { check } from 'meteor/check';
 
-import { Messages, Reports } from '../../app/models';
+import { Messages, Reports } from '../../app/models/server';
+import { Rooms } from '../../app/models/server/raw';
+import { canAccessRoomAsync } from '../../app/authorization/server/functions/canAccessRoom';
 
 Meteor.methods({
-	reportMessage(messageId, description) {
+	async reportMessage(messageId, description) {
 		check(messageId, String);
 		check(description, String);
 
@@ -27,6 +29,18 @@ Meteor.methods({
 			});
 		}
 
-		return Reports.createWithMessageDescriptionAndUserId(message, description, Meteor.userId());
+		const uid = Meteor.userId();
+		const { rid } = message;
+		// If the user can't access the room where the message is, report that the message id is invalid
+		const room = await Rooms.findOneById(rid);
+		if (!room || !await canAccessRoomAsync(room, { _id: uid })) {
+			throw new Meteor.Error('error-invalid-message_id', 'Invalid message id', {
+				method: 'reportMessage',
+			});
+		}
+
+		Reports.createWithMessageDescriptionAndUserId(message, description, uid);
+
+		return true;
 	},
 });