Merge remote-tracking branch 'upstream/develop' into develop

# Conflicts:
#	src/api/integrations/channel/whatsapp/whatsapp.baileys.service.ts

Author: mbap-dev

.env.example

@@ -62,6 +62,7 @@ RABBITMQ_EVENTS_MESSAGES_EDITED=false
 RABBITMQ_EVENTS_MESSAGES_UPDATE=false
 RABBITMQ_EVENTS_MESSAGES_DELETE=false
 RABBITMQ_EVENTS_SEND_MESSAGE=false
+RABBITMQ_EVENTS_SEND_MESSAGE_UPDATE=false
 RABBITMQ_EVENTS_CONTACTS_SET=false
 RABBITMQ_EVENTS_CONTACTS_UPSERT=false
 RABBITMQ_EVENTS_CONTACTS_UPDATE=false
@@ -108,6 +109,7 @@ PUSHER_EVENTS_MESSAGES_EDITED=true
 PUSHER_EVENTS_MESSAGES_UPDATE=true
 PUSHER_EVENTS_MESSAGES_DELETE=true
 PUSHER_EVENTS_SEND_MESSAGE=true
+PUSHER_EVENTS_SEND_MESSAGE_UPDATE=true
 PUSHER_EVENTS_CONTACTS_SET=true
 PUSHER_EVENTS_CONTACTS_UPSERT=true
 PUSHER_EVENTS_CONTACTS_UPDATE=true
@@ -149,6 +151,7 @@ WEBHOOK_EVENTS_MESSAGES_EDITED=true
 WEBHOOK_EVENTS_MESSAGES_UPDATE=true
 WEBHOOK_EVENTS_MESSAGES_DELETE=true
 WEBHOOK_EVENTS_SEND_MESSAGE=true
+WEBHOOK_EVENTS_SEND_MESSAGE_UPDATE=true
 WEBHOOK_EVENTS_CONTACTS_SET=true
 WEBHOOK_EVENTS_CONTACTS_UPSERT=true
 WEBHOOK_EVENTS_CONTACTS_UPDATE=true

CHANGELOG.md

@@ -1,3 +1,9 @@
+# 2.2.4 (hotfix)
+
+### Fixed
+
+* Shell injection vulnerability
+
 # 2.2.3 (2025-02-03 11:52)
 
 ### Fixed

Docker/swarm/evolution_api_v2.yaml

@@ -34,6 +34,7 @@ services:
       - RABBITMQ_EVENTS_MESSAGES_UPDATE=false
       - RABBITMQ_EVENTS_MESSAGES_DELETE=false
       - RABBITMQ_EVENTS_SEND_MESSAGE=false
+      - RABBITMQ_EVENTS_SEND_MESSAGE_UPDATE=false
       - RABBITMQ_EVENTS_CONTACTS_SET=false
       - RABBITMQ_EVENTS_CONTACTS_UPSERT=false
       - RABBITMQ_EVENTS_CONTACTS_UPDATE=false
@@ -71,6 +72,7 @@ services:
       - WEBHOOK_EVENTS_MESSAGES_UPDATE=true
       - WEBHOOK_EVENTS_MESSAGES_DELETE=true
       - WEBHOOK_EVENTS_SEND_MESSAGE=true
+      - WEBHOOK_EVENTS_SEND_MESSAGE_UPDATE=true
       - WEBHOOK_EVENTS_CONTACTS_SET=true
       - WEBHOOK_EVENTS_CONTACTS_UPSERT=true
       - WEBHOOK_EVENTS_CONTACTS_UPDATE=true

src/api/integrations/channel/whatsapp/whatsapp.baileys.service.ts

@@ -1135,39 +1135,39 @@ export class BaileysStartupService extends ChannelStartupService {
           const editedMessage =
             received?.message?.protocolMessage || received?.message?.editedMessage?.message?.protocolMessage;
 
