NoSQL-Injection discloses S3 File Upload URLs
Team Summary
Official summary from Rocket.Chat
## Summary

A NoSQL-Injection vulnerability in the `getS3FileUrl` Meteor server method can disclose arbitrary file upload URLs to users who should not be able to access them.

## Description

The `fileId` argument of the `getS3FileUrl` Meteor server method is not validated and can contain a regular expression. The File Upload lookup result in [app/file-upload/server/methods/getS3FileUrl.js#L18](https://github.com/RocketChat/Rocket.Chat/blob/46c7b7e89fc569bf7acf408dd260f188996fb33a/app/file-upload/server/methods/getS3FileUrl.js#L18) is returned to the requesting user, regardless of the user's ability to access the file.

```javascript
Meteor.methods({
	async getS3FileUrl(fileId) {
		if (protectedFiles && !Meteor.userId()) {
			throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'sendFileMessage' });
		}

		// fileId is passed straight to the lookup; an object such as { $regex: ... } is accepted as a query operator
		const file = await Uploads.findOneById(fileId);
		return UploadFS.getStore('AmazonS3:Uploads').getRedirectURL(file);
	},
});
```

The S3 storage URL functions as a secret: no further access checks occur once it is known, so disclosure of the URL also discloses the file contents.

## Releases Affected:

* 3.18.3
* 4.3.0
* develop
* 0.53.0

## Steps To Reproduce (from initial installation to vulnerability):

1. Log in to a Rocket.Chat instance with S3 storage enabled
2. Run the PoC to access the first file matching the Regular Expression pattern

## Supporting Material/References:

### Proof of Concept

```javascript
const pattern = ".*";
Meteor.call(
	"getS3FileUrl",
	{ $regex: pattern },
	(err, url) => { window.location.href = url }
);
```

## Suggested mitigation

* Check access to the file's room
* Require `fileId` to be a string

## Impact

Authenticated users can enumerate and access arbitrary file uploads they should not have access to.

## Fix

Fixed in versions 4.7.5, 4.8.2 and 5.0
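The following is an added example, not Rocket.Chat's own code, showing the two suggested mitigations side by side with the vulnerable shape. It uses a constructed in-memory `UPLOADS` list, a `findOneById` stand-in that mimics MongoDB's handling of an object selector (so `{ $regex: ".*" }` matches the first id, as the report describes), a constructed `getRedirectURL`, and an assumed `canAccessRoom(rid, userId)` helper that plays the role of the application's own room access check. Names, URLs and room data are all constructed for the example.

```javascript
// Constructed sample data: two uploads in two different rooms.
const UPLOADS = [
  { _id: 'abc123', rid: 'room-general', name: 'public.png' },
  { _id: 'xyz789', rid: 'room-private', name: 'secret.pdf' },
];

// Constructed access model for the assumed canAccessRoom helper.
const ROOM_MEMBERS = { 'room-general': ['alice'], 'room-private': ['bob'] };
function canAccessRoom(rid, userId) {
  return (ROOM_MEMBERS[rid] || []).includes(userId);
}

// Stand-in for Uploads.findOneById: a string selector matches the id exactly,
// while an object with $regex is interpreted as a query operator, which is the
// behaviour of a MongoDB findOne({ _id: selector }) lookup.
function findOneById(selector) {
  if (typeof selector === 'string') {
    return UPLOADS.find((u) => u._id === selector) || null;
  }
  if (selector && typeof selector === 'object' && typeof selector.$regex === 'string') {
    const re = new RegExp(selector.$regex);
    return UPLOADS.find((u) => re.test(u._id)) || null;
  }
  return null;
}

// Constructed stand-in for the S3 redirect URL; the URL is the only secret.
function getRedirectURL(file) {
  return `https://s3.example.invalid/uploads/${file._id}/${file.name}`;
}

// Vulnerable shape (mirrors the report): no argument type check, no room check.
function getS3FileUrlVulnerable(fileId, userId) {
  if (!userId) throw new Error('error-invalid-user');
  const file = findOneById(fileId);
  if (!file) throw new Error('error-file-not-found');
  return getRedirectURL(file);
}

// Hardened shape: reject anything that is not a plain string before it reaches
// the database, then check that the caller may access the file's room.
function getS3FileUrlHardened(fileId, userId, accessCheck) {
  if (!userId) throw new Error('error-invalid-user');
  if (typeof fileId !== 'string') {
    // { $regex: ... }, { $ne: ... } and every other operator object is refused here.
    throw new Error('error-invalid-arguments');
  }
  const file = findOneById(fileId);
  if (!file) throw new Error('error-file-not-found');
  if (!accessCheck(file.rid, userId)) throw new Error('error-not-allowed');
  return getRedirectURL(file);
}

// Usage: alice is only a member of room-general.
console.log(getS3FileUrlVulnerable({ $regex: '.*' }, 'alice')); // operator object matches the first upload
console.log(getS3FileUrlHardened('abc123', 'alice', canAccessRoom)); // own room: allowed
try {
  getS3FileUrlHardened({ $regex: '.*' }, 'alice', canAccessRoom);
} catch (e) {
  console.log(e.message); // error-invalid-arguments
}
```

In a real Meteor method the type check is usually written as `check(fileId, String)` from `meteor/check`, which throws a `Match.Error` for operator objects; the `typeof` test above is the same idea without the package dependency. The room check must use the application's own membership logic rather than the constructed `ROOM_MEMBERS` table.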
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Information Disclosure