Add some checking of channel ID before sending websocket event (#7431)

app/channel.go

@@ -1168,7 +1168,7 @@ func (a *App) ViewChannel(view *model.ChannelView, userId string, clearPushNotif
 		return result.Err
 	}
 
-	if *utils.Cfg.ServiceSettings.EnableChannelViewedMessages && len(view.ChannelId) > 0 {
+	if *utils.Cfg.ServiceSettings.EnableChannelViewedMessages && model.IsValidId(view.ChannelId) {
 		message := model.NewWebSocketEvent(model.WEBSOCKET_EVENT_CHANNEL_VIEWED, "", "", userId, nil)
 		message.Add("channel_id", view.ChannelId)
 		go Publish(message)

model/utils.go

@@ -18,6 +18,7 @@ import (
 	"strconv"
 	"strings"
 	"time"
+	"unicode"
 
 	goi18n "github.com/nicksnyder/go-i18n/i18n"
 	"github.com/pborman/uuid"
@@ -492,3 +493,17 @@ func IsValidNumberString(value string) bool {
 
 	return true
 }
+
+func IsValidId(value string) bool {
+	if len(value) != 26 {
+		return false
+	}
+
+	for _, r := range value {
+		if !unicode.IsLetter(r) && !unicode.IsNumber(r) {
+			return false
+		}
+	}
+
+	return true
+}

model/utils_test.go

@@ -331,3 +331,38 @@ func TestIsValidAlphaNumHyphenUnderscore(t *testing.T) {
 		}
 	}
 }
+
+func TestIsValidId(t *testing.T) {
+	cases := []struct {
+		Input  string
+		Result bool
+	}{
+		{
+			Input:  NewId(),
+			Result: true,
+		},
+		{
+			Input:  "",
+			Result: false,
+		},
+		{
+			Input:  "junk",
+			Result: false,
+		},
+		{
+			Input:  "qwertyuiop1234567890asdfg{",
+			Result: false,
+		},
+		{
+			Input:  NewId() + "}",
+			Result: false,
+		},
+	}
+
+	for _, tc := range cases {
+		actual := IsValidId(tc.Input)
+		if actual != tc.Result {
+			t.Fatalf("case: %v\tshould returned: %#v", tc, tc.Result)
+		}
+	}
+}