* MM-67372: Filter SVG images from OpenGraph metadata to prevent DoS
This commit adds server-side filtering of SVG images from OpenGraph
metadata to mitigate a DoS vulnerability where malicious SVG images
in og:image tags can crash Chromium-based browsers and Safari.
Changes:
- Add IsSVGImageURL() helper function in model package to detect SVG URLs
- Filter SVG images in parseOpenGraphMetadata() for regular HTML pages
- Filter SVG images in parseOpenGraphFromOEmbed() for oEmbed responses
- Add defense-in-depth filtering in TruncateOpenGraph() and getImagesForPost()
- Add comprehensive tests for all SVG filtering functionality
SVG detection is based on:
- File extension (.svg, .svgz) - case-insensitive
- MIME type (image/svg+xml)
Reference: https://issues.chromium.org/issues/40057345
* MM-67372: Filter SVG images from cache/DB and direct SVG URLs
This commit addresses remaining attack vectors for the SVG DoS vulnerability:
1. Cache/DB filtering: Apply TruncateOpenGraph when returning OpenGraph
from cache or database to filter stale data that was stored before
the initial fix was deployed.
2. Direct SVG URLs: Filter PostImage entries with Format="svg" to prevent
browser crashes when someone posts a direct link to an SVG file.
3. Embed creation: Skip creating image embeds for SVG images and create
link embeds instead.
4. New SVG detection: Return nil instead of creating PostImage when
fetching direct SVG URLs to prevent storing them in the database.
These changes ensure that even environments with pre-existing malicious
link metadata will be protected after a server restart.
* MM-67372: Fix test expectation for SVG image handling
* Removed duplicate logic in favor of already implemented FilterSVGImages in model
* Addressing PR comments
* Replacing exact match comparison with prefix check
* Added new test cases for unit tests
The reliance on ViewUsersRestrictions was causing a SQL bug, since the
original query did not join with the Users table. Instead, use
model.GroupSearchOpts to rely on AllowReference, which should be used to
filter the results in all cases, except when the user is a sysadmin (has
the PermissionSysconsoleReadUserManagementGroups permission).
Co-authored-by: Mattermost Build <build@mattermost.com>
This change allows admins to delete protected property fields when the source plugin has been uninstalled, providing a cleanup mechanism for orphaned fields. If a field has the protected attribute set to true, but the associated source plugin is not installed, an admin can remove that field from the admin console.
- Disable editing of protected fields in admin console and user profiles
- Show "Managed by: {pluginId}" indicator for protected fields in admin panel
- Disable dot menu button for protected fields in property management table
- Hide source_only fields from all user/profile views (user settings, profile popover, admin user management)
- source_only fields remain visible only in the field management configuration view
- Add i18n messages for protected field indicators
Updates all Custom Profile Attribute endpoints and app layer methods to pass caller user IDs through to the PropertyAccessService. This connects the access control service introduced in #34812 to the REST API, Plugin API, and internal app operations.
Also updates the OpenAPI spec to document the new field attributes (protected, source_plugin_id, access_mode) and adds notes about protected field restrictions.
Custom profile attributes (properties) in Mattermost need to support security-critical use cases like Attribute-Based Access Control (ABAC), external identity system synchronization, and privacy-preserving collaboration. Without access controls on these properties, any user or component could modify property fields and values, making them unsuitable for security decisions. Additionally, different properties require different visibility patterns - some need to be publicly readable, some should only be visible to their managing system, and some require privacy-preserving visibility where users can only see shared values.
This change introduces the PropertyAccessService, a wrapper around PropertyService that enforces access control for all property operations. This service is introduced in isolation and is not yet hooked up to the Plugin API, REST API, or app layer. It provides the foundation for a single enforcement point that will apply access restrictions consistently across all code paths once integrated.
Option IDs are automatically generated for fields in the REST API, but plugins creating fields directly don't get this behavior. This change makes option ID generation consistent by automatically generating IDs for all select/multiselect options, regardless of whether they're created via REST API or plugin code. The option IDs are generated (if necessary) in the store layer right before saving, which is the same place we generate Field IDs if they don't exist.
