public-offering
/
cal.pub0.org
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #109 from calcom/fix/webhook-eventtype-assoc-security 

Webhook event type association security
pull/9078/head
Syed Ali Shahbaz 2022-06-08 13:14:53 +05:30 committed by GitHub
parent 1180f3f258 bae84f2ce4
commit cabafbdd77
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 42 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
pages/api/hooks/[id].ts
View File

@ -95,6 +95,27 @@ export async function WebhookById(
return;
}
}
if (safeBody.data.eventTypeId) {
const team = await ctx.prisma.team.findFirst({
where: {
eventTypes: {
some: {
id: safeBody.data.eventTypeId,
},
},
},
include: {
members: true,
},
});
// Team should be available and the user should be a member of the team
if (!team?.members.some((membership) => membership.userId === userId)) {
throw new TRPCError({
code: "UNAUTHORIZED",
});
}
}
await prisma.webhook
.update({ where: { id: safeQuery.data.id }, data: safeBody.data })
.then((data) => schemaWebhookReadPublic.parse(data))

21
pages/api/hooks/index.ts
View File

@ -61,6 +61,27 @@ async function createOrlistAllWebhooks(
res.status(400).json({ message: "Invalid request body" });
return;
}
if (safe.data.eventTypeId) {
const team = await ctx.prisma.team.findFirst({
where: {
eventTypes: {
some: {
id: safe.data.eventTypeId,
},
},
},
include: {
members: true,
},
});
// Team should be available and the user should be a member of the team
if (!team?.members.some((membership) => membership.userId === userId)) {
throw new TRPCError({
code: "UNAUTHORIZED",
});
}
}
const data = await prisma.webhook.create({ data: { id: uuidv4(), ...safe.data, userId } });
if (data) res.status(201).json({ webhook: data, message: "Webhook created successfully" });
else