paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-04 14:03:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
9d852870ee25c11ac7a714567058d94af37b1a1f
zulip/zerver/lib/outgoing_webhook.py
Mateusz Mandera 4235be759d CVE-2021-30477: Prevent outgoing webhook bots from sending arbitrary messages to any stream. 
A bug in the implementation of replies to messages sent by outgoing
webhooks to private streams meant that an outgoing webhook bot could be
used to send messages to private streams that the user was not intended
to be able to send messages to.

Completely skipping stream access check in check_message whenever the
sender is an outgoing webhook bot is insecure, as it might allow someone
with access to the bot's API key to send arbitrary messages to all
streams in the organization. The check is only meant to be bypassed in
send_response_message, where the stream message is only being sent
because someone mentioned the bot in that stream (and thus the bot
posting there is the desired outcome). We get much better control over
what's going by passing an explicit argument to check_message when
skipping the access check is desirable.
2021-04-14 12:37:34 -07:00

378 lines
14 KiB
Python
Raw Blame History

import abc
import json
import logging
from typing import Any, AnyStr, Dict, Optional
import requests
from django.utils.translation import ugettext as _
from requests import Response, Session
from version import ZULIP_VERSION
from zerver.decorator import JsonableError
from zerver.lib.actions import check_send_message
from zerver.lib.message import MessageDict
from zerver.lib.queue import retry_event
from zerver.lib.topic import get_topic_from_message_info
from zerver.lib.url_encoding import near_message_url
from zerver.models import (
GENERIC_INTERFACE,
SLACK_INTERFACE,
Service,
UserProfile,
email_to_domain,
get_client,
get_user_profile_by_id,
)
class OutgoingWebhookServiceInterface(metaclass=abc.ABCMeta):
def __init__(self, token: str, user_profile: UserProfile, service_name: str) -> None:
self.token: str = token
self.user_profile: UserProfile = user_profile
self.service_name: str = service_name
self.session: Session = Session()
self.session.headers.update(
{
"X-Smokescreen-Role": "webhook",
"User-Agent": "ZulipOutgoingWebhook/" + ZULIP_VERSION,
}
)
@abc.abstractmethod
def make_request(self, base_url: str, event: Dict[str, Any]) -> Optional[Response]:
raise NotImplementedError
@abc.abstractmethod
def process_success(self, response_json: Dict[str, Any]) -> Optional[Dict[str, Any]]:
raise NotImplementedError
class GenericOutgoingWebhookService(OutgoingWebhookServiceInterface):
def make_request(self, base_url: str, event: Dict[str, Any]) -> Optional[Response]:
"""
We send a simple version of the message to outgoing
webhooks, since most of them really only need
`content` and a few other fields. We may eventually
allow certain bots to get more information, but
that's not a high priority. We do send the gravatar
info to the clients (so they don't have to compute
it themselves).
"""
message_dict = MessageDict.finalize_payload(
event["message"],
apply_markdown=False,
client_gravatar=False,
keep_rendered_content=True,
)
request_data = {
"data": event["command"],
"message": message_dict,
"bot_email": self.user_profile.email,
"bot_full_name": self.user_profile.full_name,
"token": self.token,
"trigger": event["trigger"],
}
return self.session.post(base_url, json=request_data)
def process_success(self, response_json: Dict[str, Any]) -> Optional[Dict[str, Any]]:
if "response_not_required" in response_json and response_json["response_not_required"]:
return None
if "response_string" in response_json:
# We are deprecating response_string.
content = str(response_json["response_string"])
success_data = dict(content=content)
return success_data
if "content" in response_json:
content = str(response_json["content"])
success_data = dict(content=content)
if "widget_content" in response_json:
success_data["widget_content"] = response_json["widget_content"]
return success_data
return None
class SlackOutgoingWebhookService(OutgoingWebhookServiceInterface):
def make_request(self, base_url: str, event: Dict[str, Any]) -> Optional[Response]:
if event["message"]["type"] == "private":
failure_message = "Slack outgoing webhooks don't support private messages."
