Merge pull request #16527 from nextcloud/backport/16523/stable28

[stable28] fix(matterbridge): Check parameters
2025-12-18 05:20:50 +01:00 · 2025-12-11 15:06:23 +01:00 · 2025-12-11 15:06:23 +01:00 · 6e618902b9
commit 6e618902b9
parent b989de2e2f c36694ac8f
9 changed files with 32 additions and 15 deletions
--- a/.github/workflows/integration-mariadb.yml
+++ b/.github/workflows/integration-mariadb.yml
@ -55,8 +55,8 @@ jobs:
        test-suite: ['callapi', 'chat-1', 'chat-2', 'command', 'conversation-1', 'conversation-2', 'conversation-3', 'conversation-4', 'conversation-5', 'federation', 'integration', 'sharing-1', 'sharing-2', 'sharing-3', 'sharing-4']
        php-versions: ['8.2']
        server-versions: ['stable28']
-        guests-versions: ['stable28']
-        call-summary-bot-versions: ['main']
+        guests-versions: ['v3.0.1']
+        call-summary-bot-versions: ['stable30']
        notifications-versions: ['stable28']

    services:
--- a/.github/workflows/integration-mysql.yml
+++ b/.github/workflows/integration-mysql.yml
@ -55,8 +55,8 @@ jobs:
        test-suite: ['callapi', 'chat-1', 'chat-2', 'command', 'conversation-1', 'conversation-2', 'conversation-3', 'conversation-4', 'conversation-5', 'federation', 'integration', 'sharing-1', 'sharing-2', 'sharing-3', 'sharing-4']
        php-versions: ['8.2']
        server-versions: ['stable28']
-        guests-versions: ['stable28']
-        call-summary-bot-versions: ['main']
+        guests-versions: ['v3.0.1']
+        call-summary-bot-versions: ['stable30']
        notifications-versions: ['stable28']

    services:
--- a/.github/workflows/integration-oci.yml
+++ b/.github/workflows/integration-oci.yml
@ -55,8 +55,8 @@ jobs:
        test-suite: ['callapi', 'chat-1', 'chat-2', 'command', 'conversation-1', 'conversation-2', 'conversation-3', 'conversation-4', 'conversation-5', 'federation', 'integration', 'sharing-1', 'sharing-2', 'sharing-3', 'sharing-4']
        php-versions: ['8.2']
        server-versions: ['stable28']
-        guests-versions: ['stable28']
-        call-summary-bot-versions: ['main']
+        guests-versions: ['v3.0.1']
+        call-summary-bot-versions: ['stable30']
        notifications-versions: ['stable28']

    services:
--- a/.github/workflows/integration-pgsql.yml
+++ b/.github/workflows/integration-pgsql.yml
@ -52,8 +52,8 @@ jobs:
        test-suite: ['callapi', 'chat-1', 'chat-2', 'command', 'conversation-1', 'conversation-2', 'conversation-3', 'conversation-4', 'conversation-5', 'federation', 'integration', 'sharing-1', 'sharing-2', 'sharing-3', 'sharing-4']
        php-versions: ['8.3']
        server-versions: ['stable28']
-        guests-versions: ['stable28']
-        call-summary-bot-versions: ['main']
+        guests-versions: ['v3.0.1']
+        call-summary-bot-versions: ['stable30']
        notifications-versions: ['stable28']

    services:
--- a/.github/workflows/integration-sqlite.yml
+++ b/.github/workflows/integration-sqlite.yml
@ -55,8 +55,8 @@ jobs:
        test-suite: ['callapi', 'chat-1', 'chat-2', 'command', 'conversation-1', 'conversation-2', 'conversation-3', 'conversation-4', 'conversation-5', 'federation', 'integration', 'sharing-1', 'sharing-2', 'sharing-3', 'sharing-4']
        php-versions: ['8.2']
        server-versions: ['stable28']
-        guests-versions: ['stable28']
-        call-summary-bot-versions: ['main']
+        guests-versions: ['v3.0.1']
+        call-summary-bot-versions: ['stable30']
        notifications-versions: ['stable28']

    steps:
--- a/appinfo/info.xml
+++ b/appinfo/info.xml
@ -16,7 +16,7 @@ And in the works for the [coming versions](https://github.com/nextcloud/spreed/m

 	]]></description>

-	<version>18.0.14</version>
+	<version>18.0.15</version>
 	<licence>agpl</licence>

 	<author>Daniel Calviño Sánchez</author>
--- a/lib/MatterbridgeManager.php
+++ b/lib/MatterbridgeManager.php
@ -128,7 +128,7 @@ class MatterbridgeManager {
 		$newBridge = [
 			'enabled' => $enabled,
 			'pid' => $currentBridge['pid'] ?? 0,
-			'parts' => $parts,
+			'parts' => $this->validateParts($parts),
 		];

 		$this->notify($room, $userId, $currentBridge, $newBridge);
@ -351,6 +351,7 @@ class MatterbridgeManager {
 	private function generateConfig(array $bridge): string {
 		$content = '';
 		foreach ($bridge['parts'] as $k => $part) {
+			$k = (int)$k;
 			$type = $part['type'];

 			if ($type === 'nctalk') {
@ -507,6 +508,22 @@ class MatterbridgeManager {
 		return $content;
 	}

+	protected function validateParts(array $parts): array {
+		foreach ($parts as $k => $part) {
+			if (!is_numeric($k)) {
+				$this->logger->error('User tried to configure a malicious matterbridge setup');
+				throw new \InvalidArgumentException('Invalid matterbridge parameters');
+			}
+			foreach ($part as $key => $value) {
+				if (preg_match('/["\n]/', $key) || preg_match('/["\n]/', $value)) {
+					$this->logger->error('User tried to configure a malicious matterbridge setup');
+					throw new \InvalidArgumentException('Invalid matterbridge parameters');
+				}
+			}
+		}
+		return $parts;
+	}
+
 	/**
 	 * Remove the scheme from an URL and add port
 	 *
--- a/package-lock.json
+++ b/package-lock.json
@ -1,12 +1,12 @@
 {
  "name": "talk",
-  "version": "18.0.14",
+  "version": "18.0.15",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "talk",
-      "version": "18.0.14",
+      "version": "18.0.15",
      "license": "agpl",
      "dependencies": {
        "@linusborg/vue-simple-portal": "^0.1.5",
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "talk",
-  "version": "18.0.14",
+  "version": "18.0.15",
  "private": true,
  "description": "",
  "author": "Joas Schilling <coding@schilljs.com>",