Message ID Enumeration with Action Link Handler
Team Summary
Official summary from Rocket.Chat
## Summary

The `actionLinkHandler` method was found to allow Message ID enumeration through regex MongoDB queries.

## Releases Affected

The Meteor method [actionLinkHandler](https://github.com/RocketChat/Rocket.Chat/blob/f1ce17dd71060a6faecde14e73f047aaad72afd0/app/action-links/server/actionLinkHandler.js#L12) calls the actionLinks wrapper `getMessage` to look up the affected message:

```javascript
Meteor.methods({
  actionLinkHandler(name, messageId) {
    if (!Meteor.userId()) {
      throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'actionLinkHandler' });
    }

    // messageId is passed through untouched; it is never checked to be a string
    const message = actionLinks.getMessage(name, messageId);

    const actionLink = message.actionLinks[name];

    actionLinks.actions[actionLink.method_id](message, actionLink.params);
  },
});
```

The [actionLinks.getMessage](https://github.com/RocketChat/Rocket.Chat/blob/develop/app/action-links/server/lib/actionLinks.js#L17) method does not validate the input data, so a `{ $regex: ".*" }` pattern can be used to enumerate existing messages via MongoDB injection.

```javascript
getMessage(name, messageId) {
  const userId = Meteor.userId();
  if (!userId) {
    throw new Meteor.Error('error-invalid-user', 'Invalid user', { function: 'actionLinks.getMessage' });
  }

  // an object such as { $regex: ".*" } is interpreted by MongoDB as a query operator here
  const message = Messages.findOne({ _id: messageId });
  if (!message) {
    throw new Meteor.Error('error-invalid-message', 'Invalid message', { function: 'actionLinks.getMessage' });
  }
  // ...
}
```

Whenever a Message ID does not match any existing message, the server responds with the `invalid-message` error. When it does exist, a different response (or error) is returned, so the guess can be evaluated.
```javascript
Meteor.call(
  "actionLinkHandler",
  "joinJitsiCall",
  { $regex: ".*" },
  console.log
);
```

Although only Message IDs (and not their content) can be enumerated, mitigating this issue matters because adversaries could chain it with other information-disclosure vulnerabilities that leak the content of a message once its ID is known.

## Steps To Reproduce (from initial installation to vulnerability)

1. Log in to Rocket.Chat
2. Query `actionLinkHandler` to check whether a message matches
3. Extend the static part of the regex
4. Repeat step 2

## Suggested mitigation

* Check that `messageId` is of type String

## Impact

Authenticated adversaries can enumerate the server for existing Message IDs.

## Fix

Fixed in 4.7.5, 4.8.2 and 5.0
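As an added illustration of the suggested mitigation (example code, not Rocket.Chat's own fix): a plain JavaScript type guard that refuses any non-string `messageId` before it can become part of a MongoDB selector, so operator objects like `{ $regex: ".*" }` never reach `findOne`. The function names, the length bound and the sample inputs are assumptions; inside a Meteor method the equivalent one-liner is `check(messageId, String)` from `meteor/check`.

```javascript
// Added example, not Rocket.Chat code. Assumed upper bound for an _id string.
const MESSAGE_ID_MAX_LENGTH = 64;

// Rejects anything that is not a plain, non-empty string of sane length.
function assertMessageId(messageId) {
  if (typeof messageId !== 'string') {
    // Objects such as { $regex: ".*" } or { $ne: null }, arrays and numbers
    // all land here and are refused before reaching Messages.findOne(...).
    throw new TypeError('messageId must be a string');
  }
  if (messageId.length === 0 || messageId.length > MESSAGE_ID_MAX_LENGTH) {
    throw new RangeError('messageId has an invalid length');
  }
  return messageId;
}

// Builds the selector that would be handed to Messages.findOne. Because the
// value is now known to be a string, MongoDB treats it as an equality match
// on _id and cannot interpret it as a query operator.
function buildMessageSelector(messageId) {
  return { _id: assertMessageId(messageId) };
}

// Reports, for each input, whether the guard would let it through; this is
// what a validating getMessage would do with the same values.
function classify(inputs) {
  return inputs.map((input) => {
    try {
      buildMessageSelector(input);
      return 'accepted';
    } catch (err) {
      return `rejected: ${err.constructor.name}`;
    }
  });
}

// Constructed sample inputs: one legitimate-looking ID followed by the kinds
// of values an injection attempt would send.
const samples = [
  'Ab12Cd34Ef56Gh78',
  { $regex: '.*' },
  { $ne: null },
  ['Ab12Cd34Ef56Gh78'],
  42,
  '',
];

console.log(classify(samples));
```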
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Information Disclosure