authorJonathan <jonfritz@gmail.com>2017-10-04 11:12:13 -0400
committerChristopher Speller <crspeller@gmail.com>2017-10-04 08:12:13 -0700
commitfa80cb10a8ad047f9504c49ed2671d31650d1878 (patch)
treec22a3ee08c57649e1721f272f9d87159411b3967 /api4/command_test.go
parentf94b807f3973d824d8512c94e2a49b510005e56f (diff)
PLT-7785: Slash commands can be issued to a channel in a team without it (#7567)
* Ensured that the specified channel is a part of the specified team * Simplified the approach to just infer the team id from the specified channel id, eliminating the attack vector entirely
Diffstat (limited to 'api4/command_test.go')
-rw-r--r--api4/command_test.go35
1 files changed, 35 insertions, 0 deletions
diff --git a/api4/command_test.go b/api4/command_test.go
index 705ea8548..9a6c9dc78 100644
--- a/api4/command_test.go
+++ b/api4/command_test.go
@@ -490,3 +490,38 @@ func TestExecuteCommand(t *testing.T) {
_, resp = th.SystemAdminClient.ExecuteCommand(channel.Id, "/getcommand")
CheckNoError(t, resp)
}
+
+func TestExecuteCommandAgainstChannelOnAnotherTeam(t *testing.T) {
+ th := Setup().InitBasic().InitSystemAdmin()
+ defer th.TearDown()
+ Client := th.Client
+ channel := th.BasicChannel
+
+ enableCommands := *utils.Cfg.ServiceSettings.EnableCommands
+ allowedInternalConnections := *utils.Cfg.ServiceSettings.AllowedUntrustedInternalConnections
+ defer func() {
+ utils.Cfg.ServiceSettings.EnableCommands = &enableCommands
+ utils.Cfg.ServiceSettings.AllowedUntrustedInternalConnections = &allowedInternalConnections
+ }()
+ *utils.Cfg.ServiceSettings.EnableCommands = true
+ *utils.Cfg.ServiceSettings.AllowedUntrustedInternalConnections = "localhost"
+
+ // create a slash command on some other team where we have permission to do so
+ team2 := th.CreateTeam()
+ postCmd := &model.Command{
+ CreatorId: th.BasicUser.Id,
+ TeamId: team2.Id,
+ URL: "http://localhost" + *utils.Cfg.ServiceSettings.ListenAddress + model.API_URL_SUFFIX_V4 + "/teams/command_test",
+ Method: model.COMMAND_METHOD_POST,
+ Trigger: "postcommand",
+ }
+
+ if _, err := th.App.CreateCommand(postCmd); err != nil {
+ t.Fatal("failed to create post command")
+ }
+
+ // the execute command endpoint will always search for the command by trigger and team id, inferring team id from the
+ // channel id, so there is no way to use that slash command on a channel that belongs to some other team
+ _, resp := Client.ExecuteCommand(channel.Id, "/postcommand")
+ CheckNotFoundStatus(t, resp)
+}
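Review bot: The new test only asserts the negative outcome, so it would also pass if command lookup were broken altogether; a positive control, executing `/postcommand` from a channel on `team2` and checking `CheckNoError(t, resp)` before the cross-team call, would pin down that the 404 really comes from the team inference rather than from a missing command. The `err` returned by `th.App.CreateCommand(postCmd)` is dropped in the fatal message; `t.Fatalf("failed to create post command: %v", err)` keeps the cause visible when setup fails. The comment above the `Client.ExecuteCommand` call describes the intended server behaviour well; it could also name the original issue so a future reader knows what regression this guards against, e.g. `// regression test for PLT-7785: a command on team2 must not be usable from a channel on the basic team`.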