* Add the ability to patch channel autotranslations
* Fix lint
* Update docs
* Fix CI
* Fix CI
* Fix mmctl test
* Check whether the channel is translated for the user when checking user enabled
* Fix wrong uses of patch acrros e2e and frontend
* Fix test
* Fix wording
* Fix tests and column name
* Move group constrained test so they don't mess with the basic entities
* Fix patch sending too much information
* Add endpoint to update channel member autotranslations
* Add several improvements and remove unneeded functions
* Add user id to audit record
* Ensure autotranslation is defined
* Update texts
* Fix merge
* Add new column for channel member autotranslations (#35111)
* Minor renamings
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
Co-authored-by: Ben Cooke <benkcooke@gmail.com>
This commit reverts PR #30214, which addressed bug MM-60790 but caused a
performance regression tracked by MM-66782.
This revert has two implications:
1. The performance issue is solved.
2. The original bug is re-introduced.
Re-introducing the original bug seems not to be ideal, but I argue that
the original PR did not actually fix the bug:
- Before that PR, looking for a quoted string would return additional
results: the UX was slightly confusing, because when the user looked
for the word "stateful", the results would contain matches like
"states" (see MM-60790).
- After that PR, looking for a quoted string can timeout, so that the
list of results becomes empty. The UX here may be less confusing,
since the user simply doesn't find what they're looking for, and they
may assume that string is not present in any post, but it's completely
wrong: the result list is empty because the SQL query timed out and
thus the endpoint returned 0 results.
The solution to the original issue should be addressed via
Elasticsearch, which should provide a more refined and precise search
results.
For more information on the investigation on this issue and the
motivation behind the revert, see
https://mattermost.atlassian.net/wiki/x/IYAk_w
Co-authored-by: Mattermost Build <build@mattermost.com>
* Adjust registerProduct to accept generic icon
* Undo unnecessary changes
* Anotha one
* Fix linting errors in product menu tests
- Fix jsx-quotes to use single quotes instead of double quotes
- Fix react/jsx-max-props-per-line by placing props on separate lines
- Fix react/jsx-no-literals by wrapping literal strings in JSX expression containers
- Fix react/jsx-wrap-multilines by wrapping multiline JSX in parentheses
- Fix react/jsx-closing-bracket-location for proper bracket alignment
* don't use snapshots or enzyme
* Fix pipelines?
* Allow building the server on FreeBSD
* Fix merge
---------
Co-authored-by: Erwan Martin <erwan@pepper.com>
Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com>
* Channel Info RHS: add rename-from-info and settings access
Add channel name editable area with pencil hover and wire to a lightweight Rename Channel modal; add Channel Settings item to RHS menu with permission checks; ensure navigation after rename uses relative path to avoid 404.
* linter changes
* add padding so field labels don't get cut off
* fixes for keyboard accessibility and tooltips
* don't show channel settings for DMs and GMs
* chore(i18n): run extract to reorder new keys and fix CI
Re-extracted webapp i18n to place newly added keys (editable tooltips and rename modal) in canonical order expected by translation tooling.
* use generic_btn.cancel/save for rename modal buttons
* chore(i18n): remove unused rename_channel.cancel/save keys
* updated tests to account for new elements in the info rhs
* add cypress test for new rhs info function
* fix linting issues
* fixed tests
* linter fixes
* tweak position of edit button
* style tweaks, remove subtitle from info rhs head (redundant now), update archived state
* added 'unarchive' button to archived notice, updated translations
* fixed tests that I broke in channel info header
* add url name to channel info view
* update to 'channel handle' instead of url name'
* change order of channel handle
* add copy button
* Update about_area_channel.test.tsx
* fixed test and brought back channel subtitle in header for consistency
* fixed header test
* make channel info rhs scrollable
* fix merge issue
* Fix lint
---------
Co-authored-by: yasserfaraazkhan <attitude3cena.yf@gmail.com>
This tells the TypeScript compiler (only used for type checking in the web app)
to use the `imports` and `exports` field of a package's `package.json` to find
modules. Those fields are standard in newer versions of Node.js, and hopefully
supporting them means that we'll have to do less work to configure tooling in
the future.
We could also get similar behaviour by using the `nodenext` option, but that
adds some additional requirements to include file extensions which ES Modules
technically require, but I don't think we need to enforce because other tooling
doesn't require them.
I wanted to make that change in all of the subpackages as well, but we can't do
that without having TypeScript output ES Modules which, unless we change their
build processes to generate multiple formats (like the shared package in
client package, or the types package which is more than I want to do at the
moment.
