Move microsoft team to new format. #20667
This change is part of the following stack: Change managed by git-spice.
Coding Rules LGTM \o/
    // Add filter if nameFilter is specified
    if (nameFilter) {
      apiCall = apiCall.filter(`startswith(displayName,'${nameFilter}')`);
OData Injection in list_channels Microsoft Teams Action (Severity: MEDIUM)
Sensitive information disclosure may occur due to OData filter injection in the list_channels Microsoft Teams action. The unescaped user-controlled nameFilter parameter is directly interpolated into the OData filter string within front/lib/api/actions/servers/microsoft_teams/tools/index.ts at line 143, which causes the application to execute unintended OData query logic.
View details in ZeroPath
Suggested change
-      apiCall = apiCall.filter(`startswith(displayName,'${nameFilter}')`);
+      apiCall = apiCall.filter(`startswith(displayName,'${nameFilter.replace(/'/g, "''")}')`);
        `startswith(displayName,'${nameFilter}') or startswith(userPrincipalName,'${nameFilter}')`
      );
OData Injection in list_users function (Severity: MEDIUM)
OData filter injection in list_users: unescaped user-controlled nameFilter is interpolated directly into the OData filter string, which can lead to unauthorized data access or manipulation. This occurs within the Microsoft Teams API actions in front/lib/api/actions/servers/microsoft_teams/tools/index.ts on lines 109-110.
View details in ZeroPath
Suggested fix
Unable to apply as inline suggestion. Download .diff and apply from repo root with git apply 42d490db.diff
diff --git a/front/lib/api/actions/servers/microsoft_teams/tools/index.ts b/front/lib/api/actions/servers/microsoft_teams/tools/index.ts
--- a/front/lib/api/actions/servers/microsoft_teams/tools/index.ts
+++ b/front/lib/api/actions/servers/microsoft_teams/tools/index.ts
@@ -105,8 +105,9 @@
// Add filter if nameFilter is specified
if (nameFilter) {
+ const sanitizedFilter = nameFilter.replace(/'/g, "''");
apiCall = apiCall.filter(
- `startswith(displayName,'${nameFilter}') or startswith(userPrincipalName,'${nameFilter}')`
+ `startswith(displayName,'${sanitizedFilter}') or startswith(userPrincipalName,'${sanitizedFilter}')`
);
}
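Review bot: the quote doubling on the `+ const sanitizedFilter = nameFilter.replace(/'/g, "''");` line is the correct escape for an OData string literal, but the same unescaped interpolation is reported separately for list_channels (line 143) and list_chats (line 191), so this belongs in one shared helper that every filter call site uses rather than a per-site `.replace`; otherwise the next filter added to this file repeats the defect.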
      {
        entityTypes: ["chatMessage"],
        query: {
          queryString: query,
Graph API Search Query Injection in Microsoft Teams (Severity: MEDIUM)
User-controlled input in the query parameter can be injected into the Microsoft Teams Graph API search request, potentially leading to unauthorized data access or disclosure. This occurs because the query value from the user is directly inserted into the search request body within the front/lib/api/actions/servers/microsoft_teams/tools/index.ts file, which causes the application to execute unintended search operations.
View details in ZeroPath
Automatic patch generation was not possible for this finding.
    // Apply filter if any conditions exist
    if (filterConditions.length > 0) {
      apiCall = apiCall.filter(filterConditions.join(" and "));
OData Injection in list_chats (nameFilter) (Severity: MEDIUM)
Sensitive data exposure can occur if an attacker injects malicious OData filter syntax into the nameFilter parameter. In front/lib/api/actions/servers/microsoft_teams/tools/index.ts on line 191, the unescaped nameFilter is directly incorporated into an OData filter string. This can lead to unauthorized access to chat data by bypassing intended filters.
View details in ZeroPath
Suggested fix
Unable to apply as inline suggestion. Download .diff and apply from repo root with git apply 8284ddee.diff
diff --git a/front/lib/api/actions/servers/microsoft_teams/tools/index.ts b/front/lib/api/actions/servers/microsoft_teams/tools/index.ts
--- a/front/lib/api/actions/servers/microsoft_teams/tools/index.ts
+++ b/front/lib/api/actions/servers/microsoft_teams/tools/index.ts
@@ -183,7 +183,7 @@
filterConditions.push(`chatType eq '${chatType}'`);
}
if (nameFilter) {
- filterConditions.push(`startswith(topic,'${nameFilter}')`);
+ filterConditions.push(`startswith(topic,'${nameFilter.replace(/'/g, "''")}')`);
}
// Apply filter if any conditions exist
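Review bot: the unchanged context line `filterConditions.push(\`chatType eq '${chatType}'\`);` interpolates chatType into the same filter string without the escaping this hunk adds for nameFilter; unless chatType is already restricted to a fixed set of values by the tool's input schema, it should be validated against that set or passed through the same quote-doubling here, since both values end up in the one `filterConditions.join(" and ")` string.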
        endpoint = endpoint || `/chats/${finalChatId}/messages`;
      } else {
Path Injection in Microsoft Teams API POST /chats/{chatId}/messages (Severity: MEDIUM)
Sensitive data exposure and unauthorized access are possible because the chatId parameter is unvalidated before being interpolated into the Graph API request path. This could allow an attacker to manipulate the endpoint, potentially accessing or modifying unintended chat messages.
View details in ZeroPath
Suggested change
-        endpoint = endpoint || `/chats/${finalChatId}/messages`;
+        endpoint = endpoint || `/chats/${encodeURIComponent(finalChatId)}/messages`;
       } else {
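An added example, not code from this PR or the repository, showing in isolation the two sanitizations the ZeroPath suggestions on this page apply: doubling single quotes inside OData string literals (the list_channels, list_users and list_chats findings) and percent-encoding each caller-supplied id used as a Graph request path segment (the chatId and teams/channels findings). The helper names odataQuote, buildUserFilter, buildChatFilter, buildChannelMessagesEndpoint and isSingleSegment are assumptions for this example, not names from the code base.

```typescript
// Added example (not part of the PR): the sanitizations behind the suggested fixes,
// as plain functions so each can be unit-tested. Helper names are assumed.

// OData string literals are single-quoted, and a literal quote inside the value is
// written as two quotes. Doubling every quote keeps user input inside the literal,
// so it cannot close the literal and append clauses of its own to the filter.
function odataQuote(value: string): string {
  return `'${value.replace(/'/g, "''")}'`;
}

// Filter shape used by list_users in the PR: match displayName or userPrincipalName.
function buildUserFilter(nameFilter: string): string {
  const lit = odataQuote(nameFilter);
  return `startswith(displayName,${lit}) or startswith(userPrincipalName,${lit})`;
}

// Filter shape used by list_chats: optional chatType plus optional topic prefix.
// Both values go through the same helper, so chatType is escaped as well.
function buildChatFilter(chatType?: string, nameFilter?: string): string | undefined {
  const conditions: string[] = [];
  if (chatType) conditions.push(`chatType eq ${odataQuote(chatType)}`);
  if (nameFilter) conditions.push(`startswith(topic,${odataQuote(nameFilter)})`);
  return conditions.length > 0 ? conditions.join(" and ") : undefined;
}

// Graph request paths: each caller-supplied id is exactly one path segment, so it is
// percent-encoded; "/", "?" and "#" inside an id then cannot change which resource
// the request addresses. Same layout as the channel-message endpoints in the PR.
function buildChannelMessagesEndpoint(
  teamId: string,
  channelId: string,
  parentMessageId?: string
): string {
  const base = `/teams/${encodeURIComponent(teamId)}/channels/${encodeURIComponent(channelId)}/messages`;
  return parentMessageId ? `${base}/${encodeURIComponent(parentMessageId)}/replies` : base;
}

// Check worth running on every encoded id before the request leaves the process:
// an encoded segment must be non-empty (an empty id would yield "/teams//channels/...")
// and must contain no raw path or query separators.
function isSingleSegment(encoded: string): boolean {
  return encoded.length > 0 && !/[\/?#]/.test(encoded);
}
```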
      } else {
        // New message in a channel
        endpoint = `/teams/${teamId}/channels/${channelId}/messages`;
      }
Path Injection in Microsoft Teams API (Severity: MEDIUM)
Sensitive information disclosure or denial of service is possible because unvalidated teamId, channelId, and parentMessageId are directly interpolated into the Graph API request path in front/lib/api/actions/servers/microsoft_teams/tools/index.ts. This can lead to attackers manipulating the endpoint to access unintended resources or disrupt service.
View details in ZeroPath
Suggested fix
Unable to apply as inline suggestion. Download .diff and apply from repo root with git apply 10feb291.diff
diff --git a/front/lib/api/actions/servers/microsoft_teams/tools/index.ts b/front/lib/api/actions/servers/microsoft_teams/tools/index.ts
--- a/front/lib/api/actions/servers/microsoft_teams/tools/index.ts
+++ b/front/lib/api/actions/servers/microsoft_teams/tools/index.ts
@@ -313,10 +313,10 @@
}
if (parentMessageId) {
// Reply to a thread in a channel
- endpoint = `/teams/${teamId}/channels/${channelId}/messages/${parentMessageId}/replies`;
+ endpoint = `/teams/${encodeURIComponent(teamId)}/channels/${encodeURIComponent(channelId)}/messages/${encodeURIComponent(parentMessageId)}/replies`;
} else {
// New message in a channel
- endpoint = `/teams/${teamId}/channels/${channelId}/messages`;
+ endpoint = `/teams/${encodeURIComponent(teamId)}/channels/${encodeURIComponent(channelId)}/messages`;
}
} else if (targetType === "chat") {
const meResponse = await client.api("/me").select("id").get();
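Review bot: encoding each segment on the two `+ endpoint =` lines stops "/", "?" or "#" in an id from changing the route, but an empty teamId or channelId still builds `/teams//channels//messages`, so add a non-empty check on the ids before constructing the endpoint. The `} else if (targetType === "chat") {` branch that follows this hunk builds its path from finalChatId and needs the same encodeURIComponent treatment, as the separate chatId finding on this page suggests.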
Description
Move microsoft team to new format.
Tests
Local + diff
Risk
Low
Deploy Plan
Deploy front