[lib] Validate IDs in DM operations
Needs ReviewPublic
Actions

Authored by tomek on Mon, Nov 4, 6:47 AM.

Details

Reviewers

kamil
angelika

Summary

We should check whether the IDs are thick - it protects us against an attacker who could try to create operations referencing thin thread entities.

https://linear.app/comm/issue/ENG-9826/validate-the-ids-from-the-dm-operations

Depends on D13848

Test Plan

Tested a couple of scenarios:

sending a text message
changing thread settings
editing a message
reacting to a message
creating a sidebar

In the cases where another message was a target, tested that it works for both text and edit thread settings messages.

Diff Detail

Repository

rCOMM Comm

Branch

master

Lint

No Lint Coverage

Unit

No Test Coverage

Event Timeline

tomek created this revision.Mon, Nov 4, 6:47 AM

Herald added a subscriber: ashoat. · View Herald TranscriptMon, Nov 4, 6:47 AM

Harbormaster completed remote builds in B32514: Diff 45580.Mon, Nov 4, 7:05 AM

tomek requested review of this revision.Mon, Nov 4, 7:05 AM

Revision Contents
Changeset List

Path

Size

lib/

types/

dm-ops.js

108 lines

utils/

validation-utils.js

1 line

Diff 45580

View Options

lib/types/dm-ops.js