Multiple security fixes (#6222)

* Security fix 1

* security fix 2

* Fix 3

* Fix 4

* Fix 5

* Fix 6

* Fix 7

* Fix 8

* Fix 9

* Rubo

Author: farhatahmad

app/controllers/api/v1/admin/invitations_controller.rb

@@ -62,8 +62,9 @@ def create
         end
 
         def destroy
-          invitation = Invitation.find(params[:id])
-          if invitation.destroy
+          invitation = Invitation.find_by(id: params[:id], provider: current_provider)
+
+          if invitation&.destroy
             render_data status: :ok
           else
             render_error status: :not_found

app/controllers/api/v1/admin/role_permissions_controller.rb

@@ -27,9 +27,9 @@ class RolePermissionsController < ApiController
         # GET /api/v1/admin/role_permissions
         # Returns a hash of all Role Permissions
         def index
-          roles_permissions = RolePermission.joins(:permission)
-                                            .where(role_id: params[:role_id])
-                                            .pluck(:name, :value)
+          roles_permissions = RolePermission.joins(:permission, :role)
+                                            .where(role_id: params[:role_id], roles: { provider: current_provider })
+                                            .pluck('permissions.name', 'role_permissions.value')
                                             .to_h
 
           render_data data: roles_permissions, status: :ok
@@ -38,7 +38,8 @@ def index
         # POST /api/v1/admin/role_permissions
         # Updates the permission for the specified role
         def update
-          role_permission = RolePermission.joins(:permission).find_by(role_id: role_params[:role_id], permission: { name: role_params[:name] })
+          role_permission = RolePermission.joins(:permission, :role).find_by(role_id: role_params[:role_id], roles: { provider: current_provider },
+                                                                             permission: { name: role_params[:name] })
 
           return render_error status: :not_found unless role_permission
           return render_error status: :bad_request unless role_permission.update(value: role_params[:value].to_s)

app/controllers/api/v1/admin/roles_controller.rb

@@ -80,7 +80,7 @@ def role_params
         end
 
         def find_role
-          @role = Role.find params[:id]
+          @role = Role.with_provider(current_provider).find(params[:id])
         end
       end
     end

app/controllers/api/v1/admin/users_controller.rb

@@ -27,7 +27,7 @@ class UsersController < ApiController
         # GET /api/v1/admin/users/:id.json
         # Updates the specified user's status
         def update
-          user = User.find(params[:id])
+          user = User.with_provider(current_provider).find(params[:id])
           initial_status = user.status
 
           if user.update(user_params)

app/controllers/api/v1/meetings_controller.rb

@@ -100,7 +100,7 @@ def running
       private
 
       def find_room
-        @room = Room.find_by!(friendly_id: params[:friendly_id])
+        @room = Room.includes(:user).with_provider(current_provider).find_by!(friendly_id: params[:friendly_id])
       end
 
       def authorized_as_viewer?(viewer_code:)

app/controllers/api/v1/recordings_controller.rb

@@ -25,7 +25,10 @@ class RecordingsController < ApiController
       before_action only: %i[destroy] do
         ensure_authorized('ManageRecordings', record_id: params[:id])
       end
-      before_action only: %i[update update_visibility recording_url] do
+      before_action only: %i[update update_visibility] do
+        ensure_authorized(%w[ManageRecordings SharedRoom], record_id: params[:id])
+      end
+      before_action only: %i[recording_url] do
         ensure_authorized(%w[ManageRecordings SharedRoom PublicRecordings], record_id: params[:id])
       end
 

app/controllers/api/v1/rooms_controller.rb

@@ -156,7 +156,7 @@ def recordings_processing
       private
 
       def find_room
-        @room = Room.find_by!(friendly_id: params[:friendly_id])
+        @room = Room.includes(:user).with_provider(current_provider).find_by!(friendly_id: params[:friendly_id])
       end
 
       def room_params

app/controllers/api/v1/sessions_controller.rb

@@ -47,12 +47,6 @@ def create
         # Will return an error if the user is NOT from the current provider and if the user is NOT a super admin
         return render_error status: :forbidden if !user.super_admin? && (user.provider != current_provider || external_auth?)
 
-        # Password is not set (local user migrated from v2)
-        if user.external_id.blank? && user.password_digest.blank?
-          token = user.generate_reset_token!
-          return render_error data: token, errors: 'PasswordNotSet'
-        end
-
         if user.authenticate(session_params[:password])
           return render_error data: user.id, errors: Rails.configuration.custom_error_msgs[:unverified_user] unless user.verified?
           return render_error errors: Rails.configuration.custom_error_msgs[:pending_user] if user.pending?

config/environments/production.rb

@@ -174,10 +174,5 @@
   config.active_record.attributes_for_inspect = [:id]
 
   # Enable DNS rebinding protection and other `Host` header attacks.
-  # config.hosts = [
-  #   "example.com",     # Allow requests from example.com
-  #   /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
-  # ]
-  # Skip DNS rebinding protection for the default health check endpoint.
-  # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
+  config.hosts << ENV.fetch('URL_HOST') if ENV['URL_HOST'].present?
 end

spec/controllers/admin/invitations_controller_spec.rb

@@ -117,5 +117,12 @@
       expect { delete :destroy, params: { id: 'invalid-id' } }.not_to change(Invitation, :count)
       expect(response).to have_http_status(:not_found)
     end
+
+    it 'does not delete invitations from another provider' do
+      invitation = create(:invitation, provider: 'other-provider')
+
+      expect { delete :destroy, params: { id: invitation.id } }.not_to change(Invitation, :count)
+      expect(response).to have_http_status(:not_found)
+    end
   end
 end