fix: harden BigBlueButton app install flow

Author: Richard Nevins

packages/app-store/bigbluebutton/api/add.ts

@@ -1,34 +1,81 @@
 import { throwIfNotHaveAdminAccessToTeam } from "@calcom/app-store/_utils/throwIfNotHaveAdminAccessToTeam";
+import { ErrorCode } from "@calcom/lib/errorCodes";
+import { ErrorWithCode } from "@calcom/lib/errors";
 import { getServerErrorFromUnknown } from "@calcom/lib/server/getServerErrorFromUnknown";
 import prisma from "@calcom/prisma";
 import type { NextApiRequest, NextApiResponse } from "next";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
 
-export default async function handler(req: NextApiRequest, res: NextApiResponse) {
+const getSingleQueryValue = (value: string | string[] | undefined) =>
+  Array.isArray(value) ? value[0] : value;
+
+const getTeamId = (value: string | string[] | undefined) => {
+  const rawTeamId = getSingleQueryValue(value);
+  if (!rawTeamId) {
+    return null;
+  }
+
+  if (!/^\d+$/.test(rawTeamId)) {
+    throw new ErrorWithCode(ErrorCode.BadRequest, "Invalid teamId");
+  }
+
+  return Number(rawTeamId);
+};
+
+const getSafeReturnTo = (value: string | string[] | undefined) => {
+  const returnTo = getSingleQueryValue(value);
+  if (
+    !returnTo ||
+    !returnTo.startsWith("/") ||
+    returnTo.startsWith("//") ||
+    /^[a-z][a-z\d+.-]*:/i.test(returnTo)
+  ) {
+    return getInstalledAppPath({
+      variant: "conferencing",
+      slug: "bigbluebutton",
+    });
+  }
+
+  return returnTo;
+};
+
+export default async function handler(
+  req: NextApiRequest,
+  res: NextApiResponse,
+) {
   if (!req.session?.user?.id) {
-    return res.status(401).json({ message: "You must be logged in to do this" });
+    return res
+      .status(401)
+      .json({ message: "You must be logged in to do this" });
   }
 
   const { teamId, returnTo } = req.query;
 
-  await throwIfNotHaveAdminAccessToTeam({
-    teamId: teamId ? Number(teamId) : null,
-    userId: req.session.user.id,
-  });
+  try {
+    const teamIdNumber = getTeamId(teamId);
+
+    await throwIfNotHaveAdminAccessToTeam({
+      teamId: teamIdNumber,
+      userId: req.session.user.id,
+    });
 
-  const installForObject = teamId ? { teamId: Number(teamId) } : { userId: req.session.user.id };
-  const appType = "bigbluebutton_video";
+    const installForObject = teamIdNumber
+      ? { teamId: teamIdNumber }
+      : { userId: req.session.user.id };
+    const appType = "bigbluebutton_video";
 
-  try {
     const alreadyInstalled = await prisma.credential.findFirst({
       where: {
         type: appType,
         ...installForObject,
       },
+      select: {
+        id: true,
+      },
     });
 
     if (alreadyInstalled) {
-      throw new Error("Already installed");
+      throw new ErrorWithCode(ErrorCode.BookingConflict, "Already installed");
     }
 
     const installation = await prisma.credential.create({
@@ -38,17 +85,25 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
         ...installForObject,
         appId: "bigbluebutton",
       },
+      select: {
+        id: true,
+      },
     });
 
     if (!installation) {
-      throw new Error("Unable to create user credential for bigbluebutton");
+      throw new ErrorWithCode(
+        ErrorCode.InternalServerError,
+        "Unable to create user credential for bigbluebutton",
+      );
     }
   } catch (error: unknown) {
     const httpError = getServerErrorFromUnknown(error);
-    return res.status(httpError.statusCode).json({ message: httpError.message });
+    return res
+      .status(httpError.statusCode)
+      .json({ message: httpError.message });
   }
 
   return res.status(200).json({
-    url: returnTo ?? getInstalledAppPath({ variant: "conferencing", slug: "bigbluebutton" }),
+    url: getSafeReturnTo(returnTo),
   });
 }

packages/app-store/bigbluebutton/lib/VideoApiAdapter.ts

@@ -1,7 +1,10 @@
 import { createHash, randomUUID } from "node:crypto";
 import type { CalendarEvent, EventBusyDate } from "@calcom/types/Calendar";
 import type { PartialReference } from "@calcom/types/EventManager";
-import type { VideoApiAdapter, VideoCallData } from "@calcom/types/VideoApiAdapter";
+import type {
+  VideoApiAdapter,
+  VideoCallData,
+} from "@calcom/types/VideoApiAdapter";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
 import { metadata } from "../_metadata";
 