-          if (received.message?.protocolMessage?.editedMessage || received.message?.editedMessage?.message) {
-            if (editedMessage) {
-              if (this.configService.get<Chatwoot>('CHATWOOT').ENABLED && this.localChatwoot?.enabled)
-                this.chatwootService.eventWhatsapp(
-                  'messages.edit',
-                  { instanceName: this.instance.name, instanceId: this.instance.id },
-                  editedMessage,
-                );
+          if (received.message?.protocolMessage?.editedMessage && editedMessage) {
+            if (this.configService.get<Chatwoot>('CHATWOOT').ENABLED && this.localChatwoot?.enabled)
+              this.chatwootService.eventWhatsapp(
+                'messages.edit',
+                { instanceName: this.instance.name, instanceId: this.instance.id },
+                editedMessage,
+              );
 
-              await this.sendDataWebhook(Events.MESSAGES_EDITED, editedMessage);
-              const oldMessage = await this.getMessage(editedMessage.key, true);
-              if ((oldMessage as any)?.id) {
-                await this.prismaRepository.message.update({
-                  where: { id: (oldMessage as any).id },
-                  data: {
-                    message: editedMessage.editedMessage as any,
-                    messageTimestamp: typeof editedMessage.timestampMs === 'number'
-                        ? editedMessage.timestampMs
-                        : (editedMessage.timestampMs as any).toNumber(),
-                    status: 'EDITED',
-                  },
-                });
-                await this.prismaRepository.messageUpdate.create({
-                  data: {
-                    fromMe: editedMessage.key.fromMe,
-                    keyId: editedMessage.key.id,
-                    remoteJid: editedMessage.key.remoteJid,
-                    status: 'EDITED',
-                    instanceId: this.instanceId,
-                    messageId: (oldMessage as any).id,
-                  },
-                });
-              }
+            await this.sendDataWebhook(Events.MESSAGES_EDITED, editedMessage);
+            const oldMessage = await this.getMessage(editedMessage.key, true);
+            if ((oldMessage as any)?.id) {
+              const editedMessageTimestamp = Long.isLong(editedMessage?.timestampMs)
+                ? editedMessage.timestampMs?.toNumber()
+                : (editedMessage.timestampMs as number);
+
+              await this.prismaRepository.message.update({
+                where: { id: (oldMessage as any).id },
+                data: {
+                  message: editedMessage.editedMessage as any,
+                  messageTimestamp: editedMessageTimestamp,
+                  status: 'EDITED',
+                },
+              });
+              await this.prismaRepository.messageUpdate.create({
+                data: {
+                  fromMe: editedMessage.key.fromMe,
+                  keyId: editedMessage.key.id,
+                  remoteJid: editedMessage.key.remoteJid,
+                  status: 'EDITED',
+                  instanceId: this.instanceId,
+                  messageId: (oldMessage as any).id,
+                },
+              });
             }
           }
 
@@ -1225,7 +1225,9 @@ export class BaileysStartupService extends ChannelStartupService {
             existingChat &&
             received.pushName &&
             existingChat.name !== received.pushName &&
-            received.pushName.trim().length > 0
+            received.pushName.trim().length > 0 &&
+            !received.key.fromMe &&
+            !received.key.remoteJid.includes('@g.us')
           ) {
             this.sendDataWebhook(Events.CHATS_UPSERT, [{ ...existingChat, name: received.pushName }]);
             if (this.configService.get<Database>('DATABASE').SAVE_DATA.CHATS) {
@@ -1331,7 +1333,12 @@ export class BaileysStartupService extends ChannelStartupService {
 
                   const { buffer, mediaType, fileName, size } = media;
                   const mimetype = mimeTypes.lookup(fileName).toString();
-                  const fullName = join(`${this.instance.id}`, received.key.remoteJid, mediaType, fileName);
+                  const fullName = join(
+                    `${this.instance.id}`,
+                    received.key.remoteJid,
+                    mediaType,
+                    `${Date.now()}_${fileName}`,
+                  );
                   await s3Service.uploadFile(fullName, buffer, size.fileLength?.low, {
                     'Content-Type': mimetype,
                   });
@@ -1579,7 +1586,6 @@ export class BaileysStartupService extends ChannelStartupService {
             const chatToInsert = {
               remoteJid: message.remoteJid,
               instanceId: this.instanceId,
-              name: message.pushName || '',
               unreadMessages: 0,
             };
 
