From c7f6c5c6b447171d932181f1cdb60364dbfb0216 Mon Sep 17 00:00:00 2001
From: Luna Mendes
Date: Wed, 21 Nov 2018 21:09:19 -0300
Subject: [PATCH] gateway.websocket: add READ_MESSAGES check on OP 14 handler
this should make sure to not leak information through shard queries.
---
 litecord/gateway/websocket.py | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/litecord/gateway/websocket.py b/litecord/gateway/websocket.py
index 0b69bd5..cb95714 100644
--- a/litecord/gateway/websocket.py
+++ b/litecord/gateway/websocket.py
@@ -6,21 +6,25 @@ import json
 from typing import List, Dict, Any
 from random import randint
-import earl
 import websockets
 from logbook import Logger
+import earl
-from litecord.errors import WebsocketClose, Unauthorized, Forbidden, BadRequest
 from litecord.auth import raw_token_check
 from litecord.enums import RelationshipType
 from litecord.schemas import validate, GW_STATUS_UPDATE
 from litecord.utils import task_wrapper
+from litecord.permissions import get_permissions
-from .errors import DecodeError, UnknownOPCode, \
- InvalidShard, ShardingRequired
-from .opcodes import OP
-from .state import GatewayState
+from litecord.gateway.opcodes import OP
+from litecord.gateway.state import GatewayState
+from litecord.errors import (
+ WebsocketClose, Unauthorized, Forbidden, BadRequest
+)
+from .errors import (
+ DecodeError, UnknownOPCode, InvalidShard, ShardingRequired
+)
 log = Logger(__name__)
 WebsocketProperties = collections.namedtuple(
@@ -788,7 +792,12 @@ class GatewayWebsocket:
 chan_id = int(chan_id)
 member_list = await lazy_guilds.get_gml(chan_id)
- # TODO: check read_messages permission
+ perms = await get_permissions(
+ self.state.user_id, chan_id, self.storage)
+
+ if not perms.read_messages:
+ # ignore requests to unknown channels
+ return
 await member_list.shard_query(
 self.state.session_id, ranges
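Review bot: In the second hunk the READ_MESSAGES check runs after `member_list = await lazy_guilds.get_gml(chan_id)`, so a request for a channel the user cannot read still reaches the member-list lookup before it is dropped; if `get_gml` creates or caches a list (not visible here), the `get_permissions` call and the `if not perms.read_messages:` guard belong directly after `chan_id = int(chan_id)`. The comment `# ignore requests to unknown channels` does not describe the condition, which tests a permission bit; `# ignore channels the user cannot read` would be accurate. If these lines sit inside a loop over the requested channels, which the hunk does not show, the bare `return` also discards every remaining channel in the payload, and `continue` would skip only the denied one. How `get_permissions` behaves for a channel id that does not exist, or for a user outside the guild, should be confirmed, since an exception there would surface to the client differently from the silent return. The handler's body starts and ends outside the hunk.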