Merge pull request #734 from MaddyUnderStars/fix/sanitisation

Fix users arbitrarily editing their own User object, and disallow sending messages to certain channels ( eg categories )

api/scripts/generate_schema.js

@@ -31,7 +31,6 @@ const Excluded = [
 ];
 
 function modify(obj) {
-	delete obj.additionalProperties;
 	for (var k in obj) {
 		if (typeof obj[k] === "object" && obj[k] !== null) {
 			modify(obj[k]);

api/src/routes/channels/#channel_id/messages/index.ts

@@ -183,6 +183,9 @@ router.post(
 			}
 		}
 		const channel = await Channel.findOneOrFail({ where: { id: channel_id }, relations: ["recipients", "recipients.user"] });
+		if (!channel.isWritable()) {
+			throw new HTTPError(`Cannot send messages to channel of type ${channel.type}`, 400)
+		}
 
 		const embeds = body.embeds || [];
 		if (body.embed) embeds.push(body.embed);
@@ -221,6 +224,8 @@ router.post(
 			);
 		}
 
+
+	
 		//Fix for the client bug
 		delete message.member
 		

api/src/routes/users/@me/index.ts

@@ -46,8 +46,6 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res:
 		}
 	}
 
-	user.assign(body);
-
 	if (body.new_password) {
 		if (!body.password && !user.email) {
 			throw FieldErrors({
@@ -66,6 +64,7 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res:
         }
     }
 
+	user.assign(body);
 	await user.save();
 
 	// @ts-ignore

util/src/entities/Channel.ts

@@ -352,6 +352,17 @@ export class Channel extends BaseClass {
 	isDm() {
 		return this.type === ChannelType.DM || this.type === ChannelType.GROUP_DM;
 	}
+
+	// Does the channel support sending messages ( eg categories do not )
+	isWritable() {
+		const disallowedChannelTypes = [
+			ChannelType.GUILD_CATEGORY,
+			ChannelType.GUILD_VOICE,		// TODO: Remove this when clients can send messages to voice channels on discord.com
+			ChannelType.GUILD_STAGE_VOICE,
+			ChannelType.VOICELESS_WHITEBOARD,
+		];
+		return disallowedChannelTypes.indexOf(this.type) == -1;
+	}
 }
 
 export interface ChannelPermissionOverwrite {