Message ID Enumeration with Regular Expression in getReadReceipts Meteor method

Medium
Rocket.Chat
Team Summary

Official summary from Rocket.Chat

## Summary

The `getReadReceipts` Meteor server method does not properly filter user inputs that are passed to MongoDB queries, allowing `$regex` queries to enumerate arbitrary Message IDs.

## Description

Authenticated users are able to query the `getReadReceipts` Meteor server method to enumerate existing Message IDs:

```javascript
Meteor.call("getReadReceipts", { messageId: { $regex: ".*" } }, (...args) => console.log(...args));
```

When guessing individual characters of a message in the `$regex` MongoDB query of the `messageId` parameter, the server will respond with an error in case a message does not exist and return an (empty) list in case it does.

## Releases Affected:

* 3.18.2
* 4.0.3

## Steps To Reproduce (from initial installation to vulnerability):

1. Login to Rocket.Chat as any authenticated user
2. Query `getReadReceipts` with `$regex`
3. Repeat step 2 until the full Message ID has been found

## Supporting Material/References:

* [imports/message-read-receipt/server/api/methods/getReadReceipts.js](https://github.com/radicallyopensecurity/Rocket.Chat/blob/de7676ab92000e17ea1a829486ec3388ca8869ad/imports/message-read-receipt/server/api/methods/getReadReceipts.js)

## Suggested mitigation

* Filter the `messageId` parameter of the Meteor method

## Impact

An adversary can enumerate existing Message IDs on the server with Regular Expression pattern matching.

## Fix

Fixed in versions 4.7.5, 4.8.2 and 5.0.0
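The root cause described above is that a client-controlled value is used directly as a MongoDB query value, so an object with a `$`-prefixed key is interpreted as an operator. The following added example (not Rocket.Chat's code) contrasts that pattern with a guard that only admits plain strings; the ID alphabet and length in `ID_PATTERN` are assumptions, not the project's real format.

```javascript
// Added example (not Rocket.Chat code): an unvalidated messageId becomes a
// query value, so { $regex: ".*" } is treated by MongoDB as an operator.

// Vulnerable shape: the client's value is embedded in the query untouched.
function buildQueryUnsafe(messageId) {
  return { _id: messageId };
}

// Returns true if a value would be read by MongoDB as an operator
// expression, i.e. an object with at least one "$"-prefixed key (recursive).
function containsOperator(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(
    (k) => k.startsWith('$') || containsOperator(value[k])
  );
}

// Hardened shape: accept only a plain string that looks like an ID.
// Assumed alphabet/length; adjust to the real ID format of the application.
const ID_PATTERN = /^[A-Za-z0-9]{1,64}$/;

function validateMessageId(messageId) {
  if (typeof messageId !== 'string') {
    throw new TypeError('messageId must be a string');
  }
  if (!ID_PATTERN.test(messageId)) {
    throw new RangeError('messageId has an unexpected format');
  }
  return messageId;
}

function buildQuerySafe(messageId) {
  return { _id: validateMessageId(messageId) };
}

// Constructed inputs: a benign ID and the operator object from the report.
const benignInput = 'AbC123xyz';
const hostileInput = { $regex: '.*' };

for (const input of [benignInput, hostileInput]) {
  const unsafe = buildQueryUnsafe(input);
  console.log('unsafe query:', JSON.stringify(unsafe),
              'contains operator:', containsOperator(unsafe));
  try {
    console.log('safe query:', JSON.stringify(buildQuerySafe(input)));
  } catch (e) {
    console.log('safe path rejected input:', e.message);
  }
}
```

The `containsOperator` check is a useful second line of defence (or a detection hook for logging) on any handler that forwards request fields into queries, independent of the per-field type check.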

Reported by gronke

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Information Disclosure