CVE-2023-22737: [SQSERVICES-1801] Prevent dead bots in database (#2870) · wireapp/wire-server@494a688
wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots; regular Conversation members should not be allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds.
@@ -148,6 +148,7 @@ tests dom conf p db b c g = do testGroup “bot-teams” [ test p “add-remove” $ testAddRemoveBotTeam conf db b g c, test p “add-remove-access-denied-for-non-conv-admin” $ testNonConvAdminCannotAddRemoveBot conf db b g, test p “team-only” $ testBotTeamOnlyConv conf db b g c, test p “message” $ testMessageBotTeam conf db b g c, test p “delete conv” $ testDeleteConvBotTeam conf db b g c, @@ -566,6 +567,30 @@ testAddBotBlocked config db brig galley = withTestService config db brig defServ const 403 === statusCode const (Just “access-denied”) === fmap Error.label . responseJsonMaybe
testNonConvAdminCannotAddRemoveBot :: Config -> DB.ClientState -> Brig -> Galley -> Http () testNonConvAdminCannotAddRemoveBot config db brig galley = withTestService config db brig defServiceApp $ \sref _buf -> do let pid = sref ^. serviceRefProvider let sid = sref ^. serviceRefId (ownerId, tid) <- Team.createUserWithTeam brig member <- Team.createTeamMember brig galley ownerId tid fullPermissions let memberId = userId member whitelistService brig ownerId tid pid sid cid <- Team.createTeamConvWithRole roleNameWireMember galley tid ownerId [memberId] Nothing addBot brig memberId pid sid cid !!! do const 403 === statusCode const (Just “access-denied”) === fmap Error.label . responseJsonMaybe rs <- responseJsonError =<< addBot brig ownerId pid sid cid <!! const 201 === statusCode let bid = rsAddBotId rs buid = botUserId bid getUser brig ownerId buid !!! const 200 === statusCode removeBot brig memberId cid bid !!! do const 403 === statusCode const (Just “access-denied”) === fmap Error.label . responseJsonMaybe – also check the internal galley API removeBotInternal galley memberId cid bid !!! do const 403 === statusCode const (Just “action-denied”) === fmap Error.label . responseJsonMaybe
testGetBotConvBlocked :: Config -> DB.ClientState -> Brig -> Galley -> Cannon -> Http () testGetBotConvBlocked config db brig galley cannon = withTestService config db brig defServiceApp $ \sref buf -> do (user1, userId -> u2, _, tid, cid, pid, sid) <- prepareBotUsersTeam brig galley sref @@ -1305,6 +1330,31 @@ removeBot brig uid cid bid = . header “Z-User” (toByteString’ uid) . header “Z-Connection” “conn”
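Review bot: The two denied removals at the end of testNonConvAdminCannotAddRemoveBot (the `removeBot brig memberId cid bid` and `removeBotInternal galley memberId cid bid` calls) assert only the 403 status and the error label, but never re-check that the bot survived the rejected request, so a regression in which galley answers 403 after already dropping the bot membership — presumably the "dead bot" the commit title refers to — would still pass. Re-asserting `getUser brig ownerId buid !!! const 200 === statusCode` after each denied removal, and ideally a check that `cid` still lists the bot as a member, would pin the property the fix is meant to guarantee; `buid` is already bound from the `rsAddBotId rs` result, so no extra setup is needed. The positive path (a conversation admin successfully removing the bot) is not covered here and is presumably exercised by testAddRemoveBotTeam, which is registered in the hunk at line 148.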
data RemoveBot = RemoveBot { _rmBotConv :: !ConvId, _rmBotId :: !BotId }
instance ToJSON RemoveBot where toJSON a = object [ “conversation” .= _rmBotConv a, “bot” .= _rmBotId a ]
removeBotInternal :: Galley -> UserId -> ConvId -> BotId -> Http ResponseLBS removeBotInternal galley uid cid bid = delete $ galley . paths ["i", “bots”] . header “Z-User” (toByteString’ uid) . Bilge.json (RemoveBot cid bid)
createConv :: Galley -> UserId ->