The changes to other files are either because they incorrectly imported types
from a file that isn't intentionally exposed by the plugin or it's because we
had a typo in a file path.
* Fix 500 errors on check-cws-connection in non-Cloud environments
The check-cws-connection endpoint was returning 500 errors in
self-hosted enterprise environments because:
1. The client only checked BuildEnterpriseReady before making the
request, which is true for all enterprise builds
2. The server handler didn't check for a Cloud license before
attempting to connect to CWS
3. The CWS URL is not configured in non-Cloud environments, causing
the connection check to fail
This fix:
- Server: Add IsCloud() license check to match other cloud endpoints,
returning 403 instead of 500 for non-Cloud licenses
- Client: Add Cloud license check to skip the request entirely in
non-Cloud environments
* Add unit tests for check-cws-connection license check
* Return JSON status from check-cws-connection endpoint
Change the check-cws-connection endpoint to return 200 with a JSON body
containing status (available/unavailable) instead of using HTTP error
codes. This allows the endpoint to be used for air-gap detection on
self-hosted instances, not just Cloud deployments.
* i18n
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
* feat: run e2e full tests after successful smoke tests both in cypress and playwright
* fix lint check on jsdoc req in playwright test
* update smoke test filter
* update test filter for cypress tests
* update docker services, fix branch convention and rearrange secrets
* update e2e-test workflow docs
* reorganized
* fix lint
* fix playwright template
* fix results assertion
* add retest, e2e-test-verified, gh comments of failed tests, path filters, run e2e-tests check first and demote unstable tests
* run using master image for e2e-only changes, add ts/js actions for cypress and playwright calculations, add verified by label
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
* MM-67279: Fix private channel enumeration via /mute slash command
Return the same error message when a user tries to mute a channel
they are not a member of as when the channel doesn't exist. This
prevents authenticated users from discovering private channels
by observing different error responses.
* update i18n
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
* Improve rewrite menu guidance
Keep AI rewrite prompts visible on focus and clarify the empty-state instruction.
* Apply suggestions from code review
* Apply suggestion from @nickmisasi
* Fix rewrite menu test assertions
Update test expectations to match component string values after defaultMessage changes. Fix syntax error with unterminated string and correct placeholder text expectation.
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
* Include last root, and most recent 10 posts in a thread with the rewrite system prompt
* Include user's names in the thread context for better reference
* Revert package-lock to master
* Fix tests
When the Type column was added to the Drafts table, it did not add a
DEFAULT value, so we need to handle the NULL values for the pre-existing
rows.
Co-authored-by: Mattermost Build <build@mattermost.com>
* [MM-66789] Fix arbitrary file read vulnerability in advanced logging
Add path validation to prevent reading files outside the logging root
directory via GetAdvancedLogs (used in support packet generation).
Security controls:
- Validate file paths are within logging root before reading
- Support MM_LOG_PATH environment variable to allow system admins
to configure a custom logging root directory
- Resolve symlinks to prevent bypass attacks
- Detect and block path traversal attempts
Also adds:
- Audit logging for support packet generation
- Config-time validation that logs errors for paths outside logging
root (will become blocking in future version)
- Comprehensive test coverage for path validation
* Update server/channels/app/platform/log_test.go
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fix linter errors
* Update server/channels/api4/system.go
Co-authored-by: Ben Schumacher <ben.schumacher@mattermost.com>
* Simplify unit tests for platform/log_test.go by moving some test logic to config/logger_test.go
* Fix unit tests requiring logging root to be set
* enforce LogSettings.FileLocation path validation; simplify path checking
* fix linter errors
* use dir in logging root for all unit test logging
* MM_LOG_PATH is set once, centrally, for all tests
* fix flaky test
* fix flaky test
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Mattermost Build <build@mattermost.com>
Co-authored-by: Ben Schumacher <ben.schumacher@mattermost.com>
* MM-67274: Fix panic in getBrowserVersion with empty User-Agent version
Refactor getBrowserVersion to use a table-driven approach that
centralizes bounds checking, preventing panic when User-Agent strings
contain identifiers like "Mattermost Mobile/" with no version token.
* Refactor user agent tests to use structured test cases
Move expected values into the testUserAgent struct for clarity,
making it easier to see what each test case expects at a glance.
