PLT-7785: Slash commands can be issued to a channel in a team without it (#7567)

* Ensured that specified channel is a part of specified team * Simplified approach to just infer team id from specified channel id to eliminate the attack vector entirely
author: Jonathan <jonfritz@gmail.com> 2017-10-04 11:12:13 -0400
committer: Christopher Speller <crspeller@gmail.com> 2017-10-04 08:12:13 -0700
commit: fa80cb10a8ad047f9504c49ed2671d31650d1878 (patch)
tree: c22a3ee08c57649e1721f272f9d87159411b3967 /model/client4.go
parent: f94b807f3973d824d8512c94e2a49b510005e56f (diff)
download: chat-fa80cb10a8ad047f9504c49ed2671d31650d1878.tar.gz
chat-fa80cb10a8ad047f9504c49ed2671d31650d1878.tar.bz2
chat-fa80cb10a8ad047f9504c49ed2671d31650d1878.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/model/client4.go b/model/client4.go
index 3bd3b2125..a7ee3df86 100644
--- a/model/client4.go
+++ b/model/client4.go
@@ -2808,7 +2808,10 @@ func (c *Client4) ListCommands(teamId string, customOnly bool) ([]*Command, *Res
 
 // ExecuteCommand executes a given command.
 func (c *Client4) ExecuteCommand(channelId, command string) (*CommandResponse, *Response) {
-	commandArgs := &CommandArgs{ChannelId: channelId, Command: command}
+	commandArgs := &CommandArgs{
+		ChannelId: channelId,
+		Command:   command,
+	}
 	if r, err := c.DoApiPost(c.GetCommandsRoute()+"/execute", commandArgs.ToJson()); err != nil {
 		return nil, BuildErrorResponse(r, err)
 	} else {
author	Jonathan <jonfritz@gmail.com>	2017-10-04 11:12:13 -0400
committer	Christopher Speller <crspeller@gmail.com>	2017-10-04 08:12:13 -0700
commit	fa80cb10a8ad047f9504c49ed2671d31650d1878 (patch)
tree	c22a3ee08c57649e1721f272f9d87159411b3967 /model/client4.go
parent	f94b807f3973d824d8512c94e2a49b510005e56f (diff)
download	chat-fa80cb10a8ad047f9504c49ed2671d31650d1878.tar.gz chat-fa80cb10a8ad047f9504c49ed2671d31650d1878.tar.bz2 chat-fa80cb10a8ad047f9504c49ed2671d31650d1878.zip