SECURITY: ensures mentioned_users is limited

Prior to this fix the number of users rendered by mentioned_users could equal the number of members in a channel which would be slow but could in more extreme case crash the page and/or server.
2023-11-17 16:08:22 +01:00 · 2023-11-17 16:08:22 +01:00 · fd4ff92892
parent fe10a3feab
commit fd4ff92892
4 changed files with 32 additions and 1 deletions
--- a/plugins/chat/app/serializers/chat/message_serializer.rb
+++ b/plugins/chat/app/serializers/chat/message_serializer.rb
@ -37,7 +37,7 @@ module Chat
    def mentioned_users
      object
        .chat_mentions
-        .includes(user: :user_status)
+        .limit(SiteSetting.max_mentions_per_chat_message)
        .map(&:user)
        .compact
        .sort_by(&:id)
--- a/plugins/chat/app/serializers/chat/thread_original_message_serializer.rb
+++ b/plugins/chat/app/serializers/chat/thread_original_message_serializer.rb
@ -18,6 +18,7 @@ module Chat
    def mentioned_users
      object
        .chat_mentions
+        .limit(SiteSetting.max_mentions_per_chat_message)
        .map(&:user)
        .compact
        .sort_by(&:id)
--- a/plugins/chat/spec/serializer/chat/chat_message_serializer_spec.rb
+++ b/plugins/chat/spec/serializer/chat/chat_message_serializer_spec.rb
@ -12,6 +12,15 @@ describe Chat::MessageSerializer do

  let(:guardian) { Guardian.new(guardian_user) }

+  describe "#mentioned_users" do
+    it "is limited by max_mentions_per_chat_message setting" do
+      Fabricate.times(2, :chat_mention, chat_message: message_1)
+      SiteSetting.max_mentions_per_chat_message = 1
+
+      expect(serializer.as_json[:mentioned_users].length).to eq(1)
+    end
+  end
+
  describe "#reactions" do
    fab!(:custom_emoji) { CustomEmoji.create!(name: "trout", upload: Fabricate(:upload)) }
    fab!(:reaction_1) do
--- a/plugins/chat/spec/serializer/chat/chat_thread_original_message_serializer_spec.rb
+++ b/plugins/chat/spec/serializer/chat/chat_thread_original_message_serializer_spec.rb
@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+describe Chat::ThreadOriginalMessageSerializer do
+  subject(:serializer) { described_class.new(message_1, scope: guardian, root: nil) }
+
+  fab!(:message_1) { Fabricate(:chat_message) }
+  fab!(:guardian_user) { Fabricate(:user) }
+
+  let(:guardian) { Guardian.new(guardian_user) }
+
+  describe "#mentioned_users" do
+    it "is limited by max_mentions_per_chat_message setting" do
+      Fabricate.times(2, :chat_mention, chat_message: message_1)
+      SiteSetting.max_mentions_per_chat_message = 1
+
+      expect(serializer.as_json[:mentioned_users].length).to eq(1)
+    end
+  end
+end