@@ -2753,15 +2759,35 @@ export class BaileysStartupService extends ChannelStartupService {
         imageBuffer = Buffer.from(response.data, 'binary');
       }
 
-      const webpBuffer = await sharp(imageBuffer).webp().toBuffer();
+      const isAnimated = this.isAnimated(image, imageBuffer);
 
-      return webpBuffer;
+      if (isAnimated) {
+        return await sharp(imageBuffer, { animated: true }).webp({ quality: 80 }).toBuffer();
+      } else {
+        return await sharp(imageBuffer).webp().toBuffer();
+      }
     } catch (error) {
       console.error('Erro ao converter a imagem para WebP:', error);
       throw error;
     }
   }
 
+  private isAnimatedWebp(buffer: Buffer): boolean {
+    if (buffer.length < 12) return false;
+
+    return buffer.indexOf(Buffer.from('ANIM')) !== -1;
+  }
+
+  private isAnimated(image: string, buffer: Buffer): boolean {
+    const lowerCaseImage = image.toLowerCase();
+
+    if (lowerCaseImage.includes('.gif')) return true;
+
+    if (lowerCaseImage.includes('.webp')) return this.isAnimatedWebp(buffer);
+
+    return false;
+  }
+
   public async mediaSticker(data: SendStickerDto, file?: any) {
     const mediaData: SendStickerDto = { ...data };
 
@@ -3973,71 +3999,71 @@ export class BaileysStartupService extends ChannelStartupService {
         throw new BadRequestException('Message is older than 15 minutes');
       }
 
-      const response = await this.client.sendMessage(jid, {
+      const messageSent = await this.client.sendMessage(jid, {
         ...(options as any),
         edit: data.key,
       });
-      if (response) {
-        const messageId = response.message?.protocolMessage?.key?.id;
-        if (messageId) {
-          let message = await this.prismaRepository.message.findFirst({
-            where: {
-              key: {
-                path: ['id'],
-                equals: messageId,
+      if (messageSent) {
+        const editedMessage =
+          messageSent?.message?.protocolMessage || messageSent?.message?.editedMessage?.message?.protocolMessage;
+
+        if (editedMessage) {
+          this.sendDataWebhook(Events.SEND_MESSAGE_UPDATE, editedMessage);
+          if (this.configService.get<Chatwoot>('CHATWOOT').ENABLED && this.localChatwoot?.enabled)
+            this.chatwootService.eventWhatsapp(
+              'send.message.update',
+              { instanceName: this.instance.name, instanceId: this.instance.id },
+              editedMessage,
+            );
+
+          const messageId = messageSent.message?.protocolMessage?.key?.id;
+          if (messageId) {
+            let message = await this.prismaRepository.message.findFirst({
+              where: {
+                key: {
+                  path: ['id'],
+                  equals: messageId,
+                },
               },
-            },
-          });
-          if (!message) throw new NotFoundException('Message not found');
+            });
+            if (!message) throw new NotFoundException('Message not found');
 
