Mateusz Mandera 6e11754642 CVE-2021-30478: Prevent API super users from forging messages to other organizations.
A bug in the implementation of the can_forge_sender permission
(previously is_api_super_user) resulted in users with this permission
being able to send messages appearing as if sent by system bots,
including to other organizations hosted by the same Zulip installation.

- The send message API had a bug allowing an api super user to
  use forging to send messages to other realms' streams, as a
  cross-realm bot. We fix this most directly by eliminating the
  realm_str parameter - it is not necessary for any valid current use
  case. The email gateway doesn't use this API despite the comment in
  that block suggesting otherwise.
- The conditionals inside access_stream_for_send_message are changed up
  to improve security. They were generally not ordered very well,
  allowing the function to successfully return due to very weak
  acceptance conditions - skipping the higher importance checks that
  should lead to raising an error.
- The query count in test_subs is decreased because
  access_stream_for_send_message returns earlier when doing its check
  for a cross-realm bot sender - some subscription checking queries are
  skipped.
- A linkifier test in test_message_dict needs to be changed. It didn't
  make much sense in the first place, because it was creating a message
  by a normal user, to a stream outside of the user's realm. That
  shouldn't even be allowed.
2021-04-14 12:37:34 -07:00
.github ci: Add comments documenting building base images. 2021-04-13 10:33:47 -07:00
.tx cleanup: Delete trailing newlines. 2019-08-06 23:29:11 -07:00
analytics activity: Use realm owners, not realm administrators. 2021-04-08 17:47:23 -07:00
confirmation python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
corporate request: Rename validator parameter of REQ to json_validator. 2021-04-07 14:13:06 -07:00
docs docs: Update changelog for 3.3/3.4 releases. 2021-04-14 12:23:55 -07:00
frontend_tests top_left_corner: Directly use `span.unread_count` to display unreads. 2021-04-14 10:57:16 -07:00
locale i18n: Update translation data from Transifex. 2021-03-22 19:37:20 -07:00
pgroonga python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
puppet mypy: Fix strict_equality violations. 2021-04-13 09:18:18 -07:00
requirements requirements: Remove django-webpack-loader. 2021-04-06 09:31:35 -07:00
scripts install-node: Upgrade Node.js to 14.16.1 and nvm to 0.38.0. 2021-04-07 21:05:01 -07:00
static css: Delete orphaned starred messages CSS. 2021-04-14 11:50:07 -07:00
stubs requirements: Upgrade mypy to 0.790. 2020-11-12 15:44:30 -08:00
templates top_left_corner: Directly use `span.unread_count` to display unreads. 2021-04-14 10:57:16 -07:00
tools lint: Remove custom // spacing rule. 2021-04-13 17:45:59 -07:00
var/puppeteer puppeteer_tests: Port to TypeScript. 2021-02-22 16:03:10 -08:00
zerver CVE-2021-30478: Prevent API super users from forging messages to other organizations. 2021-04-14 12:37:34 -07:00
zilencer test users: Add an escape char to a test username. 2021-04-13 11:42:06 -07:00
zproject linkifiers: Update API to send data using dictionaries. 2021-04-13 12:16:07 -07:00
zthumbor python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
.browserslistrc browserslist: Drop 0.2% usage threshold to 0.15%. 2020-09-28 10:57:49 -07:00
.codecov.yml codecov: Change threshold to use percentage syntax. 2019-07-20 14:37:04 -07:00
.editorconfig lint: Add shfmt as a linter. 2020-10-15 15:16:00 -07:00
.eslintignore gitignore: Ignore zulip-thumbor-venv. 2021-03-04 18:06:21 -08:00
.eslintrc.json eslint: Enable sort-imports for member sorting. 2021-04-03 15:54:14 -07:00
.gitattributes Revert "gitattributes: Mark yarn.lock as "binary", i.e. suppress diffs." 2019-05-20 19:31:14 -07:00
.gitignore ci: Use general terms for CircleCI. 2021-03-16 14:56:43 -07:00
.gitlint lint: Re-enable imperative-mood checking. 2021-02-23 14:54:07 -08:00
.mailmap mailmap: Document Alya's old email address. 2021-04-01 11:24:03 -07:00
.npmignore
.prettierignore lint: Use Prettier for JSON files. 2020-07-24 09:42:56 -07:00
.pyre_configuration pysa: Update .pyre_configuration to point to typeshed. 2020-09-22 15:44:47 -07:00
.sonarcloud.properties tools: Configure Zulip to be scannable by SonarCloud. 2020-06-24 12:41:17 -07:00
.yarnrc .yarnrc: Set ignore-scripts true. 2019-08-28 16:15:54 -07:00
CODE_OF_CONDUCT.md docs: Remove dead link to citizencodeofconduct.org. 2021-04-09 12:10:42 -07:00
CONTRIBUTING.md docs: Mention GitHub sponsors in contributing guide. 2021-03-23 15:57:25 -07:00
Dockerfile-postgresql docs: Standardize on PostgreSQL, not Postgres. 2020-10-28 11:55:16 -07:00
LICENSE license: Move copyright notice from LICENSE to NOTICE. 2021-02-05 09:28:12 -08:00
NOTICE docs: Bump copyright year. 2021-02-05 09:28:15 -08:00
README.md readme: Add GitHub sponsors badge in README. 2021-03-23 15:56:46 -07:00
SECURITY.md docs: Fix more capitalization issues. 2020-10-23 11:46:55 -07:00
Vagrantfile vagrant: Add hyperV support to vagrant config. 2021-04-13 21:04:44 -07:00
babel.config.js i18n: Initialize FormatJS. 2021-04-13 17:41:10 -07:00
manage.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
mypy.ini mypy: Enable strict_equality. 2021-04-13 11:18:52 -07:00
package.json i18n: Remove i18next. 2021-04-13 17:41:10 -07:00
postcss.config.js styles: Use range context queries to eliminate *_max variables. 2021-02-05 09:23:59 -08:00
prettier.config.js casper: Remove few traces of casper. 2020-08-30 17:16:02 -07:00
pyproject.toml isort: Move configuration into pyproject.toml. 2021-03-04 18:03:30 -08:00
setup.cfg pycodestyle: Improve comments documenting excludes. 2021-02-12 13:11:25 -08:00
stylelint.config.js styles: Consistently use generic fallback font families. 2021-04-05 15:18:41 -07:00
tsconfig.json dependencies: Add ts-node. 2021-02-22 16:03:10 -08:00
version.py realm: Add setting to configure GIPHY rating. 2021-04-14 10:29:39 -07:00
webpack.config.ts Revert "templates: Add {{#let}} block helper." 2021-04-13 17:41:10 -07:00
yarn.lock i18n: Remove i18next. 2021-04-13 17:41:10 -07:00

README.md

Zulip overview

Zulip is a powerful, open source group chat application that combines the immediacy of real-time chat with the productivity benefits of threaded conversations. Zulip is used by open source projects, Fortune 500 companies, large standards bodies, and others who need a real-time chat system that allows users to easily process hundreds or thousands of messages a day. With over 700 contributors merging over 500 commits a month, Zulip is also the largest and fastest growing open source group chat project.


Getting started

Click on the appropriate link below. If nothing seems to apply, join us on the Zulip community server and tell us what's up!

You might be interested in:

You may also be interested in reading our blog or following us on Twitter. Zulip is distributed under the Apache 2.0 license.