CVE-2022-1021: fix: Referer URL validation (#4309) · chatwoot/chatwoot@24b20c1

Insecure Storage of Sensitive Information in GitHub repository chatwoot/chatwoot prior to 2.6.0.


@@ -46,12 +46,14 @@ class Conversation < ApplicationRecord include AssignmentHandler include RoundRobinHandler include ActivityMessageHandler include UrlHelper
validates :account_id, presence: true validates :inbox_id, presence: true before_validation :validate_additional_attributes validates :additional_attributes, jsonb_attributes_length: true validates :custom_attributes, jsonb_attributes_length: true validate :validate_referer_url
enum status: { open: 0, resolved: 1, pending: 2, snoozed: 3 }
@@ -242,6 +244,12 @@ def mute_period 6.hours end
def validate_referer_url return unless additional_attributes[‘referer’]
self[‘additional_attributes’][‘referer’] = nil unless url_valid?(additional_attributes[‘referer’]) end
# creating db triggers trigger.before(:insert).for_each(:row) do “NEW.display_id := nextval(‘conv_dpid_seq_’ || NEW.account_id);”
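
Review bot: in the first hunk (`@@ -46,12 +46,14 @@`), `validate :validate_referer_url` registers the method as a validation, yet the method shown in the second hunk never adds to `errors`; it rewrites `additional_attributes['referer']` in place. That is normalization rather than validation, so it would read more clearly next to the existing `before_validation :validate_additional_attributes` callback, or under a name that says the value is cleared. As written, a reader may expect an invalid referer to make the record invalid, which it does not.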
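
Review bot: in `validate_referer_url` (second hunk, `@@ -242,6 +244,12 @@`), the whole check rests on `url_valid?`, which comes from the `UrlHelper` include in the first hunk and is not defined anywhere in this diff. A comment above the method should state what `url_valid?` accepts, in particular which URL schemes, so the rule can be reviewed without opening the helper. The guard also calls `[]` on `additional_attributes` directly, which assumes the attribute is already a hash at this point. An invalid value is set to nil without any trace; a model spec covering a valid referer, an invalid referer and a missing key would pin that behaviour down.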
