Merge pull request #4659 from capilkey/2.1-message-whitelist

Add a message whitelist

bbb-apps-common/src/main/scala/org/bigbluebutton/client/meeting/AllowedMessageNames.scala

+package org.bigbluebutton.client.meeting
+
+import scala.collection.immutable.HashSet
+
+class AllowedMessageNames {
+  
+}
+
+object AllowedMessageNames {
+  val MESSAGES = HashSet(
+      // User Messages
+      "ValidateAuthTokenReqMsg", "GetUsersMeetingReqMsg","GetGuestsWaitingApprovalReqMsg","UserJoinMeetingReqMsg","UserJoinMeetingAfterReconnectReqMsg","AssignPresenterReqMsg","ChangeUserEmojiCmdMsg","CreateBreakoutRoomsCmdMsg","RequestBreakoutJoinURLReq","TransferUserToMeetingRequestMsg","EndAllBreakoutRoomsMsg","UserBroadcastCamStartMsg","UserBroadcastCamStopMsg","LogoutAndEndMeetingCmdMsg","GetRecordingStatusReqMsg","BreakoutRoomsListMsg","MeetingActivityResponseCmdMsg","SetRecordingStatusCmdMsg","MuteMeetingCmdMsg","MuteAllExceptPresentersCmdMsg","MuteUserCmdMsg","EjectUserFromVoiceCmdMsg","EjectUserFromMeetingCmdMsg","AddUserToPresenterGroupCmdMsg","RemoveUserFromPresenterGroupCmdMsg","GetPresenterGroupReqMsg","IsMeetingMutedReqMsg","LockUsersInMeetingCmdMsg","LockUserInMeetingCmdMsg","GetLockSettingsReqMsg","ChangeLockSettingsInMeetingCmdMsg","ChangeUserRoleCmdMsg","GetGuestPolicyReqMsg","SetGuestPolicyCmdMsg","GuestsWaitingApprovedMsg",
+      // Chat Messages
+      "GetGroupChatsReqMsg","GetGroupChatMsgsReqMsg","SendGroupChatMessageMsg","ClearPublicChatHistoryPubMsg","CreateGroupChatReqMsg",
+      // Presentation Messages
+      "ResizeAndMovePagePubMsg","SetCurrentPresentationPubMsg","SetCurrentPagePubMsg","GetPresentationInfoReqMsg","GetAllPresentationPodsReqMsg","RemovePresentationPubMsg","PresentationUploadTokenReqMsg","CreateNewPresentationPodPubMsg","RemovePresentationPodPubMsg","SetPresenterInPodReqMsg",
+      // Whiteboard Messages
+      "ModifyWhiteboardAccessPubMsg","GetWhiteboardAccessReqMsg","UndoWhiteboardPubMsg","ClearWhiteboardPubMsg","GetWhiteboardAnnotationsReqMsg","SendWhiteboardAnnotationPubMsg","SendCursorPositionPubMsg","ClientToServerLatencyTracerMsg",
+      // Polling Messages
+      "StartCustomPollReqMsg","StartPollReqMsg","StopPollReqMsg","RespondToPollReqMsg","ShowPollResultReqMsg","HidePollResultReqMsg",
+      // Screenshare Messages
+      "GetScreenshareStatusReqMsg",
+      // Caption Messages
+      "SendCaptionHistoryReqMsg","UpdateCaptionOwnerPubMsg","EditCaptionHistoryPubMsg",
+      // Shared Notes Messages
+      "GetSharedNotesPubMsg","CreateSharedNoteReqMsg","DestroySharedNoteReqMsg","UpdateSharedNoteReqMsg","SyncSharedNotePubMsg","ClearSharedNotePubMsg",
+      // Layout Messages
+      "GetCurrentLayoutReqMsg","BroadcastLayoutMsg")
+}
\ No newline at end of file

bbb-apps-common/src/main/scala/org/bigbluebutton/client/meeting/UserActor.scala

@@ -94,25 +94,35 @@ class UserActor(val userId: String,
     val (result, error) = Deserializer.toBbbCoreMessageFromClient(msg.json)
     result match {
       case Some(msgFromClient) =>
-        val routing = Routing.addMsgFromClientRouting(msgFromClient.header.meetingId, msgFromClient.header.userId)
-        val envelope = new BbbCoreEnvelope(msgFromClient.header.name, routing)
-
-        if (msgFromClient.header.name == "ClientToServerLatencyTracerMsg") {
-          log.info("-- trace -- " + msg.json)
-        }
-
-        // Override the meetingId and userId on the message from client. This
-        // will prevent spoofing of messages. (ralam oct 30, 2017)
-        val newHeader = BbbClientMsgHeader(msgFromClient.header.name, meetingId, userId)
-        val msgClient = msgFromClient.copy(header = newHeader)
-        val json = JsonUtil.toJson(msgClient)
-        for {
-          jsonNode <- convertToJsonNode(json)
-        } yield {
-          val akkaMsg = BbbCommonEnvJsNodeMsg(envelope, jsonNode)
-          msgToAkkaAppsEventBus.publish(MsgToAkkaApps(toAkkaAppsChannel, akkaMsg))
+        if (!AllowedMessageNames.MESSAGES.contains(msgFromClient.header.name)) {
+          // If the message that the client sends isn't allowed disconnect them.
+          log.error("User (" + userId + ") tried to send a non-whitelisted message with name=[" + msgFromClient.header.name + "] attempting to disconnect them")
+          for {
+            conn <- Connections.findActiveConnection(conns)
+          } yield {
+            msgToClientEventBus.publish(MsgToClientBusMsg(toClientChannel, DisconnectClientMsg(meetingId, conn.connId)))
+          }
+        } else {
+          // Override the meetingId and userId on the message from client. This
+          // will prevent spoofing of messages. (ralam oct 30, 2017)
+          val newHeader = BbbClientMsgHeader(msgFromClient.header.name, meetingId, userId)
+          val msgClient = msgFromClient.copy(header = newHeader)
+          
+          val routing = Routing.addMsgFromClientRouting(msgClient.header.meetingId, msgClient.header.userId)
+          val envelope = new BbbCoreEnvelope(msgClient.header.name, routing)
+  
+          if (msgClient.header.name == "ClientToServerLatencyTracerMsg") {
+            log.info("-- trace -- " + msg.json)
+          }
+  
+          val json = JsonUtil.toJson(msgClient)
+          for {
+            jsonNode <- convertToJsonNode(json)
+          } yield {
+            val akkaMsg = BbbCommonEnvJsNodeMsg(envelope, jsonNode)
+            msgToAkkaAppsEventBus.publish(MsgToAkkaApps(toAkkaAppsChannel, akkaMsg))
+          }
         }
-
       case None =>
         log.error("Failed to convert message with error: " + error)
     }