
[BUG]: Unauthorized access vulnerability #143

@winter1215

Description


There may be an unauthorized-access vulnerability: if I know someone else's converseId and msgId, I can call this API to get a fragment of their chat history and from there obtain the entire conversation. Could the place marked todo in the code below be fixed?

```typescript
async fetchNearbyMessage(
    ctx: TcContext<{
      converseId: string;
      messageId: string;
      num?: number;
    }>
  ) {
    const { converseId, messageId, num = 5 } = ctx.params;
    const { t } = ctx.meta;
    const message = await this.adapter.model
      .findOne({
        _id: new Types.ObjectId(messageId),
        converseId: new Types.ObjectId(converseId),
      })
      .limit(1)
      .exec();

    if (!message) {
      throw new DataNotFoundError(t('没有找到消息'));
    }
    // todo: should check here whether loginUserId is a member of this converse

    const [prev, next] = await Promise.all([
      this.adapter.model
        .find({
          _id: {
            $lt: new Types.ObjectId(messageId),
          },
          converseId: new Types.ObjectId(converseId),
        })
        .sort({ _id: -1 })
        .limit(num)
        .exec()
        .then((arr) => arr.reverse()),
      this.adapter.model
        .find({
          _id: {
            $gt: new Types.ObjectId(messageId),
          },
          converseId: new Types.ObjectId(converseId),
        })
        .sort({ _id: 1 })
        .limit(num)
        .exec(),
    ]);

    console.log({ prev, next });

    return this.transformDocuments(ctx, {}, [...prev, message, ...next]);
  }
```
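The following is an added example, not code from the project or from the reporter: an in-memory model of `fetchNearbyMessage` that fills in the `todo` by requiring the calling user to be a member of the converse before any message is looked up. The `Store`, `Converse` and `Message` types, the sample data and the `NoPermissionError` class are hypothetical stand-ins for the real Mongoose models; in the real service the user id would come from the authenticated session (`ctx.meta`), never from `ctx.params`. The membership check deliberately runs before the message lookup, so a non-member receives the same error whether or not the requested `messageId` exists and cannot use the endpoint to probe for valid ids.

```typescript
// Added example (hypothetical types and store, not the project's own code).
class DataNotFoundError extends Error {}
class NoPermissionError extends Error {}

interface Message {
  id: number;          // stands in for the ObjectId; increases with insertion order
  converseId: string;
  text: string;
}

interface Converse {
  id: string;
  members: string[];   // user ids allowed to read this converse
}

interface Store {
  converses: Map<string, Converse>;
  messages: Message[];
}

/** True only when loginUserId is a current member of the converse. */
function canReadConverse(store: Store, loginUserId: string, converseId: string): boolean {
  const converse = store.converses.get(converseId);
  return converse !== undefined && converse.members.includes(loginUserId);
}

function fetchNearbyMessage(
  store: Store,
  loginUserId: string,   // caller identity from the session, not a request parameter
  converseId: string,
  messageId: number,
  num = 5
): Message[] {
  // Authorization first: a non-member gets the same error whether or not the
  // message exists, so the endpoint cannot be used as an id-existence oracle.
  if (!canReadConverse(store, loginUserId, converseId)) {
    throw new NoPermissionError('not a member of this converse');
  }

  const message = store.messages.find(
    (m) => m.id === messageId && m.converseId === converseId
  );
  if (!message) {
    throw new DataNotFoundError('message not found');
  }

  // Same windowing as the reported code: up to num older messages (returned in
  // ascending order) and up to num newer ones, restricted to this converse.
  const sameConverse = store.messages.filter((m) => m.converseId === converseId);
  const prev = sameConverse
    .filter((m) => m.id < messageId)
    .sort((a, b) => b.id - a.id)
    .slice(0, num)
    .reverse();
  const next = sameConverse
    .filter((m) => m.id > messageId)
    .sort((a, b) => a.id - b.id)
    .slice(0, num);

  return [...prev, message, ...next];
}

/** Constructed sample data: two converses with disjoint member sets. */
function buildSampleStore(): Store {
  const converses = new Map<string, Converse>([
    ['c1', { id: 'c1', members: ['alice', 'bob'] }],
    ['c2', { id: 'c2', members: ['carol'] }],
  ]);
  const messages: Message[] = [
    { id: 1, converseId: 'c1', text: 'hi' },
    { id: 2, converseId: 'c1', text: 'hello' },
    { id: 3, converseId: 'c2', text: 'private' },
    { id: 4, converseId: 'c1', text: 'how are you' },
    { id: 5, converseId: 'c1', text: 'fine' },
    { id: 6, converseId: 'c1', text: 'bye' },
  ];
  return { converses, messages };
}
```

With the sample store, `fetchNearbyMessage(store, 'alice', 'c1', 4, 1)` returns messages 2, 4 and 5, while the same call as `carol` (a member of `c2` only) is rejected before the message query runs; requesting a message id that belongs to another converse still yields `DataNotFoundError` for a legitimate member, matching the `converseId` filter in the original query.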
