widgets: Check sender of submessage before widgetizing.

We refuse to activate a widget if the first submessage event doesn't have the same sender as the message's sender.
2025-11-04 05:53:43 +00:00 · 2021-06-14 22:46:15 +00:00
parent 33793a3a07
commit b62d71cf23
2 changed files with 27 additions and 0 deletions
--- a/frontend_tests/node_tests/submessage.js
+++ b/frontend_tests/node_tests/submessage.js
@@ -4,6 +4,7 @@ const {strict: assert} = require("assert");

 const {mock_esm, zrequire} = require("../zjsunit/namespace");
 const {run_test} = require("../zjsunit/test");
+const blueslip = require("../zjsunit/zblueslip");

 const channel = mock_esm("../../static/js/channel");
 const message_store = mock_esm("../../static/js/message_store");
@@ -66,6 +67,27 @@ run_test("make_server_callback", () => {
    assert.ok(was_posted);
 });

+run_test("check sender", (override) => {
+    const message_id = 101;
+
+    const message = {
+        id: message_id,
+        sender_id: 1,
+        submessages: [{sender_id: 2, content: "{}"}],
+    };
+
+    override(message_store, "get", (arg) => {
+        assert.equal(arg, message_id);
+        return message;
+    });
+
+    blueslip.expect("warn", "User 2 tried to hijack message 101");
+
+    submessage.process_submessages({
+        message_id,
+    });
+});
+
 run_test("handle_event", () => {
    const message = {
        id: 42,
--- a/static/js/submessage.js
+++ b/static/js/submessage.js
@@ -51,6 +51,11 @@ export function do_process_submessages(in_opts) {
        return;
    }

+    if (events[0].sender_id !== message.sender_id) {
+        blueslip.warn(`User ${events[0].sender_id} tried to hijack message ${message.id}`);
+        return;
+    }
+
    const row = in_opts.row;

    // Right now, our only use of submessages is widgets.