Page MenuHomePhabricator

[lib] Validate IDs in DM operations
ClosedPublic

Authored by tomek on Mon, Nov 4, 6:47 AM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Nov 20, 3:19 PM
Unknown Object (File)
Tue, Nov 19, 12:02 AM
Unknown Object (File)
Sun, Nov 17, 12:20 AM
Unknown Object (File)
Sat, Nov 16, 2:42 AM
Unknown Object (File)
Fri, Nov 15, 11:26 PM
Unknown Object (File)
Fri, Nov 15, 5:15 PM
Unknown Object (File)
Fri, Nov 15, 8:48 AM
Unknown Object (File)
Thu, Nov 14, 2:39 PM
Subscribers

Details

Summary

We should check whether the IDs are thick - it protects us against an attacker who could try to create operations referencing thin thread entities.

https://linear.app/comm/issue/ENG-9826/validate-the-ids-from-the-dm-operations

Depends on D13848

Test Plan

Tested a couple of scenarios:

  • sending a text message
  • changing thread settings
  • editing a message
  • reacting to a message
  • creating a sidebar

In the cases where another message was a target, tested that it works for both text and edit thread settings messages.

Diff Detail

Repository
rCOMM Comm
Branch
master
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

tomek requested review of this revision.Mon, Nov 4, 7:05 AM
kamil added inline comments.
lib/types/dm-ops.js
58

this is already defined in here

This revision is now accepted and ready to land.Tue, Nov 5, 2:20 AM
lib/types/dm-ops.js
58

The value is the same, but the meaning is different. In that place, we're defining what a thread ID is. Here, we're talking about other types of ID. But I think it could be generalized by renaming thickThreadIDRegex.

This revision was automatically updated to reflect the committed changes.