From fa80cb10a8ad047f9504c49ed2671d31650d1878 Mon Sep 17 00:00:00 2001
From: Jonathan
Date: Wed, 4 Oct 2017 11:12:13 -0400
Subject: PLT-7785: Slash commands can be issued to a channel in a team without it (#7567)

* Ensured that specified channel is a part of specified team
* Simplified approach to just infer team id from specified channel id to eliminate the attack vector entirely
---
 model/client4.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'model')

diff --git a/model/client4.go b/model/client4.go
index 3bd3b2125..a7ee3df86 100644
--- a/model/client4.go
+++ b/model/client4.go
@@ -2808,7 +2808,10 @@ func (c *Client4) ListCommands(teamId string, customOnly bool) ([]*Command, *Res
 
 // ExecuteCommand executes a given command.
 func (c *Client4) ExecuteCommand(channelId, command string) (*CommandResponse, *Response) {
- commandArgs := &CommandArgs{ChannelId: channelId, Command: command}
+ commandArgs := &CommandArgs{
+ ChannelId: channelId,
+ Command: command,
+ }
 if r, err := c.DoApiPost(c.GetCommandsRoute()+"/execute", commandArgs.ToJson()); err != nil {
 return nil, BuildErrorResponse(r, err)
 } else {
-- 
cgit v1.2.3-1-g7c22
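Review bot: The doc comment above `ExecuteCommand` does not state the contract this commit relies on: the request carries only `ChannelId` and `Command`, and per the commit message the team is to be inferred from the channel. I would extend it to `// ExecuteCommand executes a given slash command in the channel channelId; no team id is sent, the server is expected to derive the team from the channel.` The literal in this hunk is only re-wrapped, so the authorization check itself presumably lives in server-side files that this 'model'-limited view does not show; that handler should ignore or reject any client-supplied team id that does not match the channel's team, and a test should cover the mismatch case. The function body continues past the end of the hunk.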