fail_with_message(event, failure_message)
return None
request_data = [
("token", self.token),
("team_id", event["message"]["sender_realm_str"]),
("team_domain", email_to_domain(event["message"]["sender_email"])),
("channel_id", event["message"]["stream_id"]),
("channel_name", event["message"]["display_recipient"]),
("timestamp", event["message"]["timestamp"]),
("user_id", event["message"]["sender_id"]),
("user_name", event["message"]["sender_full_name"]),
("text", event["command"]),
("trigger_word", event["trigger"]),
("service_id", event["user_profile_id"]),
]
return self.session.post(base_url, data=request_data)
def process_success(self, response_json: Dict[str, Any]) -> Optional[Dict[str, Any]]:
if "text" in response_json:
content = response_json["text"]
success_data = dict(content=content)
return success_data
return None
AVAILABLE_OUTGOING_WEBHOOK_INTERFACES: Dict[str, Any] = {
GENERIC_INTERFACE: GenericOutgoingWebhookService,
SLACK_INTERFACE: SlackOutgoingWebhookService,
}
def get_service_interface_class(interface: str) -> Any:
if interface not in AVAILABLE_OUTGOING_WEBHOOK_INTERFACES:
return AVAILABLE_OUTGOING_WEBHOOK_INTERFACES[GENERIC_INTERFACE]
else:
return AVAILABLE_OUTGOING_WEBHOOK_INTERFACES[interface]
def get_outgoing_webhook_service_handler(service: Service) -> Any:
service_interface_class = get_service_interface_class(service.interface_name())
service_interface = service_interface_class(
token=service.token, user_profile=service.user_profile, service_name=service.name
)
return service_interface
def send_response_message(
bot_id: int, message_info: Dict[str, Any], response_data: Dict[str, Any]
) -> None:
"""
bot_id is the user_id of the bot sending the response
message_info is used to address the message and should have these fields:
type - "stream" or "private"
display_recipient - like we have in other message events
topic - see get_topic_from_message_info
response_data is what the bot wants to send back and has these fields:
content - raw Markdown content for Zulip to render
WARNING: This function sends messages bypassing the stream access check
for the bot - so use with caution to not call this in codepaths
that might let someone send arbitrary messages to any stream through this.
"""
message_type = message_info["type"]
display_recipient = message_info["display_recipient"]
try:
topic_name: Optional[str] = get_topic_from_message_info(message_info)
except KeyError:
topic_name = None
bot_user = get_user_profile_by_id(bot_id)
realm = bot_user.realm
client = get_client("OutgoingWebhookResponse")
content = response_data.get("content")
assert content
widget_content = response_data.get("widget_content")
if message_type == "stream":
message_to = [display_recipient]
elif message_type == "private":
message_to = [recipient["email"] for recipient in display_recipient]
else:
raise JsonableError(_("Invalid message type"))
check_send_message(
sender=bot_user,
client=client,
message_type_name=message_type,
message_to=message_to,
topic_name=topic_name,
message_content=content,
widget_content=widget_content,
realm=realm,
skip_stream_access_check=True,
)
def fail_with_message(event: Dict[str, Any], failure_message: str) -> None:
bot_id = event["user_profile_id"]
message_info = event["message"]
content = "Failure! " + failure_message
response_data = dict(content=content)
send_response_message(bot_id=bot_id, message_info=message_info, response_data=response_data)
def get_message_url(event: Dict[str, Any]) -> str:
bot_user = get_user_profile_by_id(event["user_profile_id"])
message = event["message"]
realm = bot_user.realm
return near_message_url(
realm=realm,
message=message,
)
def notify_bot_owner(
event: Dict[str, Any],
status_code: Optional[int] = None,
response_content: Optional[AnyStr] = None,
failure_message: Optional[str] = None,
exception: Optional[Exception] = None,
) -> None:
message_url = get_message_url(event)
bot_id = event["user_profile_id"]
bot = get_user_profile_by_id(bot_id)
bot_owner = bot.bot_owner
assert bot_owner is not None
notification_message = f"[A message]({message_url}) to your bot @_**{bot.full_name}** triggered an outgoing webhook."
if exception:
notification_message += (
"\nWhen trying to send a request to the webhook service, an exception "
f"of type {type(exception).__name__} occurred:\n```\n{exception}\n```"
)
elif failure_message:
notification_message += "\n" + failure_message
elif status_code == 407:
notification_message += (
"\nThe URL configured for the webhook is for a private or disallowed network."
)
elif status_code:
notification_message += f"\nThe webhook got a response with status code *{status_code}*."
if response_content:
notification_message += (
f"\nThe response contains the following payload:\n```\n{response_content!r}\n```"
)
message_info = dict(
type="private",
display_recipient=[dict(email=bot_owner.email)],
)
response_data = dict(content=notification_message)
send_response_message(bot_id=bot_id, message_info=message_info, response_data=response_data)
def request_retry(event: Dict[str, Any], failure_message: Optional[str] = None) -> None:
def failure_processor(event: Dict[str, Any]) -> None:
"""
The name of the argument is 'event' on purpose. This argument will hide
the 'event' argument of the request_retry function. Keeping the same name
results in a smaller diff.
"""
bot_user = get_user_profile_by_id(event["user_profile_id"])
fail_with_message(event, "Bot is unavailable")
notify_bot_owner(event, failure_message=failure_message)
logging.warning(
"Maximum retries exceeded for trigger:%s event:%s",
bot_user.email,
event["command"],
)
retry_event("outgoing_webhooks", event, failure_processor)
def process_success_response(
event: Dict[str, Any], service_handler: Any, response: Response
) -> None:
try:
response_json = json.loads(response.text)
except json.JSONDecodeError:
fail_with_message(event, "Invalid JSON in response")
return
success_data = service_handler.process_success(response_json)
if success_data is None:
return
content = success_data.get("content")
if content is None or content.strip() == "":
return
widget_content = success_data.get("widget_content")
bot_id = event["user_profile_id"]
message_info = event["message"]
response_data = dict(content=content, widget_content=widget_content)
send_response_message(bot_id=bot_id, message_info=message_info, response_data=response_data)
def do_rest_call(
base_url: str,
event: Dict[str, Any],
service_handler: OutgoingWebhookServiceInterface,
) -> Optional[Response]:
"""Returns response of call if no exception occurs."""
try:
response = service_handler.make_request(
base_url,
event,
)
if not response:
return None
if str(response.status_code).startswith("2"):
try:
process_success_response(event, service_handler, response)
except JsonableError as e:
response_message = e.msg
logging.info("Outhook trigger failed:", stack_info=True)
fail_with_message(event, response_message)
response_message = f"The outgoing webhook server attempted to send a message in Zulip, but that request resulted in the following error:\n> {e}"
notify_bot_owner(event, failure_message=response_message)
return None
else:
logging.warning(
"Message %(message_url)s triggered an outgoing webhook, returning status "
'code %(status_code)s.\n Content of response (in quotes): "'
'%(response)s"',
{
"message_url": get_message_url(event),
"status_code": response.status_code,
"response": response.text,
},
)
failure_message = f"Third party responded with {response.status_code}"
fail_with_message(event, failure_message)
notify_bot_owner(event, response.status_code, response.content)
return response
except requests.exceptions.Timeout:
logging.info(
"Trigger event %s on %s timed out. Retrying",
event["command"],
event["service_name"],
)
failure_message = "A timeout occurred."
request_retry(event, failure_message=failure_message)
return None
except requests.exceptions.ConnectionError:
logging.info(
"Trigger event %s on %s resulted in a connection error. Retrying",
event["command"],
event["service_name"],
)
failure_message = "A connection error occurred. Is my bot server down?"
request_retry(event, failure_message=failure_message)
return None
except requests.exceptions.RequestException as e:
response_message = (
f"An exception of type *{type(e).__name__}* occurred for message `{event['command']}`! "
"See the Zulip server logs for more information."
)
logging.exception("Outhook trigger failed:", stack_info=True)
fail_with_message(event, response_message)
notify_bot_owner(event, exception=e)
return None
Reference in New Issue View Git Blame Copy Permalink