3 changes: 3 additions & 0 deletions .github/workflows/sonar.yml
Expand Up @@ -43,6 +43,9 @@ jobs:
with:
mongodb-version: 8.0

- name: Install dependencies
run: npm ci

- name: Lint
run: npm run lint

6 changes: 4 additions & 2 deletions src/routers/config.js
@@ -1,5 +1,5 @@
import express from 'express';
import { check, query } from 'express-validator';
import { body, check, query } from 'express-validator';
import { relayOptions } from '../models/config.js';
import { auth } from '../middleware/auth.js';
import { ActionTypes, RouterTypes } from '../models/permission.js';
Expand Down Expand Up @@ -201,7 +201,9 @@ router.patch('/config/removeComponent/:id', auth, [
});

router.patch('/config/updateComponents/:id', auth, [
check('id').isMongoId()
check('id').isMongoId(),
body('components').isArray(),
body('components.*').isMongoId()
], validate, async (req, res) => {
try {
const config = await Services.updateComponent(req.params.id, req.body, req.admin);
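Review bot: The `/config/updateComponents/:id` handler still passes the whole `req.body` to `Services.updateComponent`, so only `components` is validated and any other body fields reach the service unchecked; if the service needs just that field, pass it explicitly or use `matchedData(req)`. `body('components').isArray()` also accepts an empty or arbitrarily long array, and `body('components.*')` validates nothing when there are no elements. If an empty list is not a valid update, a bound such as `body('components').isArray({ min: 1, max: MAX_COMPONENTS })` would close that (`MAX_COMPONENTS` is a placeholder for a limit the project chooses). The handler body continues outside the hunk, so how the service uses the payload is inferred.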
25 changes: 18 additions & 7 deletions src/routers/slack.js
Expand Up @@ -62,7 +62,8 @@ router.post('/slack/v1/installation', slackAuth, [

router.post('/slack/v1/authorize', auth, [
check('domain').isMongoId(),
check('team_id').exists()
check('team_id').exists(),
check('team_id').isAlphanumeric()
], validate, auth, async (req, res) => {
try {
await Services.authorizeSlackInstallation(req.body, req.admin);
Expand All @@ -75,6 +76,7 @@ router.post('/slack/v1/authorize', auth, [

router.post('/slack/v1/ticket/clear', auth, [
check('team_id').exists(),
check('team_id').isAlphanumeric(),
check('domain_id').isMongoId()
], validate, async (req, res) => {
try {
Expand All @@ -88,6 +90,7 @@ router.post('/slack/v1/ticket/clear', auth, [

router.post('/slack/v1/ticket/validate', slackAuth, [
check('team_id').exists(),
check('team_id').isAlphanumeric(),
check('domain_id').isMongoId(),
check('ticket_content.environment').exists(),
check('ticket_content.group').exists(),
Expand All @@ -107,6 +110,7 @@ router.post('/slack/v1/ticket/validate', slackAuth, [

router.post('/slack/v1/ticket/create', slackAuth, [
check('team_id').exists(),
check('team_id').isAlphanumeric(),
check('domain_id').isMongoId(),
check('ticket_content.environment').exists(),
check('ticket_content.group').exists(),
Expand All @@ -127,6 +131,7 @@ router.post('/slack/v1/ticket/create', slackAuth, [

router.post('/slack/v1/ticket/process', slackAuth, [
check('team_id').exists(),
check('team_id').isAlphanumeric(),
check('domain_id').isMongoId(),
check('ticket_id').isMongoId(),
check('approved').isBoolean()
Expand All @@ -140,7 +145,8 @@ router.post('/slack/v1/ticket/process', slackAuth, [
});

router.get('/slack/v1/findbot', slackAuth, [
query('team_id').exists()
query('team_id').exists(),
query('team_id').isAlphanumeric()
], validate, async (req, res) => {
try {
const slack = await Services.getSlack({
Expand All @@ -156,13 +162,15 @@ router.get('/slack/v1/findbot', slackAuth, [
});

router.get('/slack/v1/findinstallation', slackAuth, [
query('team_id').exists()
query('team_id').exists(),
query('team_id').isAlphanumeric()
], validate, async (req, res) => {
await findInstallation(req, res);
});

router.get('/slack/v1/installation/find', auth, [
query('team_id').exists()
query('team_id').exists(),
query('team_id').isAlphanumeric()
], validate, async (req, res) => {
await findInstallation(req, res, true);
});
Expand Down Expand Up @@ -191,7 +199,8 @@ router.get('/slack/v1/installation/:domain', auth, [
});

router.get('/slack/v1/domains', slackAuth, [
query('team_id').exists()
query('team_id').exists(),
query('team_id').isAlphanumeric()
], validate, async (req, res) => {
try {
const domains = await Services.getDomainsByTeamId(req.query.team_id);
Expand All @@ -202,13 +211,15 @@ router.get('/slack/v1/domains', slackAuth, [
});

router.delete('/slack/v1/installation', slackAuth, [
query('team_id').exists()
query('team_id').exists(),
query('team_id').isAlphanumeric()
], validate, async (req, res) => {
await deleteInstallation(req, res);
});

router.delete('/slack/v1/installation/decline', auth, [
query('team_id').exists()
query('team_id').exists(),
query('team_id').isAlphanumeric()
], validate, async (req, res) => {
await deleteInstallation(req, res);
});
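Review bot: `check('team_id').isAlphanumeric()` does not by itself guarantee a string: as far as I recall, express-validator's standard validators run per element when the value is an array, so a repeated `team_id` query parameter or a JSON array of alphanumeric strings would pass and reach the service calls as an array. Adding a type and length constraint closes that, e.g. `check('team_id').isString().isAlphanumeric().isLength({ max: 32 })` (the bound is a sample value); a missing or empty value should already fail `isAlphanumeric()`, so the separate `exists()` chain mostly duplicates the error. The same pair of chains is repeated across the eleven routes touched in this file, and a small factory such as `const teamId = (loc) => loc('team_id').isString().isAlphanumeric()` would keep them from drifting. Separately, `/slack/v1/authorize` lists `auth` both before and after `validate` on its context lines, which looks unintended.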
2 changes: 1 addition & 1 deletion tests/config.test.js
Expand Up @@ -679,7 +679,7 @@ describe('Testing component association', () => {
.set('Authorization', `Bearer ${adminMasterAccountToken}`)
.send({
components: [
responseComponent1.body._id,
responseComponent1.body.component._id,
new mongoose.Types.ObjectId()
]
}).expect(404);
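Review bot: The test edits here and in tests/slack.test.js only adjust existing inputs so they pass the new validators; nothing asserts that the validators reject bad input. Consider adding cases that send a non-array `components`, an element that is not a MongoId, and a `team_id` with non-alphanumeric characters (the old `'T_FIND_BOT'`-style ids would do), each expecting the error status the `validate` middleware returns. Without them a later edit could drop the checks while the suite stays green. The enclosing test starts outside this hunk.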
2 changes: 1 addition & 1 deletion tests/fixtures/db_api.js
Expand Up @@ -226,7 +226,7 @@ export const teamInviteNoTeam = {

export const slack = {
_id: new mongoose.Types.ObjectId(),
team_id: 'TEAM_ID',
team_id: 'T00NZ',
user_id: 'USER_ID',
domain: domainId,
settings: {
38 changes: 19 additions & 19 deletions tests/slack.test.js
Expand Up @@ -189,7 +189,7 @@ describe('Slack Installation', () => {

test('SLACK_SUITE - Should authorize installation', async () => {
//given
const installation = await buildInstallation('SHOULD_AUTHORIZE_DOMAIN', null);
const installation = await buildInstallation('T11NZ', null);

//test
const response = await request(app)
Expand Down Expand Up @@ -257,7 +257,7 @@ describe('Slack Installation', () => {

test('SLACK_SUITE - Should NOT authorize installation - Admin is not owner', async () => {
//given
const installation = await buildInstallation('SHOULD_NOT_AUTHORIZE_DOMAIN', null);
const installation = await buildInstallation('T01Y', null);

//test
await request(app)
Expand Down Expand Up @@ -285,7 +285,7 @@ describe('Slack Installation', () => {
.set('Authorization', `Bearer ${adminMasterAccountToken}`)
.send({
domain: new mongoose.Types.ObjectId(),
team_id: 'team_id'
team_id: 'T04Y'
}).expect(404);
});

Expand All @@ -301,7 +301,7 @@ describe('Slack Installation', () => {
test('SLACK_SUITE - Should find bot', async () => {
//given
const installation = { ...mock1_slack_installation };
installation.team_id = 'T_FIND_BOT';
installation.team_id = 'T14NZ';
installation.bot_payload.app_id = 'TEST_FIND_BOT1';
await Services.createSlackInstallation(installation);

Expand All @@ -316,7 +316,7 @@ describe('Slack Installation', () => {

test('SLACK_SUITE - Should NOT find bot - Not found', async () => {
await request(app)
.get('/slack/v1/findbot?enterprise_id=&team_id=NOT_FOUND')
.get('/slack/v1/findbot?enterprise_id=&team_id=T15NZ')
.set('Authorization', `Bearer ${generateToken('30s')}`)
.send().expect(404);
});
Expand All @@ -331,7 +331,7 @@ describe('Slack Installation', () => {
test('SLACK_SUITE - Should find installation', async () => {
//given
const installation = { ...mock1_slack_installation };
installation.team_id = 'T_FIND_INSTALL';
installation.team_id = 'T13NZ';
installation.installation_payload.app_id = 'TEST_FIND_INSTALLATION1';
await Services.createSlackInstallation(installation);

Expand All @@ -346,7 +346,7 @@ describe('Slack Installation', () => {

test('SLACK_SUITE - Should NOT find installation - Not found', async () => {
await request(app)
.get('/slack/v1/findinstallation?enterprise_id=&team_id=NOT_FOUND')
.get('/slack/v1/findinstallation?enterprise_id=&team_id=T12NZ')
.set('Authorization', `Bearer ${generateToken('30s')}`)
.send().expect(404);
});
Expand All @@ -361,7 +361,7 @@ describe('Slack Installation', () => {
test('SLACK_SUITE - Should find installation (Admin)', async () => {
//given
const installation = { ...mock1_slack_installation };
installation.team_id = 'T_FIND_INSTALL_ADMIN';
installation.team_id = 'T10NZ';
installation.installation_payload.app_id = 'TEST_FIND_INSTALLATION2';
await Services.createSlackInstallation(installation);

Expand All @@ -377,7 +377,7 @@ describe('Slack Installation', () => {
test('SLACK_SUITE - Should delete not authorized installation', async () => {
//given
const installation = { ...mock1_slack_installation };
installation.team_id = 'T_DELETE_INSTALL';
installation.team_id = 'T04NZ';
installation.installation_payload.app_id = 'TEST_DELETE_INSTALLATION1';
await Services.createSlackInstallation(installation);

Expand All @@ -397,7 +397,7 @@ describe('Slack Installation', () => {

test('SLACK_SUITE - Should delete NOT authorized installation', async () => {
//given
const installation = await buildInstallation('SHOULD_DELETE_AUTHORIZE_INSTALLATION', null);
const installation = await buildInstallation('T05NZ', null);

//test
await request(app)
Expand All @@ -412,7 +412,7 @@ describe('Slack Installation', () => {

test('SLACK_SUITE - Should NOT delete installation - Not found', async () => {
await request(app)
.delete('/slack/v1/installation?enterprise_id=&team_id=NOT_FOUND')
.delete('/slack/v1/installation?enterprise_id=&team_id=T06NZ')
.set('Authorization', `Bearer ${generateToken('30s')}`)
.send().expect(404);
});
Expand All @@ -426,7 +426,7 @@ describe('Slack Installation', () => {

test('SLACK_SUITE - Should unlink installation', async () => {
//given
const installation = await buildInstallation('SHOULD_UNLINK_INTEGRATION', null);
const installation = await buildInstallation('T02Y', null);
await authorizeInstallation(installation, domainId, adminMasterAccountToken);

//verify that
Expand All @@ -449,12 +449,12 @@ describe('Slack Installation', () => {

test('SLACK_SUITE - Should unlink single installation from Multi Slack Installation', async () => {
//given - installation/authorization for Domain 1
const installation = await buildInstallation('MULTI_DOMAIN_TEAM_ID', null);
const installation = await buildInstallation('T03Y', null);
await authorizeInstallation(installation, domainId, adminMasterAccountToken);

//given - installation/authorization for Domain 2
const domainId2 = await createDomain('Domain 2');
const installation2 = await buildInstallation('MULTI_DOMAIN_TEAM_ID', null);
const installation2 = await buildInstallation('T03Y', null);
await request(app)
.post('/slack/v1/authorize')
.set('Authorization', `Bearer ${adminMasterAccountToken}`)
Expand Down Expand Up @@ -495,7 +495,7 @@ describe('Slack Installation', () => {

test('SLACK_SUITE - Should decline installation', async () => {
//given
const installation = await buildInstallation('SHOULD_DECLINE_INTEGRATION', null);
const installation = await buildInstallation('T09NZ', null);

//test
await request(app)
Expand All @@ -511,7 +511,7 @@ describe('Slack Installation', () => {

test('SLACK_SUITE - Should find Domains by Slack Team Id', async () => {
//given
const teamId = 'SLACK_INSTALLATION_DOMAINS';
const teamId = 'T01NZ';
const domainId2 = await createDomain('Domain 2 (findByTeamId)');
await buildInstallation(teamId, domainId2);

Expand All @@ -532,7 +532,7 @@ describe('Slack Installation', () => {

test('SLACK_SUITE - Should find only authorized Domains by Slack Team Id', async () => {
//given
const teamId = 'SLACK_INSTALLATION_DOMAINS_NOT_AUTHORIZED';
const teamId = 'T02NZ';
const domainId = await createDomain('Domain 4 (findByTeamId)');
await buildInstallation(teamId, domainId); // authorized
await buildInstallation(teamId); // not authorized
Expand All @@ -557,7 +557,7 @@ describe('Slack Installation', () => {

test('SLACK_SUITE - Should NOT find Domains by Slack Team Id - Team Id not found', async () => {
await request(app)
.get('/slack/v1/domains?team_id=NOT_FOUND')
.get('/slack/v1/domains?team_id=T03NZ')
.set('Authorization', `Bearer ${generateToken('30s')}`)
.send().expect(404);
});
Expand Down Expand Up @@ -1046,7 +1046,7 @@ describe('Slack Route - Process Ticket', () => {
.post('/slack/v1/ticket/process')
.set('Authorization', `Bearer ${generateToken('30s')}`)
.send({
team_id: 'NOT_FOUND',
team_id: 'N0000NZ',
domain_id: domainId,
ticket_id: new mongoose.Types.ObjectId(),
approved: true