Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[MM-53425]: Added additional checks for POST type APIs #209

Merged
merged 7 commits into from
Sep 14, 2023

Conversation

Kshitij-Katiyar
Copy link
Contributor

Summary

Added additional checks for POST type APIs in todo plugin.

* [MI-3240]:Fixed security issue [MM-53425] of TODO plugin

* [MI-3240]:Fixed review comments
@Kshitij-Katiyar Kshitij-Katiyar requested a review from larkox as a code owner July 5, 2023 11:24
@mattermost-build
Copy link

Hello @Kshitij-Katiyar,

Thanks for your pull request! A Core Committer will review your pull request soon. For code contributions, you can learn more about the review process here.

@larkox larkox requested a review from mickmister July 7, 2023 09:30
server/plugin.go Outdated Show resolved Hide resolved
server/plugin.go Outdated Show resolved Hide resolved
@codecov-commenter
Copy link

codecov-commenter commented Jul 11, 2023

Codecov Report

Patch coverage has no change and project coverage change: -0.45% ⚠️

Comparison is base (0c4dbfb) 6.87% compared to head (1d4678e) 6.42%.

Additional details and impacted files
@@            Coverage Diff            @@
##           master    #209      +/-   ##
=========================================
- Coverage    6.87%   6.42%   -0.45%     
=========================================
  Files          10      11       +1     
  Lines        1600    1712     +112     
=========================================
  Hits          110     110              
- Misses       1482    1594     +112     
  Partials        8       8              
Files Changed Coverage Δ
server/plugin.go 0.00% <0.00%> (ø)
server/serializer.go 0.00% <0.00%> (ø)

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@hanzei hanzei added the 2: Dev Review Requires review by a core committer label Jul 12, 2023
Copy link
Contributor

@hanzei hanzei left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding a recovery handler would further strengthen the codebase and protect against similar issues in the future. Is that something we can include in this PR?

server/plugin.go Outdated Show resolved Hide resolved
server/plugin.go Outdated Show resolved Hide resolved
@hanzei
Copy link
Contributor

hanzei commented Jul 13, 2023

@Kshitij-Katiyar Could you please link the connected JIRA ticket in the PR description?

@Kshitij-Katiyar Kshitij-Katiyar requested a review from hanzei July 13, 2023 12:07
@mickmister
Copy link
Contributor

Can we add a recovery handler to handle all API routes? Like it's done in the GitHub plugin here: https://github.com/mattermost/mattermost-plugin-github/blob/a336ac3f66347aca7b47963e89570024b184cdfd/server/plugin/api.go#L122

@mkdbns
Copy link

mkdbns commented Jul 14, 2023

@Kshitij-Katiyar Could you please link the connected JIRA ticket in the PR description?

@hanzei , @Kshitij-Katiyar doesn't yet have access to JIRA. I'm posting for him below:

https://mattermost.atlassian.net/browse/MM-53425

* [MI-3276]:Added recovery handler and CheckAuth middleware

* [MI-3276]:Fixed review comments
@Kshitij-Katiyar
Copy link
Contributor Author

@mickmister @hanzei Added recovery handler middleware and there was also no middleware present to check for Mattermost-User-ID ,so i have created that as well in this PR only.

webapp/src/actions.js Show resolved Hide resolved
server/plugin.go Outdated Show resolved Hide resolved
@Kshitij-Katiyar Kshitij-Katiyar requested a review from hanzei July 20, 2023 15:43
@hanzei hanzei removed their request for review August 1, 2023 18:49
@Kshitij-Katiyar Kshitij-Katiyar requested a review from hanzei August 7, 2023 10:07
@hanzei hanzei removed their request for review August 7, 2023 14:25
@Kshitij-Katiyar Kshitij-Katiyar requested a review from hanzei August 7, 2023 15:43
* [MI-3423]: Added checks for every post API body

* [MI-3423]:Fixed review comments

* [MI-3423]:Fixed review comments
@Kshitij-Katiyar Kshitij-Katiyar requested a review from hanzei August 29, 2023 11:00
Comment on lines 52 to 62
func IsAddIssuePayloadValid(a *AddAPIRequest) error {
if a == nil {
return errors.New("invalid request body")
}

if a.Message == "" {
return errors.New("message is required")
}

return nil
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's make this a method and simplify the name to IsValid

Suggested change
func IsAddIssuePayloadValid(a *AddAPIRequest) error {
if a == nil {
return errors.New("invalid request body")
}
if a.Message == "" {
return errors.New("message is required")
}
return nil
}
func (a *AddAPIRequest) IsValid error {

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hanzei The reason why i was not able to do this because of the nill check as in the change you have suggested, We wont be able to access the functions of AddAPIRequest if it is already nill and will panic everytime.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can have a nil check in a method with a pointer receiver.

server/serializer.go Show resolved Hide resolved
@Kshitij-Katiyar Kshitij-Katiyar requested a review from hanzei August 30, 2023 12:43
Copy link
Contributor

@hanzei hanzei left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome 🎉

@hanzei hanzei removed the 2: Dev Review Requires review by a core committer label Aug 30, 2023
@hanzei
Copy link
Contributor

hanzei commented Aug 30, 2023

@DHaussermann Do you want to smoke test the PR?

@AayushChaudhary0001
Copy link

Tested and Passed

  • This PR has been tested on MM version 8.1.2 and everything was found working fine.
  • All the edge cases were covered in this PR.
  • Accepting, bumping, listing and editing the issue were found working.
  • All the possible values for edge cases were covered during the testing.

LGTM!

@mickmister mickmister merged commit a309a7a into mattermost-community:master Sep 14, 2023
4 checks passed
@Kshitij-Katiyar Kshitij-Katiyar mentioned this pull request Sep 15, 2023
@hanzei hanzei added the 4: Reviews Complete All reviewers have approved the pull request label Sep 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
4: Reviews Complete All reviewers have approved the pull request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants