RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

logoutCleanup does not need to send whole user object when called #18183

Closed grahamsmith closed 4 years ago

grahamsmith commented 4 years ago

Description:

When a user logs out of Rocket Chat, a message is sent upstream via the web socket that includes the entire User object payload. After investigation, all current listeners do not take the user object and ignore it.

For security-based installations of Rocket Chat the amount of data is hard to inspect and validate.

Steps to reproduce:

  1. Logout of Rocket Chat
  2. Inspect Web Socket traffic and see the whole user object get sent with the method logoutCleanup.
  3. The server side logic invokes post logout callbacks that ignore the provided user object.

Expected behaviour:

The user object is not required in this call.

Actual behavior:

https://github.com/RocketChat/Rocket.Chat/blob/d53e264b83ccc971236123853e4b68c9eb6beeb4/server/methods/logoutCleanUp.js

app/ui-utils/client/lib/RoomManager.js

```js
callbacks.add('afterLogoutCleanUp', () => RoomManager.closeAllRooms());
```

app/ui-master/client/main.js

```js
callbacks.add('afterLogoutCleanUp', () => customScriptsOnLogout());
```

app/ui-utils/client/lib/popout.js

```js
callbacks.add('afterLogoutCleanUp', () => popout.close(), callbacks.priority.MEDIUM, 'popout-close-after-logout-cleanup');
```

app/ui/client/lib/iframeCommands.js

Notice here how `callbacks.run('afterLogoutCleanUp', user);` is called but `Meteor.call('logoutCleanUp', user);` calls the same function internally too.

```js
'logout'() {
    const user = Meteor.user();
    Meteor.logout(() => {
        callbacks.run('afterLogoutCleanUp', user);
        Meteor.call('logoutCleanUp', user);
        return FlowRouter.go('home');
    });
},
```

Server Setup Information:

Client Setup Information

Additional context

N/A

Relevant logs:

N/A
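The pattern the issue describes, as an added illustration that is not code from the issue or from Rocket.Chat: a small stand-in for the Meteor callback registry and method layer contrasts a `logoutCleanUp` that forwards a client-supplied user object with one that takes no arguments and resolves the acting user from a (hypothetical) server-side session, and measures the size of the method message the client would serialise in each case.

```javascript
// Added illustration, not Rocket.Chat code: a tiny stand-in for the
// Meteor callback registry and method layer, used to contrast a method
// that accepts a client-supplied user object with one that takes no
// arguments and resolves the acting user from the server-side session.
const callbacks = {
  handlers: {},
  add(name, fn) { (this.handlers[name] = this.handlers[name] || []).push(fn); },
  run(name, ...args) { return (this.handlers[name] || []).map((fn) => fn(...args)); },
};

// Hypothetical server-side session (stands in for Meteor.userId()).
const session = { userId: 'u123' };

// Listeners as described in the issue: none of them uses the user argument.
callbacks.add('afterLogoutCleanUp', () => 'closeAllRooms');
callbacks.add('afterLogoutCleanUp', () => 'popout.close');

// Before: the method forwards whatever the client sent.
function logoutCleanUpBefore(user) {
  return callbacks.run('afterLogoutCleanUp', user);
}

// After: reject any client-supplied argument, then identify the user
// from the session rather than from the wire.
function logoutCleanUpAfter(...args) {
  if (args.length !== 0) {
    throw new Error(`logoutCleanUp expects no arguments, got ${args.length}`);
  }
  return callbacks.run('afterLogoutCleanUp', session.userId);
}

// Size in bytes of the DDP "method" message the client would serialise.
function methodPayloadBytes(method, params) {
  return Buffer.byteLength(JSON.stringify({ msg: 'method', method, id: '1', params }));
}

// Constructed sample user document (a real one carries far more fields).
const sampleUser = {
  _id: 'u123', username: 'alice', name: 'Alice Example',
  emails: [{ address: 'alice@example.com', verified: true }],
  roles: ['user'], status: 'online', settings: { preferences: { language: 'en' } },
};

// Client side before: Meteor.call('logoutCleanUp', user) -> params [sampleUser]
// Client side after:  Meteor.call('logoutCleanUp')       -> params []
const bytesBefore = methodPayloadBytes('logoutCleanUp', [sampleUser]);
const bytesAfter = methodPayloadBytes('logoutCleanUp', []);
```

Both versions run the same listeners, which is the point: the user document on the wire buys nothing, and the argument check makes an oversized call fail loudly instead of being silently ignored.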

close-issue-app[bot] commented 4 years ago

This issue was closed because it does not use any of our issue templates. Please make sure to use one of the suggested templates.

Sing-Li commented 4 years ago

Some bug in template identification?

close-issue-app[bot] commented 4 years ago

This issue was closed because it does not use any of our issue templates. Please make sure to use one of the suggested templates.

Sing-Li commented 4 years ago

Attempt #2.

close-issue-app[bot] commented 4 years ago

This issue was closed because it does not use any of our issue templates. Please make sure to use one of the suggested templates.