
fix: prevent cross-room data exposure via query parameter injection#39453

Open
abhayguptas wants to merge 2 commits into RocketChat:develop from abhayguptas:fix/cross-room-data-exposure

Conversation


@abhayguptas abhayguptas commented Mar 8, 2026

Proposed changes

Problem

When ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS=TRUE is enabled, users can inject a custom query parameter that overrides the room ID (rid) filter in API endpoints, allowing cross-room data exposure.

Vulnerable Code Locations

  • im.ts: Messages endpoint query merge
  • channels.ts: Messages and Files endpoints query merge
  • groups.ts: Messages and Files endpoints query merge

Solution

Strip protected keys (rid) from user-supplied query before merging with server-enforced constraints.

Files Changed

  • apps/meteor/app/api/server/v1/im.ts
  • apps/meteor/app/api/server/v1/channels.ts
  • apps/meteor/app/api/server/v1/groups.ts

Tests Added

  • apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts

Issue(s)

#39452

Steps to test or reproduce

  1. Enable ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS=TRUE
  2. As an authenticated user, call /api/v1/im.messages with query={"rid":"other-room-id"}
  3. Before fix: Can access messages from other rooms
  4. After fix: Request is rejected, rid is enforced

Summary by CodeRabbit

  • Bug Fixes

    • Message and file endpoints for channels, groups, and direct messages now enforce the server-determined room ID; incoming query parameters can no longer override it. Other user-supplied filters (mentions, starred, pinned, etc.) are retained.
  • Tests

    • Added unit tests that validate the secure query-merge behavior and illustrate the prior vulnerable pattern where a user-provided room ID could take precedence.

…njection

- Strip rid from user query before merging with server constraints
- Fix vulnerable query merge patterns in im, channels, and groups APIs
- Add unit tests for query merge security
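As an added illustration (not Rocket.Chat's code and not the PR's spec file), the two merge patterns the description contrasts, written in TypeScript: the vulnerable form spreads the user-supplied query after the server's `rid`, so a user-supplied `rid` wins; the secure form drops protected keys from the user query and then sets `rid` from the server. `vulnerableMerge`, `secureMerge`, `isScopedToRoom`, `PROTECTED_KEYS`, the room ids and the sample query are all constructed for this example; `serverRoomId` stands in for the `findResult._id` / `room._id` the routes resolve.

```typescript
// Added example, not Rocket.Chat code: contrasts the vulnerable and the secure
// query-merge pattern for a room-scoped endpoint. `serverRoomId` stands for the
// room id the route has already resolved (findResult._id / room._id in the PR);
// `userQuery` is the parsed `query` API parameter, which the server only honours
// when ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS=TRUE.

type Query = Record<string, unknown>;

// Keys the server owns; a client must never be able to set them. The PR
// protects only `rid`; the list form keeps the intent explicit (constructed).
const PROTECTED_KEYS: readonly string[] = ['rid'];

// Vulnerable pattern: the user query is spread AFTER the server constraint, so
// a user-supplied `rid` overwrites the server's value.
function vulnerableMerge(serverRoomId: string, userQuery: Query = {}): Query {
  return { rid: serverRoomId, ...userQuery };
}

// Secure pattern (the shape the PR adopts): strip protected keys from the user
// query first, then set `rid` from the server. Spreading the sanitized query
// FIRST means the server value wins even if a protected key slipped through.
function secureMerge(serverRoomId: string, userQuery: Query = {}): Query {
  const sanitized: Query = {};
  for (const key of Object.keys(userQuery)) {
    if (PROTECTED_KEYS.indexOf(key) === -1) {
      sanitized[key] = userQuery[key];
    }
  }
  return { ...sanitized, rid: serverRoomId };
}

// Guard usable from a unit test: did the merge keep the server's room scope?
function isScopedToRoom(merged: Query, serverRoomId: string): boolean {
  return merged.rid === serverRoomId;
}

// Constructed sample: a query that names another room while also carrying
// legitimate filters (mentions, pinned) that the endpoint should still honour.
const sampleUserQuery: Query = {
  rid: 'other-room-id',
  'mentions._id': 'user-1',
  pinned: true,
};

function demo(): { vulnerable: Query; secure: Query } {
  const serverRoomId = 'this-room-id';
  return {
    vulnerable: vulnerableMerge(serverRoomId, sampleUserQuery),
    secure: secureMerge(serverRoomId, sampleUserQuery),
  };
}

// Stand-alone run (filename assumed): npx ts-node queryMerge.ts
const result = demo();
console.log('vulnerable merge scoped to server room:', isScopedToRoom(result.vulnerable, 'this-room-id')); // false
console.log('secure merge scoped to server room:', isScopedToRoom(result.secure, 'this-room-id')); // true
```

The order of the two spreads is the whole difference between the patterns, which is also why the cubic review below flags a "vulnerable" test helper written with the safe precedence: such a helper never reproduces the override, so the assertion that documents the bug cannot hold.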
@abhayguptas abhayguptas requested a review from a team as a code owner March 8, 2026 09:56
@dionisio-bot
Contributor

dionisio-bot Bot commented Mar 8, 2026

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

@changeset-bot

changeset-bot Bot commented Mar 8, 2026

⚠️ No Changeset found

Latest commit: e018794

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai
Contributor

coderabbitai Bot commented Mar 8, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7290de14-d3d9-43a8-89c2-fab4c63ef25f

📥 Commits

Reviewing files that changed from the base of the PR and between 74f5c57 and e018794.

📒 Files selected for processing (1)
  • apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts

Walkthrough

Prevents user-supplied rid from overriding server-determined room IDs by filtering out rid from incoming queries and explicitly setting rid to the route's room id across channels, groups, and IM file/message endpoints; adds tests demonstrating secure vs. vulnerable merge patterns.

Changes

Cohort / File(s): API Route Security Fixes (channels/groups/im)
  apps/meteor/app/api/server/v1/channels.ts, apps/meteor/app/api/server/v1/groups.ts, apps/meteor/app/api/server/v1/im.ts
Summary: Changed query assembly in messages and files routes to remove any rid from the incoming query and explicitly set rid to the server-determined room id, preventing client-supplied rid from overriding route context.

Cohort / File(s): Query Merge Security Tests
  apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts
Summary: Added unit tests illustrating secure merge (filters out user rid) vs. vulnerable merge (allows user rid to override), validating behavior and preserving other query fields.

Sequence Diagram(s)

sequenceDiagram
  participant Client as Client
  participant API as API Route\n(v1 messages/files)
  participant DB as Database
  rect rgba(200,200,255,0.5)
    Client->>API: Request with query (may include `rid`)
    API->>API: Filter out `rid` from query\nSet `rid` = server room id
    API->>DB: Query with authoritative `rid` + other filters
    DB-->>API: Return messages/files
    API-->>Client: Respond with results
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

type: bug

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and concisely summarizes the main security fix: preventing cross-room data exposure via query parameter injection, which is the primary change throughout the pull request.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@abhayguptas abhayguptas changed the title (fix): prevent cross-room data exposure via query parameter injection fix: prevent cross-room data exposure via query parameter injection Mar 8, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


2 issues found across 4 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts">

<violation number="1" location="apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts:7">
P2: Security spec validates locally recreated merge logic rather than real API handlers, so it may miss regressions in production query-merging code.</violation>

<violation number="2" location="apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts:20">
P2: The vulnerable merge helper uses safe precedence, making the vulnerability assertion incorrect and causing a contradictory/failing test.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts (1)

1-3: Remove unused imports.

proxyquire and sinon are imported but not used in these tests. The tests only use chai's expect.

🧹 Proposed fix to remove unused imports
 import { expect } from 'chai';
-import proxyquire from 'proxyquire';
-import sinon from 'sinon';
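Review bot: Removing both imports is only the right fix if the spec is meant to stay self-contained; the cubic finding above (violation 1) says the spec re-implements the merge logic locally instead of exercising the real route handlers, and wiring it to the actual modules would most likely bring `proxyquire` back into use to stub the handlers' dependencies. Decide that first, then either drop both lines as shown or keep `proxyquire` with a real use; in both cases confirm with a search that no other reference to `proxyquire` or `sinon` remains in queryMergeSecurity.spec.ts, otherwise the file stops compiling.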
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts`
around lines 1 - 3, The test file currently imports proxyquire and sinon but
never uses them; remove the unused imports by editing the import statements so
only chai's expect is imported (keep the symbol expect and remove proxyquire and
sinon references), ensuring there are no leftover references to proxyquire or
sinon elsewhere in queryMergeSecurity.spec.ts.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7b3a54bf-8787-4dcb-9ff4-e35f89cf4393

📥 Commits

Reviewing files that changed from the base of the PR and between 4f43a85 and 74f5c57.

📒 Files selected for processing (4)
  • apps/meteor/app/api/server/v1/channels.ts
  • apps/meteor/app/api/server/v1/groups.ts
  • apps/meteor/app/api/server/v1/im.ts
  • apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: cubic · AI code reviewer
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

  • apps/meteor/app/api/server/v1/channels.ts
  • apps/meteor/app/api/server/v1/im.ts
  • apps/meteor/app/api/server/v1/groups.ts
  • apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts
**/*.spec.ts

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.spec.ts: Use descriptive test names that clearly communicate expected behavior in Playwright tests
Use .spec.ts extension for test files (e.g., login.spec.ts)

Files:

  • apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts
🧠 Learnings (17)
📓 Common learnings
Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:18.785Z
Learning: In Rocket.Chat PR reviews, maintain strict scope boundaries—when a PR is focused on a specific endpoint (e.g., rooms.favorite), avoid reviewing or suggesting changes to other endpoints that were incidentally refactored (e.g., rooms.invite) unless explicitly requested by maintainers.
Learnt from: cardoso
Repo: RocketChat/Rocket.Chat PR: 36890
File: apps/meteor/tests/e2e/e2e-encryption/e2ee-otr.spec.ts:21-26
Timestamp: 2025-09-16T13:33:49.237Z
Learning: The im.delete API endpoint accepts either a `roomId` parameter (requiring the actual DM room _id) or a `username` parameter (for the DM partner's username). Constructing slug-like identifiers like `user2${Users.userE2EE.data.username}` doesn't work for this endpoint.
Learnt from: cardoso
Repo: RocketChat/Rocket.Chat PR: 36890
File: apps/meteor/tests/e2e/e2e-encryption/e2ee-otr.spec.ts:21-26
Timestamp: 2025-09-16T13:33:49.237Z
Learning: In Rocket.Chat test files, the im.delete API endpoint accepts either a `roomId` parameter (requiring the actual DM room _id) or a `username` parameter (for the DM partner's username). It does not accept slug-like constructions such as concatenating usernames together.
Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 37205
File: ee/packages/federation-matrix/src/FederationMatrix.ts:296-301
Timestamp: 2025-10-28T16:53:42.761Z
Learning: In the Rocket.Chat federation-matrix integration (ee/packages/federation-matrix/), the createRoom method from rocket.chat/federation-sdk will support a 4-argument signature (userId, roomName, visibility, displayName) in newer versions. Code using this 4-argument call is forward-compatible with planned library updates and should not be flagged as an error.
📚 Learning: 2026-02-24T19:09:01.522Z
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:01.522Z
Learning: In Rocket.Chat OpenAPI migration PRs for endpoints under apps/meteor/app/api/server/v1, avoid introducing logic changes. Only perform scope-tight changes that preserve behavior; style-only cleanups (e.g., removing inline comments) may be deferred to follow-ups to keep the migration PR focused.

Applied to files:

  • apps/meteor/app/api/server/v1/channels.ts
  • apps/meteor/app/api/server/v1/im.ts
  • apps/meteor/app/api/server/v1/groups.ts
📚 Learning: 2026-02-25T20:10:16.987Z
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38913
File: packages/ddp-client/src/legacy/types/SDKLegacy.ts:34-34
Timestamp: 2026-02-25T20:10:16.987Z
Learning: In the RocketChat/Rocket.Chat monorepo, packages/ddp-client and apps/meteor do not use TypeScript project references. Module augmentations in apps/meteor (e.g., declare module 'rocket.chat/rest-typings') are not visible when compiling packages/ddp-client in isolation, which is why legacy SDK methods that depend on OperationResult types for OpenAPI-migrated endpoints must remain commented out.

Applied to files:

  • apps/meteor/app/api/server/v1/channels.ts
📚 Learning: 2026-01-17T01:51:47.764Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38219
File: packages/core-typings/src/cloud/Announcement.ts:5-6
Timestamp: 2026-01-17T01:51:47.764Z
Learning: In packages/core-typings/src/cloud/Announcement.ts, the AnnouncementSchema.createdBy field intentionally overrides IBannerSchema.createdBy (object with _id and optional username) with a string enum ['cloud', 'system'] to match existing runtime behavior. This is documented as technical debt with a FIXME comment at apps/meteor/app/cloud/server/functions/syncWorkspace/handleCommsSync.ts:53 and should not be flagged as an error until the runtime behavior is corrected.

Applied to files:

  • apps/meteor/app/api/server/v1/channels.ts
📚 Learning: 2026-01-26T18:26:01.279Z
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 38227
File: apps/meteor/app/api/server/router.ts:44-49
Timestamp: 2026-01-26T18:26:01.279Z
Learning: In apps/meteor/app/api/server/router.ts, when retrieving bodyParams and queryParams from the Hono context via c.get(), do not add defensive defaults (e.g., ?? {}). The code should fail fast if these parameters are missing, as endpoint handlers expect them to be present and breaking here helps surface parsing problems rather than hiding them.

Applied to files:

  • apps/meteor/app/api/server/v1/channels.ts
  • apps/meteor/app/api/server/v1/im.ts
📚 Learning: 2026-02-23T17:53:06.802Z
Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:06.802Z
Learning: During PR reviews that touch endpoint files under apps/meteor/app/api/server/v1, enforce strict scope: if a PR targets a specific endpoint (e.g., rooms.favorite), do not propose changes to unrelated endpoints (e.g., rooms.invite) unless maintainers explicitly request them. Focus feedback on the touched endpoint's behavior, API surface, and related tests; avoid broad cross-endpoint changes in the same PR unless requested.

Applied to files:

  • apps/meteor/app/api/server/v1/channels.ts
  • apps/meteor/app/api/server/v1/im.ts
  • apps/meteor/app/api/server/v1/groups.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

  • apps/meteor/app/api/server/v1/channels.ts
  • apps/meteor/app/api/server/v1/im.ts
  • apps/meteor/app/api/server/v1/groups.ts
  • apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

  • apps/meteor/app/api/server/v1/channels.ts
  • apps/meteor/app/api/server/v1/im.ts
  • apps/meteor/app/api/server/v1/groups.ts
  • apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts
📚 Learning: 2025-09-16T13:33:49.237Z
Learnt from: cardoso
Repo: RocketChat/Rocket.Chat PR: 36890
File: apps/meteor/tests/e2e/e2e-encryption/e2ee-otr.spec.ts:21-26
Timestamp: 2025-09-16T13:33:49.237Z
Learning: In Rocket.Chat test files, the im.delete API endpoint accepts either a `roomId` parameter (requiring the actual DM room _id) or a `username` parameter (for the DM partner's username). It does not accept slug-like constructions such as concatenating usernames together.

Applied to files:

  • apps/meteor/app/api/server/v1/im.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Ensure tests run reliably in parallel without shared state conflicts

Applied to files:

  • apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Utilize Playwright fixtures (`test`, `page`, `expect`) for consistency in test files

Applied to files:

  • apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Maintain test isolation between test cases in Playwright tests

Applied to files:

  • apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `expect` matchers for assertions (`toEqual`, `toContain`, `toBeTruthy`, `toHaveLength`, etc.) instead of `assert` statements in Playwright tests

Applied to files:

  • apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Group related tests in the same file

Applied to files:

  • apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts
📚 Learning: 2025-12-10T21:00:54.909Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37091
File: ee/packages/abac/jest.config.ts:4-7
Timestamp: 2025-12-10T21:00:54.909Z
Learning: Rocket.Chat monorepo: Jest testMatch pattern '<rootDir>/src/**/*.spec.(ts|js|mjs)' is valid in this repo and used across multiple packages (e.g., packages/tools, ee/packages/omnichannel-services). Do not flag it as invalid in future reviews.

Applied to files:

  • apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts
📚 Learning: 2026-02-24T19:22:48.358Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 38493
File: apps/meteor/tests/e2e/omnichannel/omnichannel-send-pdf-transcript.spec.ts:66-67
Timestamp: 2026-02-24T19:22:48.358Z
Learning: In Playwright end-to-end tests (e.g., under apps/meteor/tests/e2e/...), prefer locating elements by translated text (getByText) and ARIA roles (getByRole) over data-qa attributes. If translation values change, update the corresponding test locators accordingly. Never use data-qa locators. This guideline applies to all Playwright e2e test specs in the repository and helps keep tests robust to UI text changes and accessible semantics.

Applied to files:

  • apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts
📚 Learning: 2026-03-06T18:10:15.268Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 39397
File: packages/gazzodown/src/code/CodeBlock.spec.tsx:47-68
Timestamp: 2026-03-06T18:10:15.268Z
Learning: In tests (especially those using testing-library/dom/jsdom) for Rocket.Chat components, the HTML <code> element has an implicit ARIA role of 'code'. Therefore, screen.getByRole('code') or screen.findByRole('code') will locate <code> elements even without a role attribute. Do not flag findByRole('code') as invalid in reviews; prefer using the implicit role instead of adding role="code" unless necessary for accessibility.

Applied to files:

  • apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts
🔇 Additional comments (8)
apps/meteor/app/api/server/v1/groups.ts (2)

405-413: Security fix correctly implemented for groups.files.

The query construction properly strips rid from user-supplied query parameters before merging, ensuring the server-enforced findResult.rid cannot be overridden. Other query parameters are preserved.


791-800: Security fix correctly implemented for groups.messages.

The ourQuery construction follows the same secure pattern: server-controlled rid is set explicitly, and user-supplied rid is filtered out while preserving other query fields.

apps/meteor/app/api/server/v1/im.ts (3)

337-345: Security fix correctly implemented for dm.files/im.files.

The filter construction properly protects rid by setting it from room._id and filtering out any user-supplied rid from the query.


510-519: Security fix correctly implemented for dm.messages/im.messages.

The ourQuery follows the secure merge pattern, ensuring server-determined room._id is used for rid while preserving other user query parameters.


564-564: Security fix correctly implemented for dm.messages.others/im.messages.others.

Concise single-line implementation that correctly filters rid from user query while preserving other fields.

apps/meteor/app/api/server/v1/channels.ts (2)

307-316: Security fix correctly implemented for channels.messages.

The ourQuery construction properly enforces server-side rid from findResult._id and strips any user-supplied rid from the query while preserving other parameters like mentions._id, starred._id, and pinned.


827-835: Security fix correctly implemented for channels.files.

The filter construction follows the established secure pattern, ensuring the server-determined rid cannot be overridden by user-supplied query parameters.

apps/meteor/tests/unit/app/api/server/helpers/queryMergeSecurity.spec.ts (1)

5-87: Well-structured tests demonstrating the security fix.

The test suite effectively validates the query merge security pattern:

  • Confirms server rid takes precedence over user-supplied rid
  • Verifies other query parameters are preserved
  • Handles edge cases (empty query, query without rid)
  • Includes a comparison test showing the vulnerable pattern for documentation
