From 5b6818a3ccb1af1d73527a30701bae81d9bfd484 Mon Sep 17 00:00:00 2001 From: Carina Wollendorfer <30310907+CarinaWolli@users.noreply.github.com> Date: Mon, 15 Aug 2022 18:32:11 -0400 Subject: [PATCH 01/10] fixes issue with variables not working (#3859) Co-authored-by: CarinaWolli --- .../components/AddVariablesDropdown.tsx | 16 ++++++++-------- .../lib/reminders/templates/customTemplate.ts | 1 - 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/packages/features/ee/workflows/components/AddVariablesDropdown.tsx b/packages/features/ee/workflows/components/AddVariablesDropdown.tsx index cf41cf714c..0866becfe9 100644 --- a/packages/features/ee/workflows/components/AddVariablesDropdown.tsx +++ b/packages/features/ee/workflows/components/AddVariablesDropdown.tsx @@ -9,13 +9,13 @@ interface IAddVariablesDropdown { } const variables = [ - "event_name_workflow", - "organizer_name_workflow", - "attendee_name_workflow", - "event_date_workflow", - "event_time_workflow", - "location_workflow", - "additional_notes_workflow", + "event_name", + "organizer_name", + "attendee_name", + "event_date", + "event_time", + "location", + "additional_notes", ]; export const AddVariablesDropdown = (props: IAddVariablesDropdown) => { @@ -39,7 +39,7 @@ export const AddVariablesDropdown = (props: IAddVariablesDropdown) => { type="button" className="px-5 py-1" onClick={() => props.addVariable(props.isEmailSubject, variable)}> - {t(variable)} + {t(`${variable}_workflow`)} ))} diff --git a/packages/features/ee/workflows/lib/reminders/templates/customTemplate.ts b/packages/features/ee/workflows/lib/reminders/templates/customTemplate.ts index c59c991b3b..8a73466d74 100644 --- a/packages/features/ee/workflows/lib/reminders/templates/customTemplate.ts +++ b/packages/features/ee/workflows/lib/reminders/templates/customTemplate.ts 
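Review bot: The `t(`${variable}_workflow`)` call in the second hunk hard-codes the `_workflow` suffix that the first hunk strips from the `variables` array, so each array entry now serves both as the placeholder name handed to `props.addVariable` and as the stem of a translation key, with nothing in the file saying so. A comment on the array, `// Placeholder names passed to addVariable; translated in the dropdown via the `${name}_workflow` key`, would make that coupling visible to whoever next edits either end. The `AddVariablesDropdown` component body continues outside the hunk.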
@@ -81,7 +81,6 @@ const customTemplate = async (text: string, variables: VariablesType, locale: st } }); } - dynamicText = dynamicText.replace(`{${variable}}`, ""); }); const textHtml = `${dynamicText}`; From cf9116b5bb59f7c8332df2e05b51c6e3f45afbd6 Mon Sep 17 00:00:00 2001 From: Hariom Balhara Date: Tue, 16 Aug 2022 22:45:13 +0530 Subject: [PATCH 02/10] Avoid DDOS (#3871) --- apps/web/middleware.ts | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/apps/web/middleware.ts b/apps/web/middleware.ts index fb9815d3e2..2d4565c473 100644 --- a/apps/web/middleware.ts +++ b/apps/web/middleware.ts @@ -9,6 +9,13 @@ const V2_WHITELIST = ["/settings/admin"]; const middleware: NextMiddleware = async (req) => { const url = req.nextUrl; + if (url.pathname === "/api/auth/session") { + const callbackUrl = url.searchParams.get("callbackUrl"); + if (callbackUrl && !callbackUrl.startsWith("https://") && !callbackUrl.startsWith("http://")) { + // DDOS Prevention: Immediately end request with no response - Avoids a redirect as well initiated by NextAuth on invalid callback + return new NextResponse(); + } + } /** Display available V2 pages to users who opted-in to early access */ if (req.cookies.has("calcom-v2-early-access") && V2_WHITELIST.some((p) => url.pathname.startsWith(p))) { // rewrite to the current subdomain under the pages/sites folder From 6dcb0c43ab8b15a800f8661a8986c9eb989f3459 Mon Sep 17 00:00:00 2001 From: zomars Date: Tue, 16 Aug 2022 13:50:09 -0600 Subject: [PATCH 03/10] DDOS mitigation updates --- apps/web/middleware.ts | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/apps/web/middleware.ts b/apps/web/middleware.ts index 2d4565c473..084a1bdae0 100644 --- a/apps/web/middleware.ts +++ b/apps/web/middleware.ts 
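Review bot: Dropping the `dynamicText = dynamicText.replace(`{${variable}}`, "");` fallback changes the rendered output for any `{variable}` that the preceding branches did not substitute (those branches are outside the hunk): it now stays in the text verbatim instead of being blanked, and nothing records that this is intended. A one-line comment at the end of the `forEach`, `// Placeholders that received no value are left in the text as written`, would stop the next reader from re-adding the blanking. The enclosing `customTemplate` function starts and ends outside the hunk.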
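Review bot: `return new NextResponse();` in the new `/api/auth/session` block answers the filtered request with a 200 and an empty body, which contradicts the comment's "immediately end request" intent and looks like success to the sender and in access logs; a 4xx status (`new NextResponse(null, { status: 400 })`) makes the rejection visible to both. The `startsWith("https://")`/`startsWith("http://")` pair only rejects values that are not absolute URLs, so it is a shape check rather than an allowlist, and the comment should say so to keep anyone from reading it as an open-redirect guard. Nothing is logged when the branch fires, so there is no way to see how much traffic the rule catches or to tune it; a single `console.warn` with `url.pathname` and the reason would give that visibility. `middleware` continues outside the hunk.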
@@ -1,6 +1,6 @@ import { collectEvents } from "next-collect/server"; // eslint-disable-next-line @next/next/no-server-import-in-page -import { NextMiddleware, NextResponse } from "next/server"; +import { NextMiddleware, NextResponse, userAgent } from "next/server"; import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry"; @@ -9,11 +9,13 @@ const V2_WHITELIST = ["/settings/admin"]; const middleware: NextMiddleware = async (req) => { const url = req.nextUrl; - if (url.pathname === "/api/auth/session") { + if (url.pathname.startsWith("/api/auth")) { const callbackUrl = url.searchParams.get("callbackUrl"); - if (callbackUrl && !callbackUrl.startsWith("https://") && !callbackUrl.startsWith("http://")) { + const { isBot } = userAgent(req); + if (isBot || (callbackUrl && !callbackUrl.startsWith("https://") && !callbackUrl.startsWith("http://"))) { // DDOS Prevention: Immediately end request with no response - Avoids a redirect as well initiated by NextAuth on invalid callback - return new NextResponse(); + const res = new NextResponse("hey", { status: 400, statusText: "Please don't" }); + return res; } } /** Display available V2 pages to users who opted-in to early access */ From 4f76654813be5639da20cb0ccab007dacf082061 Mon Sep 17 00:00:00 2001 From: zomars Date: Tue, 16 Aug 2022 13:55:50 -0600 Subject: [PATCH 04/10] Whitelist only cal domain as callbackUrls --- apps/web/middleware.ts | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/apps/web/middleware.ts b/apps/web/middleware.ts index 084a1bdae0..796be0cedc 100644 --- a/apps/web/middleware.ts +++ b/apps/web/middleware.ts 
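Review bot: `isBot` from `userAgent(req)` is a User-Agent heuristic and the User-Agent is chosen by the client, so the widened condition (now on every `/api/auth/*` path, not just `/api/auth/session`) turns away every self-identified crawler while offering no guarantee against anything else; that is acceptable as a stopgap, but the comment should say it is one, e.g. `// Temporary: UA-based bot check plus callbackUrl shape check; not a security boundary`. The response body `"hey"` and `statusText: "Please don't"` will appear in client errors and in any log pipeline, where a neutral `"Bad Request"` (or an empty body) reads far better during incident review. The branch still records nothing when it fires, so its hit rate cannot be measured. `middleware` continues outside the hunk.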
@@ -2,6 +2,7 @@ import { collectEvents } from "next-collect/server"; // eslint-disable-next-line @next/next/no-server-import-in-page import { NextMiddleware, NextResponse, userAgent } from "next/server"; +import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants"; import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry"; const V2_WHITELIST = ["/settings/admin"]; @@ -12,7 +13,11 @@ const middleware: NextMiddleware = async (req) => { if (url.pathname.startsWith("/api/auth")) { const callbackUrl = url.searchParams.get("callbackUrl"); const { isBot } = userAgent(req); - if (isBot || (callbackUrl && !callbackUrl.startsWith("https://") && !callbackUrl.startsWith("http://"))) { + + if ( + isBot || + (callbackUrl && ![CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].some((u) => callbackUrl.startsWith(u))) + ) { // DDOS Prevention: Immediately end request with no response - Avoids a redirect as well initiated by NextAuth on invalid callback const res = new NextResponse("hey", { status: 400, statusText: "Please don't" }); return res; From 79d37676fcf51735e9bf96a974bfd6620b2beadd Mon Sep 17 00:00:00 2001 From: zomars Date: Tue, 16 Aug 2022 13:59:38 -0600 Subject: [PATCH 05/10] Middleware rewrite shenanigans --- apps/web/middleware.ts | 4 ++-- apps/web/pages/api/nope.ts | 9 +++++++++ 2 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 apps/web/pages/api/nope.ts diff --git a/apps/web/middleware.ts b/apps/web/middleware.ts index 796be0cedc..3a1aa8498a 100644 --- a/apps/web/middleware.ts +++ b/apps/web/middleware.ts 
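Review bot: `callbackUrl.startsWith(u)` in the new condition is a string-prefix test, not an origin check: whether it admits only the three hosts depends on what `CONSOLE_URL`, `WEBAPP_URL` and `WEBSITE_URL` end with (a bare origin with no trailing `/` also matches any longer hostname that begins with it), and `startsWith` is case-sensitive while hostnames are not. Comparing parsed origins is stricter and says what it means, and `new URL()` throwing on malformed input is exactly the rejection this rule wants. Note also that relative `callbackUrl` values such as `/bookings`, which NextAuth accepts, are rejected by this condition, so confirm no `signIn` call site in the repo passes one. The three constants live in `@calcom/lib/constants`, outside this diff, so I am assuming they are absolute URLs.
```ts
const V2_WHITELIST = ["/settings/admin"];

// Origins a NextAuth callbackUrl may point at. Assumes the three constants are absolute URLs.
const ALLOWED_CALLBACK_ORIGINS = [CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].map((u) => new URL(u).origin);

/** True only for an absolute URL whose origin is one of ours; unparseable input is rejected. */
function isAllowedCallbackUrl(callbackUrl: string): boolean {
  try {
    return ALLOWED_CALLBACK_ORIGINS.includes(new URL(callbackUrl).origin);
  } catch {
    return false; // not parseable as a URL
  }
}

// … unchanged: middleware declaration, url, callbackUrl and isBot …
    if (isBot || (callbackUrl && !isAllowedCallbackUrl(callbackUrl))) {
// … unchanged: DDOS Prevention comment and 400 response …
```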
@@ -19,8 +19,8 @@ const middleware: NextMiddleware = async (req) => { (callbackUrl && ![CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].some((u) => callbackUrl.startsWith(u))) ) { // DDOS Prevention: Immediately end request with no response - Avoids a redirect as well initiated by NextAuth on invalid callback - const res = new NextResponse("hey", { status: 400, statusText: "Please don't" }); - return res; + req.nextUrl.pathname = "/api/nope"; + return NextResponse.redirect(req.nextUrl); } } /** Display available V2 pages to users who opted-in to early access */ diff --git a/apps/web/pages/api/nope.ts b/apps/web/pages/api/nope.ts new file mode 100644 index 0000000000..ac5b83dfce --- /dev/null +++ b/apps/web/pages/api/nope.ts @@ -0,0 +1,9 @@ +import type { NextApiRequest, NextApiResponse } from "next"; + +type Response = { + message: string; +}; + +export default async function handler(req: NextApiRequest, res: NextApiResponse): Promise { + return res.status(400).json({ message: "Please don't" }); +} From 1e5cb0bbd00287d14140167fdd2ddc3a16c4bf42 Mon Sep 17 00:00:00 2001 From: Alex van Andel Date: Tue, 16 Aug 2022 23:01:38 +0100 Subject: [PATCH 06/10] Attempt at redirect to 404 (#3877) * Attempt at redirect to 404 404 should be able to handle the traffic no problem - better ideas welcome. Just a temp fix I imagine; we're not going to want to keep this nor can we expect the User-Agent to continue identifying the traffic source. * Update next.config.js Co-authored-by: zomars --- apps/web/next.config.js | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/apps/web/next.config.js b/apps/web/next.config.js index 330cdf0700..7f273e055f 100644 --- a/apps/web/next.config.js +++ b/apps/web/next.config.js 
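Review bot: `NextResponse.redirect(req.nextUrl)` turns the rejection into a 307 that the client must follow, so a request the rule wants to shed now costs two requests instead of one, and because only `pathname` is changed the redirect target keeps the original query string, including the rejected `callbackUrl`. `NextResponse.rewrite(...)` would serve the `/api/nope` 400 within the same request, and a direct `new NextResponse(null, { status: 400 })` avoids the extra route altogether. Mutating `req.nextUrl` in place also works but hides the intent; `const target = req.nextUrl.clone(); target.pathname = "/api/nope";` reads more clearly. `middleware` continues outside the hunk.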
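Review bot: `handler` in the new `nope.ts` is declared `async` but contains no `await`, so the promise wrapper adds nothing and a plain function is enough; `req` is unused and can be `_req`. As rendered here `NextApiResponse` and `Promise` carry no type arguments and the `Response` alias is never used, which I take to be the page dropping the `<…>` — confirm the source reads `NextApiResponse<Response>` and `Promise<void>`, since bare `Promise` does not compile under strict settings. A one-line header comment, `// Sink for requests the middleware rejects: always answers 400 so no NextAuth redirect chain is started`, would explain why the route exists.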
@@ -136,6 +136,19 @@ const nextConfig = { destination: "/video/:path*", permanent: false, }, + /* Attempt to mitigate DDoS attack */ + { + source: "/api/auth/:path*", + has: [ + { + type: "header", + key: "User-Agent", + value: "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)", + }, + ], + destination: "/404", + permanent: false, + }, ]; if (process.env.NEXT_PUBLIC_WEBAPP_URL === "https://app.cal.com") { From 7e0dbee2ca84f0d1635b54c3366faeaa6c1aabd0 Mon Sep 17 00:00:00 2001 From: zomars Date: Tue, 16 Aug 2022 16:28:19 -0600 Subject: [PATCH 07/10] DDoS rewrite fixes --- apps/web/next.config.js | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apps/web/next.config.js b/apps/web/next.config.js index 7f273e055f..bb1b38a732 100644 --- a/apps/web/next.config.js +++ b/apps/web/next.config.js @@ -141,9 +141,10 @@ const nextConfig = { source: "/api/auth/:path*", has: [ { - type: "header", - key: "User-Agent", - value: "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)", + type: "query", + key: "callbackUrl", + // prettier-ignore + value: "^(?!https?:\/\/).*$", }, ], destination: "/404", From 73e38384e23e8bb685ded6d1b0e3068671baebce Mon Sep 17 00:00:00 2001 From: Syed Ali Shahbaz <52925846+alishaz-polymath@users.noreply.github.com> Date: Wed, 17 Aug 2022 03:37:44 +0530 Subject: [PATCH 08/10] hotfix dynamic issue (#3864) --- apps/web/pages/api/book/event.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/web/pages/api/book/event.ts b/apps/web/pages/api/book/event.ts index 63e5a5428f..627b579c50 100644 --- a/apps/web/pages/api/book/event.ts +++ b/apps/web/pages/api/book/event.ts @@ -291,7 +291,7 @@ async function handler(req: NextApiRequest) { }) : eventType.users; const isDynamicAllowed = !users.some((user) => !user.allowDynamicBooking); - if (!isDynamicAllowed) { + if (!isDynamicAllowed && !eventTypeId) { throw new HttpError({ message: "Some of the users in this group do not allow dynamic booking", statusCode: 400, 
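Review bot: As far as I can tell from the Next.js docs, `has[].value` is treated as a regular expression (a "regex-like string" that can capture parts of the value), so the literal User-Agent `node-fetch/1.0 (+https://github.com/bitinn/node-fetch)` is compiled as a pattern in which `.`, `(` and `+` are metacharacters — and `(+` is not a valid pattern at all, so this rule may throw or never match instead of catching the intended traffic. If an exact header match is wanted the metacharacters need escaping, e.g. `value: "node-fetch/1\\.0 \\(\\+https://github\\.com/bitinn/node-fetch\\)"`. The commit message already calls this temporary; putting that in the comment, `/* Temporary DDoS mitigation (#3877): remove once the traffic subsides */`, gives the removal a trigger.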
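Review bot: The query pattern `^(?!https?:\/\/).*$` sends to `/404` every `callbackUrl` that is not an absolute http(s) URL, which includes the relative paths (`/bookings`) that NextAuth accepts and that apps commonly pass to `signIn`; confirm no call site in this repo relies on a relative `callbackUrl`, because those sign-ins would now dead-end on the 404 page. This config-level rule also applies a different criterion from `middleware.ts` (scheme only here, a host allowlist there), and since — as I understand the Next.js pipeline — `next.config.js` redirects run before middleware, the two now form layered filters with nothing saying which is authoritative; a note on the entry, `// Catches non-URL callbackUrls before middleware; middleware.ts enforces the host allowlist`, would record that. A `rewrites` entry would also answer in one request instead of a 307 plus a second hit on `/404`.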
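Review bot: `if (!isDynamicAllowed && !eventTypeId)` now skips the `allowDynamicBooking` check whenever `eventTypeId` is set, and nothing near it says why that is correct; the reader has to infer that the opt-out only governs dynamic group bookings, which presumably are the requests without an `eventTypeId`. A comment above the condition, `// allowDynamicBooking only applies to dynamic group bookings (no eventTypeId); a regular event type's users are always bookable`, would make the intent explicit. If `eventTypeId` can ever be the number 0 (I cannot tell from the hunk), `!eventTypeId` treats it as absent. `handler` continues outside the hunk.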
From a331d02668d121172fdf22841bf1246ca60d2b8c Mon Sep 17 00:00:00 2001 From: Alex van Andel Date: Wed, 17 Aug 2022 00:38:26 +0100 Subject: [PATCH 09/10] Hotfix/dos mitigation attempt error configuration (#3879) * Fixes 'Task timed out after 60.03 seconds' * DDoS rewrite fixes Co-authored-by: zomars --- apps/web/pages/auth/error.tsx | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/apps/web/pages/auth/error.tsx b/apps/web/pages/auth/error.tsx index df6aa2f528..bfb363e919 100644 --- a/apps/web/pages/auth/error.tsx +++ b/apps/web/pages/auth/error.tsx @@ -1,15 +1,14 @@ -import { GetServerSidePropsContext } from "next"; +import { GetStaticPropsContext } from "next"; import Link from "next/link"; import { useRouter } from "next/router"; +import { useLocale } from "@calcom/lib/hooks/useLocale"; import Button from "@calcom/ui/Button"; import { Icon } from "@calcom/ui/Icon"; -import { useLocale } from "@lib/hooks/useLocale"; - import AuthContainer from "@components/ui/AuthContainer"; -import { ssrInit } from "@server/lib/ssr"; +import { ssgInit } from "@server/lib/ssg"; export default function Error() { const { t } = useLocale(); @@ -40,12 +39,12 @@ export default function Error() { ); } -export async function getServerSideProps(context: GetServerSidePropsContext) { - const ssr = await ssrInit(context); +export const getStaticProps = async (context: GetStaticPropsContext) => { + const ssr = await ssgInit(context); return { props: { trpcState: ssr.dehydrate(), }, }; -} +}; From 025019f789060f89729c165607dbadf0562b3f5e Mon Sep 17 00:00:00 2001 From: Peer Richelsen Date: Wed, 17 Aug 2022 20:32:46 +0200 Subject: [PATCH 10/10] Update [uid].tsx (#3888) --- apps/web/pages/video/[uid].tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/web/pages/video/[uid].tsx b/apps/web/pages/video/[uid].tsx index 5075088728..e88b20be7f 100644 --- a/apps/web/pages/video/[uid].tsx +++ b/apps/web/pages/video/[uid].tsx 
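Review bot: The local is still named `ssr` although it now holds the result of `ssgInit`, so `ssr.dehydrate()` reads as server-side rendering on a page the same hunk just switched to static generation; `const ssg = await ssgInit(context);` keeps the name honest. The switch itself is the mitigation (the commit message ties it to 60 s timeouts under the DoS traffic), so a short comment on `getStaticProps` saying why this page must stay static — per-request rendering of the auth error page turns abusive traffic into server load — would stop a later refactor from quietly reverting it to `getServerSideProps`. The `Error` component body continues outside the hunk.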
@@ -69,7 +69,7 @@ export default function JoinCall(props: JoinCallPageProps) { // eslint-disable-next-line @next/next/no-img-element