zulip/zerver/lib
Mateusz Mandera 6e11754642 CVE-2021-30478: Prevent API super users from forging messages to other organizations.
A bug in the implementation of the can_forge_sender permission
(previously is_api_super_user) resulted in users with this permission
being able to send messages appearing as if sent by system bots,
including to other organizations hosted by the same Zulip installation.

- The send message API had a bug allowing an api super user to
  use forging to send messages to other realms' streams, as a
  cross-realm bot. We fix this most directly by eliminating the
  realm_str parameter - it is not necessary for any valid current use
  case. The email gateway doesn't use this API despite the comment in
  that block suggesting otherwise.
- The conditionals inside access_stream_for_send_message are changed up
  to improve security. They were generally not ordered very well,
  allowing the function to successfully return due to very weak
  acceptance conditions - skipping the higher importance checks that
  should lead to raising an error.
- The query count in test_subs is decreased because
  access_stream_for_send_message returns earlier when doing its check
  for a cross-realm bot sender - some subscription checking queries are
  skipped.
- A linkifier test in test_message_dict needs to be changed. It didn't
  make much sense in the first place, because it was creating a message
  by a normal user, to a stream outside of the user's realm. That
  shouldn't even be allowed.
2021-04-14 12:37:34 -07:00
markdown markdown: Remove logic for creating markdown engines for all realms. 2021-04-13 09:18:18 -07:00
url_preview mypy: Correct typing.re imports to typing. 2021-03-17 18:41:46 -07:00
webhooks webhooks: Fix spelling of milliseconds. 2021-03-05 12:22:50 -08:00
__init__.py
actions.py CVE-2021-30477: Prevent outgoing webhook bots from sending arbitrary messages to any stream. 2021-04-14 12:37:34 -07:00
addressee.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
alert_words.py python: Reformat with Black, except quotes. 2021-02-12 13:11:19 -08:00
attachments.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
avatar.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
avatar_hash.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
bot_config.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
bot_lib.py embedded bot: Use server settings for storage_size_limit. 2021-04-04 18:05:30 -07:00
bot_storage.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
bulk_create.py migrations: Subscription.is_user_active denormalization - step one. 2021-03-30 09:19:03 -07:00
cache.py mute user: Cache list of muter IDs. 2021-04-13 09:08:47 -07:00
cache_helpers.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
camo.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
ccache.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
context_managers.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
create_user.py migrations: Subscription.is_user_active denormalization - step one. 2021-03-30 09:19:03 -07:00
data_types.py python: Reformat with Black, except quotes. 2021-02-12 13:11:19 -08:00
db.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
debug.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
dev_ldap_directory.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
digest.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
display_recipient.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
domains.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
email_mirror.py requirements: Upgrade talon fork to 1.4.8. 2021-03-18 17:10:18 -07:00
email_mirror_helpers.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
email_notifications.py docs: Add a document explaining email/push notifications. 2021-03-05 15:24:25 -08:00
email_validation.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
emoji.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
error_notify.py actions: Remove realm argument to internal_send_stream_message. 2021-02-23 15:26:47 -08:00
event_schema.py linkifiers: Update API to send data using dictionaries. 2021-04-13 12:16:07 -07:00
events.py realm: Add setting to configure GIPHY rating. 2021-04-14 10:29:39 -07:00
exceptions.py api: Add REALM_DEACTIVATED error code. 2021-03-31 08:46:13 -07:00
export.py models/realm: Add a model for storing realm playground information. 2021-04-07 08:20:53 +05:30
external_accounts.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
fix_unreads.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
generate_test_data.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
github.py python: Reformat with Black, except quotes. 2021-02-12 13:11:19 -08:00
home.py js: Convert static/js/page_params.js to ES6 module. 2021-03-26 10:17:56 -07:00
hotspots.py hotspots: Add TUTORIAL_ENABLED setting to toggle INTRO_HOTSPOTS. 2021-03-30 14:46:42 -07:00
html_diff.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
html_to_text.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
i18n.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
import_realm.py models/realm: Add a model for storing realm playground information. 2021-04-07 08:20:53 +05:30
initial_password.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
integrations.py docs(integrations): Document zoom video provider in /integrations. 2021-04-14 08:44:00 -07:00
logging_util.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
management.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
mdiff.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
mention.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
message.py mute user: Add some comments on message fetch. 2021-04-13 09:15:49 -07:00
migrate.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
mobile_auth_otp.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
name_restrictions.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
narrow.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
onboarding.py actions: Remove realm argument to internal_send_private_message. 2021-02-23 15:26:47 -08:00
outgoing_webhook.py CVE-2021-30477: Prevent outgoing webhook bots from sending arbitrary messages to any stream. 2021-04-14 12:37:34 -07:00
presence.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
profile.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
push_notifications.py docs: Add a document explaining email/push notifications. 2021-03-05 15:24:25 -08:00
pysa.py python: Sort imports with isort. 2020-06-11 16:45:32 -07:00
queue.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
rate_limiter.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
realm_description.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
realm_icon.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
realm_logo.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
redis_utils.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
remote_server.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
request.py request: Rename validator parameter of REQ to json_validator. 2021-04-07 14:13:06 -07:00
response.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
rest.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
retention.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
send_email.py emails: Truncate overly-long From fields for RFC compatibility. 2021-04-03 08:13:26 -07:00
server_initialization.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
sessions.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
soft_deactivation.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
sqlalchemy_utils.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
statistics.py python: Reformat with Black, except quotes. 2021-02-12 13:11:19 -08:00
storage.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
stream_subscription.py stream_subscription: Remove opaque reference to guest role. 2021-04-13 21:49:57 -07:00
stream_topic.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
streams.py CVE-2021-30478: Prevent API super users from forging messages to other organizations. 2021-04-14 12:37:34 -07:00
subdomains.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
test_classes.py tests: Refactor check_has_permission_policies to check for all user roles. 2021-04-13 17:48:23 -07:00
test_console_output.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
test_data.source.txt docs: Capitalize Markdown consistently. 2020-08-11 10:23:06 -07:00
test_fixtures.py puppeteer_tests: Reset test environment after each run. 2021-03-25 12:58:36 -07:00
test_helpers.py docs: Add redirects for moved pages about stream archiving. 2021-04-02 22:08:15 -07:00
test_runner.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
tex.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
thumbnail.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
timeout.py timeout: Remove unnecessary varargs support. 2021-02-15 17:05:28 -08:00
timestamp.py python: Reformat with Black, except quotes. 2021-02-12 13:11:19 -08:00
timezone.py python: Reformat with Black, except quotes. 2021-02-12 13:11:19 -08:00
topic.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
topic_mutes.py topic_mutes: Filter deactivated streams from get_topic_mutes. 2021-03-30 12:11:35 -07:00
transfer.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
type_debug.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
types.py linkifiers: Use dictionaries for internal structures. 2021-04-05 18:16:08 -07:00
unminify.py unminify: Fix lookup if source map does not exist in disk. 2021-03-16 14:46:18 -07:00
upload.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
url_encoding.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
user_agent.py python: Reformat with Black, except quotes. 2021-02-12 13:11:19 -08:00
user_groups.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
user_mutes.py mute user: Cache list of muter IDs. 2021-04-13 09:08:47 -07:00
user_status.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
users.py realm: Add moderators and full members option in invite_to_realm_policy. 2021-04-07 09:05:16 -07:00
utils.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
validator.py custom profile fields: Rename "SELECT" field validator. 2021-03-24 12:54:51 -07:00
widget.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
zcommand.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00
zephyr.py python: Normalize quotes with Black. 2021-02-12 13:11:19 -08:00