laravel / reverb

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications.
https://reverb.laravel.com
MIT License

Everybody can send anything to any private channel without auth #272

Closed filzone closed 22 hours ago

filzone commented 2 days ago

Reverb Version

1.4.2

Laravel Version

11.x

PHP Version

8.2.x

Description

While listening for messages on the front end from a private channel, the connection is first checked by the rules from channels.php

But everyone can send a message to any channel without any check using the whisper or Echo.connector.pusher.send_event methods

We can see that the Reverb broadcasting server will pass them through without any auth check

And such a problem can cause injections with bad things inside the message... without any auth on the WS server side

Summary: listening will be checked by the rules from the channels.php route file; publishing won't be.

PS: this applies to Reverb versions from 1.0.0 to 1.4.2

Steps To Reproduce

  1. create a rule for a private channel in the ./routes/channels.php file
  2. forbid it for any user
  3. run php artisan reverb:start --debug
  4. create a simple nodejs app with Laravel Echo
  5. run the nodejs server
  6. try to listenToAll on your private channel; expected and actual result: 403
  7. try to whisper to your private channel; expected: 403, actual: everything is sent

crynobone commented 22 hours ago

https://laravel.com/docs/11.x/broadcasting#client-events

Based on the documentation, whisper is meant to be used for indicating typing etc.

crynobone commented 22 hours ago

Hey there,

While this may be a legitimate issue, can you first try posting your problem or question on one of the support channels below? If this issue can be definitively identified as a bug, feel free to open up a new issue with a link to the original one and we'll gladly help you out.

Thanks!

filzone commented 20 hours ago

I completely disagree with you.

You can spam "typing" or whisper any other messages to any private channel without auth

Imagine:

First thing: 2 people are chatting and see "3rd person is typing", and this person shouldn't be there; it's a bad and weird scenario

Second thing: via such behaviour you can "down" the frontend app, i.e. if the "typing" event data is an object with some interface in TypeScript, such spam can cause a lot of problems for users

Third thing: in the backend code you allow any event whose name starts with "client" and there is no check for the "client-typing" event.

If people are allowed to use whisper without any limit on the event's purpose, then maybe whispering should be much better protected?
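Since client events reach subscribers without the server authorizing the publisher, the receiving client has to treat every whisper as untrusted input. The guard below is an added example (not code from the issue, from Echo or from Reverb) showing the two mitigations the thread's "second thing" calls for: strict shape validation of the `typing` payload and a per-sender rate limit; `WhisperGuard`, `isTypingPayload`, the limits and the `channel`/`showTyping` wiring are all assumed names.

```javascript
// Defensive handling of Laravel Echo "whispers" (client events) on the receiving side.
// Assumed limits: tune per application.
const TYPING_MAX_PER_WINDOW = 5;
const WINDOW_MS = 2000;

// Accept only the exact shape the app expects for a "typing" whisper:
// { userId: non-empty string <= 64 chars, name: string <= 100 chars } and nothing else.
// Anything else (strings, arrays, extra keys, wrong types) is dropped before it reaches UI code.
function isTypingPayload(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) return false;
  if (Object.keys(payload).length !== 2) return false;
  return typeof payload.userId === 'string'
    && payload.userId.length > 0 && payload.userId.length <= 64
    && typeof payload.name === 'string' && payload.name.length <= 100;
}

// Sliding-window rate limiter keyed by the claimed sender, so a flood of
// whispers cannot keep re-rendering the UI or exhaust the event loop.
class WhisperGuard {
  // allowedUserIds: members the server told us about (e.g. from a presence channel).
  // NOTE: userId inside a whisper is client-supplied and can be spoofed; this filter
  // limits noise but does not authenticate the sender. Only the server can do that.
  constructor(allowedUserIds, now = () => Date.now()) {
    this.allowed = new Set(allowedUserIds);
    this.now = now;
    this.seen = new Map(); // userId -> timestamps of accepted whispers in the window
  }

  // Returns true only when the whisper should be handed to application code.
  accept(payload) {
    if (!isTypingPayload(payload)) return false;
    if (!this.allowed.has(payload.userId)) return false; // unknown participant
    const t = this.now();
    const recent = (this.seen.get(payload.userId) || []).filter((ts) => t - ts < WINDOW_MS);
    if (recent.length >= TYPING_MAX_PER_WINDOW) {
      this.seen.set(payload.userId, recent);
      return false; // over the limit: drop silently
    }
    recent.push(t);
    this.seen.set(payload.userId, recent);
    return true;
  }
}

// Wiring sketch with Echo (illustrative; `channel` would come from Echo.private('chat.1')
// and `showTyping` is the app's own UI callback):
//   const guard = new WhisperGuard(memberIdsFromPresenceChannel);
//   channel.listenForWhisper('typing', (e) => { if (guard.accept(e)) showTyping(e.name); });

module.exports = { isTypingPayload, WhisperGuard, TYPING_MAX_PER_WINDOW, WINDOW_MS };
```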