

CVE-2022-0527: fix: Ongoing campaign URL validation (#3890) · chatwoot/chatwoot@a737f89

Cross-site Scripting (XSS) - Stored in Maven org.webjars.npm:github-com-chatwoot-chatwoot prior to 2.2.0.


@@ -15,7 +15,7 @@ context ‘when it is an authenticated user’ do let(:agent) { create(:user, account: account, role: :agent) } let(:administrator) { create(:user, account: account, role: :administrator) } let!(:campaign) { create(:campaign, account: account) } let!(:campaign) { create(:campaign, account: account, trigger_rules: { url: ‘https://test.com’ }) }
it ‘returns unauthorized for agents’ do get "/api/v1/accounts/#{account.id}/campaigns", @@ -38,7 +38,7 @@ end
describe ‘GET /api/v1/accounts/{account.id}/campaigns/:id’ do let(:campaign) { create(:campaign, account: account) } let(:campaign) { create(:campaign, account: account, trigger_rules: { url: ‘https://test.com’ }) }
context ‘when it is an unauthenticated user’ do it ‘returns unauthorized’ do @@ -107,6 +107,25 @@ expect(JSON.parse(response.body, symbolize_names: true)[:title]).to eq(‘test’) end
it ‘creates a new ongoing campaign’ do post "/api/v1/accounts/#{account.id}/campaigns", params: { inbox_id: inbox.id, title: 'test’, message: 'test message’, trigger_rules: { url: ‘https://test.com’ } }, headers: administrator.create_new_auth_token, as: :json
expect(response).to have_http_status(:success) expect(JSON.parse(response.body, symbolize_names: true)[:title]).to eq(‘test’) end
it ‘throws error when invalid url provided for ongoing campaign’ do post "/api/v1/accounts/#{account.id}/campaigns", params: { inbox_id: inbox.id, title: 'test’, message: 'test message’, trigger_rules: { url: ‘javascript’ } }, headers: administrator.create_new_auth_token, as: :json
expect(response).to have_http_status(:unprocessable_entity) end
it ‘creates a new oneoff campaign’ do twilio_sms = create(:channel_twilio_sms, account: account) twilio_inbox = create(:inbox, channel: twilio_sms) @@ -133,7 +152,7 @@
describe ‘PATCH /api/v1/accounts/{account.id}/campaigns/:id’ do let(:inbox) { create(:inbox, account: account) } let!(:campaign) { create(:campaign, account: account) } let!(:campaign) { create(:campaign, account: account, trigger_rules: { url: ‘https://test.com’ }) }
context ‘when it is an unauthenticated user’ do it ‘returns unauthorized’ do @@ -172,7 +191,7 @@
describe ‘DELETE /api/v1/accounts/{account.id}/campaigns/:id’ do let(:inbox) { create(:inbox, account: account) } let!(:campaign) { create(:campaign, account: account) } let!(:campaign) { create(:campaign, account: account, trigger_rules: { url: ‘https://test.com’ }) }
context ‘when it is an unauthenticated user’ do it ‘returns unauthorized’ do
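Review bot: The negative example added in the `@@ -107,6 +107,25 @@` hunk (`it 'throws error when invalid url provided for ongoing campaign'`) only sends the bare string `javascript`, which is not a parseable URL at all, so it would also pass under a validator that merely requires a scheme and host and does not pin the http(s)-only restriction the fix is meant to introduce; a second example with a well-formed but non-http(s) URL and one with a scheme but no host would make the expected contract explicit, each ending in the same `expect(response).to have_http_status(:unprocessable_entity)`. The positive case (`creates a new ongoing campaign`) asserts only `[:title]`; if `trigger_rules` is part of the response payload (not visible on this page), also asserting `[:trigger_rules][:url]` equals the submitted value would confirm the accepted URL is stored unchanged. The PATCH section (`@@ -133,7 +152,7 @@`) changes only the `let!(:campaign)` fixture and, as far as this page shows, adds no update request with an invalid `trigger_rules.url`, so the validation on the update path is left unasserted. The enclosing `describe`/`context` blocks begin and end outside these hunks.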
