7f6a98fd7a
* [MM-66789] Fix arbitrary file read vulnerability in advanced logging
Add path validation to prevent reading files outside the logging root
directory via GetAdvancedLogs (used in support packet generation).
Security controls:
- Validate file paths are within logging root before reading
- Support MM_LOG_PATH environment variable to allow system admins
to configure a custom logging root directory
- Resolve symlinks to prevent bypass attacks
- Detect and block path traversal attempts
Also adds:
- Audit logging for support packet generation
- Config-time validation that logs errors for paths outside logging
root (will become blocking in future version)
- Comprehensive test coverage for path validation
* Update server/channels/app/platform/log_test.go
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fix linter errors
* Update server/channels/api4/system.go
Co-authored-by: Ben Schumacher <ben.schumacher@mattermost.com>
* Simplify unit tests for platform/log_test.go by moving some test logic to config/logger_test.go
* Fix unit tests requiring logging root to be set
* enforce LogSettings.FileLocation path validation; simplify path checking
* fix linter errors
* use dir in logging root for all unit test logging
* MM_LOG_PATH is set once, centrally, for all tests
* fix flaky test
* fix flaky test
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Mattermost Build <build@mattermost.com>
Co-authored-by: Ben Schumacher <ben.schumacher@mattermost.com>
|
||
|---|---|---|
| .github | ||
| api | ||
| e2e-tests | ||
| server | ||
| tools | ||
| webapp | ||
| .editorconfig | ||
| .gitignore | ||
| .gitpod.yml | ||
| .nvmrc | ||
| CHANGELOG.md | ||
| CODEOWNERS | ||
| CONTRIBUTING.md | ||
| enable-claude-docs.sh | ||
| LICENSE.enterprise | ||
| LICENSE.txt | ||
| NOTICE.txt | ||
| README.md | ||
| SECURITY.md | ||
Mattermost is an open core, self-hosted collaboration platform that offers chat, workflow automation, voice calling, screen sharing, and AI integration. This repo is the primary source for core development on the Mattermost platform; it's written in Go and React, runs as a single Linux binary, and relies on PostgreSQL. A new compiled version is released under an MIT license every month on the 16th.
Deploy Mattermost on-premises, or try it for free in the cloud.
Learn more about the following use cases with Mattermost:
Other useful resources:
- Download and Install Mattermost - Install, setup, and configure your own Mattermost instance.
- Product documentation - Learn how to run a Mattermost instance and take advantage of all the features.
- Developer documentation - Contribute code to Mattermost or build an integration via APIs, Webhooks, slash commands, Apps, and plugins.
Table of contents
- Install Mattermost
- Native mobile and desktop apps
- Get security bulletins
- Get involved
- Learn more
- License
- Get the latest news
- Contributing
Install Mattermost
- Download and Install Mattermost Self-Hosted - Deploy a Mattermost Self-hosted instance in minutes via Docker, Ubuntu, or tar.
- Get started in the cloud to try Mattermost today.
- Developer machine setup - Follow this guide if you want to write code for Mattermost.
Other install guides:
- Deploy Mattermost on Docker
- Mattermost Omnibus
- Install Mattermost from Tar
- Ubuntu 20.04 LTS
- Kubernetes
- Helm
- Debian Buster
- RHEL 8
- More server install guides
Native mobile and desktop apps
In addition to the web interface, you can also download Mattermost clients for Android, iOS, Windows PC, macOS, and Linux.
Get security bulletins
Receive notifications of critical security updates. The sophistication of online attackers is perpetually increasing. If you're deploying Mattermost it's highly recommended you subscribe to the Mattermost Security Bulletin mailing list for updates on critical security releases.
Get involved
- Contribute to Mattermost
- Find "Help Wanted" projects
- Join Developer Discussion on a Mattermost server for contributors
- Get Help With Mattermost
Learn more
- API options - webhooks, slash commands, drivers, and web service
- See who's using Mattermost
- Browse over 700 Mattermost integrations
License
See the LICENSE file for license rights and limitations.
Get the latest news
- X - Follow Mattermost on X, formerly Twitter.
- Blog - Get the latest updates from the Mattermost blog.
- Facebook - Follow Mattermost on Facebook.
- LinkedIn - Follow Mattermost on LinkedIn.
- Email - Subscribe to our newsletter (1 or 2 per month).
- Mattermost - Join the ~contributors channel on the Mattermost Community Server.
- IRC - Join the #matterbridge channel on Freenode (thanks to matterircd).
- YouTube - Subscribe to Mattermost.
Contributing
Please see CONTRIBUTING.md. Join the Mattermost Contributors server to join community discussions about contributions, development, and more.