security: enforce channel membership check in handleTopic
handleTopic did not verify that the requesting user was a member of the channel before allowing them to set a topic. Any authenticated user could set the topic on any channel they hadn't joined. Add an IsChannelMember check after resolving the channel and before calling executeTopic, mirroring the existing pattern in handleChannelMsg. Non-members now receive ERR_NOTONCHANNEL (442). Add TestTopicNonMember to verify the fix.
@@ -1134,6 +1134,42 @@ func TestTopicMissingBody(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestTopicNonMember(t *testing.T) {
|
||||
tserver := newTestServer(t)
|
||||
aliceToken := tserver.createSession("alice_topic")
|
||||
bobToken := tserver.createSession("bob_topic")
|
||||
|
||||
// Only alice joins the channel.
|
||||
tserver.sendCommand(aliceToken, map[string]any{
|
||||
commandKey: joinCmd, toKey: "#topicpriv",
|
||||
})
|
||||
|
||||
// Drain bob's initial messages.
|
||||
_, lastID := tserver.pollMessages(bobToken, 0)
|
||||
|
||||
// Bob tries to set topic without joining.
|
||||
status, _ := tserver.sendCommand(
|
||||
bobToken,
|
||||
map[string]any{
|
||||
commandKey: "TOPIC",
|
||||
toKey: "#topicpriv",
|
||||
bodyKey: []string{"Hijacked topic"},
|
||||
},
|
||||
)
|
||||
if status != http.StatusOK {
|
||||
t.Fatalf("expected 200, got %d", status)
|
||||
}
|
||||
|
||||
msgs, _ := tserver.pollMessages(bobToken, lastID)
|
||||
|
||||
if !findNumeric(msgs, "442") {
|
||||
t.Fatalf(
|
||||
"expected ERR_NOTONCHANNEL (442), got %v",
|
||||
msgs,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
func TestPing(t *testing.T) {
|
||||
tserver := newTestServer(t)
|
||||
token := tserver.createSession("ping_user")
|
||||
|
||||
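Review bot: TestTopicNonMember proves that bob receives the 442 numeric, but not that the topic was left untouched — a handler that emits ERR_NOTONCHANNEL and still calls executeTopic would pass this test, so the regression it guards against is only half covered. The check on alice's side is what pins the security property: drain alice's messages right after the join, then after the 442 assertion poll alice again and fail if the attempted topic text shows up in anything delivered to her. I can't see the shape of what pollMessages returns from this hunk (the findNumeric helper and the handler change live outside it), so the match below goes through fmt.Sprint and should be tightened to the real message type; it also assumes fmt and strings are imported in this test file. The hunk's trailing context is the start of TestPing, whose body continues outside the hunk.
```go
	// Drain alice's JOIN replies before bob's attempt.
	_, aliceLastID := tserver.pollMessages(aliceToken, 0)
	// … unchanged: bob's drain, TOPIC attempt and the 442 assertion …
	// The rejection alone does not prove executeTopic was skipped:
	// a channel member must not observe the topic change either.
	aliceMsgs, _ := tserver.pollMessages(aliceToken, aliceLastID)
	for _, m := range aliceMsgs {
		if strings.Contains(fmt.Sprint(m), "Hijacked topic") {
			t.Fatalf("non-member topic change reached channel members: %v", m)
		}
	}
```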