We should check whether the IDs are thick - it protects us against an attacker who could try to create operations referencing thin thread entities.
https://linear.app/comm/issue/ENG-9826/validate-the-ids-from-the-dm-operations
Depends on D13848
Details
Details
- Reviewers
kamil angelika - Commits
- rCOMMd8ed20cf4b9c: [lib] Validate IDs in DM operations
Tested a couple of scenarios:
- sending a text message
- changing thread settings
- editing a message
- reacting to a message
- creating a sidebar
In the cases where another message was a target, tested that it works for both text and edit thread settings messages.
Diff Detail
Diff Detail
- Repository
- rCOMM Comm
- Branch
- master
- Lint
No Lint Coverage - Unit
No Test Coverage
Event Timeline
| lib/types/dm-ops.js | ||
|---|---|---|
| 58 ↗ | (On Diff #45580) | The value is the same, but the meaning is different. In that place, we're defining what a thread ID is. Here, we're talking about other types of ID. But I think it could be generalized by renaming thickThreadIDRegex. |