@@ -18,10 +21,22 @@ const normalizeApiUrl = (serverUrl: string) => {
 const checksum = (method: string, query: string, sharedSecret: string) =>
   createHash("sha1").update(`${method}${query}${sharedSecret}`).digest("hex");
 
-const deriveMeetingPassword = (role: "attendee" | "moderator", meetingID: string, sharedSecret: string) =>
-  createHash("sha256").update(`${role}:${meetingID}:${sharedSecret}`).digest("hex").slice(0, 24);
-
-const buildApiUrl = (apiUrl: string, method: string, params: URLSearchParams, sharedSecret: string) => {
+const deriveMeetingPassword = (
+  role: "attendee" | "moderator",
+  meetingID: string,
+  sharedSecret: string,
+) =>
+  createHash("sha256")
+    .update(`${role}:${meetingID}:${sharedSecret}`)
+    .digest("hex")
+    .slice(0, 24);
+
+const buildApiUrl = (
+  apiUrl: string,
+  method: string,
+  params: URLSearchParams,
+  sharedSecret: string,
+) => {
   const query = params.toString();
   const signedQuery = new URLSearchParams(params);
   signedQuery.set("checksum", checksum(method, query, sharedSecret));
@@ -37,7 +52,9 @@ const assertSuccessResponse = async (response: Response) => {
 };
 
 const getBigBlueButtonConfig = async () => {
-  const appKeys = (await getAppKeysFromSlug(metadata.slug)) as BigBlueButtonKeys;
+  const appKeys = (await getAppKeysFromSlug(
+    metadata.slug,
+  )) as BigBlueButtonKeys;
   const serverUrl = appKeys.bigBlueButtonServerUrl?.trim();
   const sharedSecret = appKeys.bigBlueButtonSharedSecret?.trim();
 
@@ -59,8 +76,16 @@ const BigBlueButtonVideoApiAdapter = (): VideoApiAdapter => {
     createMeeting: async (eventData: CalendarEvent): Promise<VideoCallData> => {
       const { apiUrl, sharedSecret } = await getBigBlueButtonConfig();
       const meetingID = eventData.uid || randomUUID();
-      const attendeePassword = deriveMeetingPassword("attendee", meetingID, sharedSecret);
-      const moderatorPassword = deriveMeetingPassword("moderator", meetingID, sharedSecret);
+      const attendeePassword = deriveMeetingPassword(
+        "attendee",
+        meetingID,
+        sharedSecret,
+      );
+      const moderatorPassword = deriveMeetingPassword(
+        "moderator",
+        meetingID,
+        sharedSecret,
+      );
 
       const createParams = new URLSearchParams({
         name: eventData.title,
@@ -70,7 +95,12 @@ const BigBlueButtonVideoApiAdapter = (): VideoApiAdapter => {
         record: "false",
       });
 
-      const createUrl = buildApiUrl(apiUrl, "create", createParams, sharedSecret);
+      const createUrl = buildApiUrl(
+        apiUrl,
+        "create",
+        createParams,
+        sharedSecret,
+      );
       await assertSuccessResponse(await fetch(createUrl));
 
       const joinParams = new URLSearchParams({
@@ -89,21 +119,35 @@ const BigBlueButtonVideoApiAdapter = (): VideoApiAdapter => {
     },
     deleteMeeting: async (uid: string): Promise<void> => {
       const { apiUrl, sharedSecret } = await getBigBlueButtonConfig();
-      const moderatorPassword = deriveMeetingPassword("moderator", uid, sharedSecret);
+      const moderatorPassword = deriveMeetingPassword(
+        "moderator",
+        uid,
+        sharedSecret,
+      );
 
       const endParams = new URLSearchParams({
         meetingID: uid,
         password: moderatorPassword,
       });
 
-      await assertSuccessResponse(await fetch(buildApiUrl(apiUrl, "end", endParams, sharedSecret)));
+      await assertSuccessResponse(
+        await fetch(buildApiUrl(apiUrl, "end", endParams, sharedSecret)),
+      );
     },
     updateMeeting: (bookingRef: PartialReference): Promise<VideoCallData> => {
+      const { meetingId, meetingPassword, meetingUrl } = bookingRef;
+
+      if (!meetingId || !meetingPassword || !meetingUrl) {
+        throw new Error(
+          "BigBlueButton booking reference is missing meeting data",
+        );
+      }
+
       return Promise.resolve({
         type: metadata.type,
-        id: bookingRef.meetingId as string,
-        password: bookingRef.meetingPassword as string,
-        url: bookingRef.meetingUrl as string,
+        id: meetingId,
+        password: meetingPassword,
+        url: meetingUrl,
       });
     },
   };