Page MenuHomePhabricator
Differential D13858

[lib] Validate IDs in DM operations
ClosedPublic
Actions

Authored by tomek on Nov 4 2024, 6:47 AM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Dec 16, 3:36 AM
Unknown Object (File)
Mon, Dec 16, 3:36 AM
Unknown Object (File)
Mon, Dec 16, 3:36 AM
Unknown Object (File)
Mon, Dec 16, 3:35 AM
Unknown Object (File)
Mon, Dec 16, 3:35 AM
Unknown Object (File)
Dec 2 2024, 1:10 AM
Unknown Object (File)
Nov 27 2024, 2:54 AM
Unknown Object (File)
Nov 26 2024, 7:14 PM
View All 43 Files
Subscribers
ashoat

Details

Reviewers
kamil
angelika
Commits
rCOMMd8ed20cf4b9c: [lib] Validate IDs in DM operations
Summary

We should check whether the IDs are thick - it protects us against an attacker who could try to create operations referencing thin thread entities.

https://linear.app/comm/issue/ENG-9826/validate-the-ids-from-the-dm-operations

Depends on D13848

Test Plan

Tested a couple of scenarios:

  • sending a text message
  • changing thread settings
  • editing a message
  • reacting to a message
  • creating a sidebar

In the cases where another message was a target, tested that it works for both text and edit thread settings messages.

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

tomek created this revision.Nov 4 2024, 6:47 AM
Herald added a subscriber: ashoat. · View Herald TranscriptNov 4 2024, 6:47 AM
Harbormaster completed remote builds in B32514: Diff 45580.Nov 4 2024, 7:05 AM
tomek requested review of this revision.Nov 4 2024, 7:05 AM
kamil accepted this revision.Nov 5 2024, 2:20 AM
kamil added inline comments.
lib/types/dm-ops.js
58 ↗(On Diff #45580)

this is already defined in here

This revision is now accepted and ready to land.Nov 5 2024, 2:20 AM
tomek added inline comments.Nov 7 2024, 7:07 AM
lib/types/dm-ops.js
58 ↗(On Diff #45580)

The value is the same, but the meaning is different. In that place, we're defining what a thread ID is. Here, we're talking about other types of ID. But I think it could be generalized by renaming thickThreadIDRegex.

tomek updated this revision to Diff 45706.Nov 8 2024, 3:16 AM

Rename

Harbormaster completed remote builds in B32587: Diff 45706.Nov 8 2024, 3:33 AM
Closed by commit rCOMMd8ed20cf4b9c: [lib] Validate IDs in DM operations (authored by tomek). · Explain WhyNov 8 2024, 4:29 AM
This revision was automatically updated to reflect the committed changes.
tomek added a commit: rCOMMd8ed20cf4b9c: [lib] Validate IDs in DM operations.

Revision Contents
Changeset List

PathSize
lib/
types/
108 lines
utils/
5 lines
web/
redux/
4 lines

Diff 45712

View Options

lib/types/dm-ops.js

Loading...
View Options

lib/utils/validation-utils.js

Loading...
View Options

web/redux/initial-state-gate.js

Loading...