-          if (!(message.key.valueOf() as any).fromMe) {
-            new BadRequestException('You cannot edit others messages');
-          }
-          if ((message.key.valueOf() as any)?.deleted) {
-            new BadRequestException('You cannot edit deleted messages');
-          }
-          if (oldMessage.messageType === 'conversation' || oldMessage.messageType === 'extendedTextMessage') {
-            oldMessage.message.conversation = data.text;
-          } else {
-            oldMessage.message[oldMessage.messageType].caption = data.text;
-          }
-          message = await this.prismaRepository.message.update({
-            where: { id: message.id },
-            data: {
-              message: oldMessage.message,
+            if (!(message.key.valueOf() as any).fromMe) {
+              new BadRequestException('You cannot edit others messages');
+            }
+            if ((message.key.valueOf() as any)?.deleted) {
+              new BadRequestException('You cannot edit deleted messages');
+            }
+            if (oldMessage.messageType === 'conversation' || oldMessage.messageType === 'extendedTextMessage') {
+              oldMessage.message.conversation = data.text;
+            } else {
+              oldMessage.message[oldMessage.messageType].caption = data.text;
+            }
+            message = await this.prismaRepository.message.update({
+              where: { id: message.id },
+              data: {
+                message: oldMessage.message,
+                status: 'EDITED',
+                messageTimestamp: Math.floor(Date.now() / 1000), // Convert to int32 by dividing by 1000 to get seconds
+              },
+            });
+            const messageUpdate: any = {
+              messageId: message.id,
+              keyId: messageId,
+              remoteJid: messageSent.key.remoteJid,
+              fromMe: messageSent.key.fromMe,
+              participant: messageSent.key?.remoteJid,
               status: 'EDITED',
-              messageTimestamp: Math.floor(Date.now() / 1000), // Convert to int32 by dividing by 1000 to get seconds
-            },
-          });
-          const messageUpdate: any = {
-            messageId: message.id,
-            keyId: messageId,
-            remoteJid: response.key.remoteJid,
-            fromMe: response.key.fromMe,
-            participant: response.key?.remoteJid,
-            status: 'EDITED',
-            instanceId: this.instanceId,
-          };
-          await this.prismaRepository.messageUpdate.create({
-            data: messageUpdate,
-          });
-
-          this.sendDataWebhook(Events.MESSAGES_EDITED, {
-            id: message.id,
-            instanceId: message.instanceId,
-            key: message.key,
-            messageType: message.messageType,
-            status: 'EDITED',
-            source: message.source,
-            messageTimestamp: message.messageTimestamp,
-            pushName: message.pushName,
-            participant: message.participant,
-            message: message.message,
-          });
+              instanceId: this.instanceId,
+            };
+            await this.prismaRepository.messageUpdate.create({
+              data: messageUpdate,
+            });
+          }
         }
       }
 
-      return response;
+      return messageSent;
     } catch (error) {
       this.logger.error(error);
       throw error;

src/api/integrations/chatbot/chatwoot/services/chatwoot.service.ts

@@ -2218,7 +2218,7 @@ export class ChatwootService {
         }
       }
 
-      if (event === 'messages.edit') {
+      if (event === 'messages.edit' || event === 'send.message.update') {
         const editedText = `${
           body?.editedMessage?.conversation || body?.editedMessage?.extendedTextMessage?.text
         }\n\n_\`${i18next.t('cw.message.edited')}.\`_`;

src/api/integrations/event/event.controller.ts

@@ -132,6 +132,7 @@ export class EventController {
     'MESSAGES_UPDATE',
     'MESSAGES_DELETE',
     'SEND_MESSAGE',
+    'SEND_MESSAGE_UPDATE',
     'CONTACTS_SET',
     'CONTACTS_UPSERT',
     'CONTACTS_UPDATE',

src/api/integrations/storage/s3/libs/minio.server.ts

@@ -63,9 +63,9 @@ const createBucket = async () => {
       if (!exists) {
         await minioClient.makeBucket(bucketName);
       }
-
-      await setBucketPolicy();
-
+      if (!BUCKET.SKIP_POLICY) {
+        await setBucketPolicy();
+      }
       logger.info(`S3 Bucket ${bucketName} - ON`);
       return true;
     } catch (error) {

src/api/provider/sessions.ts

@@ -1,7 +1,7 @@
 import { Auth, ConfigService, ProviderSession } from '@config/env.config';
 import { Logger } from '@config/logger.config';
 import axios from 'axios';
-import { execSync } from 'child_process';
+import { execFileSync } from 'child_process';
 
 type ResponseSuccess = { status: number; data?: any };
 type ResponseProvider = Promise<[ResponseSuccess?, Error?]>;
@@ -36,7 +36,7 @@ export class ProviderFiles {
       } catch (error) {
         this.logger.error(['Failed to connect to the file server', error?.message, error?.stack]);
         const pid = process.pid;
-        execSync(`kill -9 ${pid}`);
+        execFileSync('kill', ['-9', `${pid}`]);
       }
     }
   }