Merge pull request #109 from calcom/fix/webhook-eventtype-assoc-security

Webhook event type association security
pull/9078/head
Syed Ali Shahbaz 2022-06-08 13:14:53 +05:30 committed by GitHub
commit cabafbdd77
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 42 additions and 0 deletions


@ -95,6 +95,27 @@ export async function WebhookById(
return; return;
} }
} }
if (safeBody.data.eventTypeId) {
const team = await ctx.prisma.team.findFirst({
where: {
eventTypes: {
some: {
id: safeBody.data.eventTypeId,
},
},
},
include: {
members: true,
},
});
// Team should be available and the user should be a member of the team
if (!team?.members.some((membership) => membership.userId === userId)) {
throw new TRPCError({
code: "UNAUTHORIZED",
});
}
}
await prisma.webhook await prisma.webhook
.update({ where: { id: safeQuery.data.id }, data: safeBody.data }) .update({ where: { id: safeQuery.data.id }, data: safeBody.data })
.then((data) => schemaWebhookReadPublic.parse(data)) .then((data) => schemaWebhookReadPublic.parse(data))
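Review bot: The authorization failure at L32-L34 is signalled with `throw new TRPCError({ code: "UNAUTHORIZED" })` and the lookup at L18 goes through `ctx.prisma`, while the surrounding lines of this handler use the bare `prisma` client (L37) and the sibling handler answers with `res.status(...).json(...)`; unless `ctx` is defined earlier in WebhookById (its start is outside this hunk), a rejected request ends in a ReferenceError or an unhandled exception rather than a deliberate 401/403. If this handler responds via `res` like createOrlistAllWebhooks, the rejection should be `res.status(403).json({ message: "Forbidden" }); return;` (403 rather than 401, since the caller is already authenticated). A second gap: an event type owned by no team makes `team` null at L31, so the request is refused even for the event type's own user — if personal event types may carry webhooks, the check should query the event type itself and accept either its owner or a member of its team. Note also that the check only guards a *new* `eventTypeId`; whether the caller owns the webhook identified by `safeQuery.data.id` must be enforced above this hunk, which I cannot see.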


@ -61,6 +61,27 @@ async function createOrlistAllWebhooks(
res.status(400).json({ message: "Invalid request body" }); res.status(400).json({ message: "Invalid request body" });
return; return;
} }
if (safe.data.eventTypeId) {
const team = await ctx.prisma.team.findFirst({
where: {
eventTypes: {
some: {
id: safe.data.eventTypeId,
},
},
},
include: {
members: true,
},
});
// Team should be available and the user should be a member of the team
if (!team?.members.some((membership) => membership.userId === userId)) {
throw new TRPCError({
code: "UNAUTHORIZED",
});
}
}
const data = await prisma.webhook.create({ data: { id: uuidv4(), ...safe.data, userId } }); const data = await prisma.webhook.create({ data: { id: uuidv4(), ...safe.data, userId } });
if (data) res.status(201).json({ webhook: data, message: "Webhook created successfully" }); if (data) res.status(201).json({ webhook: data, message: "Webhook created successfully" });
else else
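Review bot: The membership test at L61 accepts any `Membership` row whose `userId` matches, so if the membership model carries an acceptance state (an invited-but-not-yet-accepted member), that user can already attach webhooks to the team's event types — filter on that flag in the query if it exists, and push the user filter into the `where` clause so the whole member list is not loaded just to scan it. The lookup also answers "no team" and "not a member" identically: an event type with no team yields `team === null` and the owner is denied, while a nonexistent `eventTypeId` is denied without distinction; querying the event type directly and allowing its owner or a team member is clearer and lets the handler answer with `res.status(403)` like the `res.status(400)` at L44 instead of a `TRPCError` thrown from a handler that otherwise writes to `res` (and `ctx` is not visible in this hunk). The `userId` field on the event type is inferred from the surrounding code, not shown here — confirm against the schema.
```javascript
if (safe.data.eventTypeId) {
  const eventType = await prisma.eventType.findUnique({
    where: { id: safe.data.eventTypeId },
    select: { userId: true, team: { select: { members: { select: { userId: true } } } } },
  });
  const isOwner = eventType?.userId === userId;
  const isTeamMember = eventType?.team?.members.some((m) => m.userId === userId) ?? false;
  // Reject unknown event types and callers who neither own the event type nor belong to its team.
  if (!eventType || (!isOwner && !isTeamMember)) {
    res.status(403).json({ message: "Forbidden" });
    return;
  }
}
// … unchanged: prisma.webhook.create and the 201/response handling …
```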