RocketChat · ggazzo · Jun 21, 2024 · May 6, 2024 · May 27, 2024 · May 27, 2024
diff --git a/.changeset/happy-windows-drum.md b/.changeset/happy-windows-drum.md
@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Fixed an issue that allowed saveSettings method to save NaN values on numeric settings.
diff --git a/apps/meteor/app/lib/server/methods/saveSettings.ts b/apps/meteor/app/lib/server/methods/saveSettings.ts
@@ -85,6 +85,12 @@ Meteor.methods<ServerMethods>({
 						case 'timespan':
 						case 'int':
 							check(value, Number);
+							if (!Number.isInteger(value)) {
+								throw new Meteor.Error(`Invalid setting value ${value}`, 'Invalid setting value', {
+									method: 'saveSettings',
+								});
+							}
+
 							break;
 						case 'multiSelect':
 							check(value, Array);

@@ -28,6 +28,10 @@ export class Admin {
 		return this.page.locator('button >> text="Save"');
 	}
 
+	get btnSaveSettings(): Locator {
+		return this.page.getByRole('button', { name: 'Save changes' });
+	}
+
 	get btnEdit(): Locator {
 		return this.page.locator('button >> text="Edit"');
 	}

@@ -0,0 +1,25 @@
+import { Users } from './fixtures/userStates';
+import { Admin } from './page-objects';
+import { test, expect } from './utils/test';
+
+test.use({ storageState: Users.admin.state });
+
+test.describe.serial('settings-int', () => {
+	let poAdmin: Admin;
+
+	test.beforeEach(async ({ page }) => {
+		poAdmin = new Admin(page);
+		await page.goto('/admin/settings/Message');
+
+		await expect(page.locator('[data-qa-type="PageHeader-title"]')).toHaveText('Message');
+	});
+
+	test('expect not being able to set int value as empty string', async ({ page }) => {
+		await page.locator('#Message_AllowEditing_BlockEditInMinutes').fill('');
+		await page.locator('#Message_AllowEditing_BlockEditInMinutes').blur();
+
+		await poAdmin.btnSaveSettings.click();
+
+		await expect(page.locator('.rcx-toastbar.rcx-toastbar--error')).toBeVisible();
+	});
+});
@@ -3108,4 +3108,69 @@ describe('Meteor.methods', function () {
 			});
 		});
 	});
+
+	describe('[@saveSettings]', () => {
+		it('should return an error when trying to save a "NaN" value', () => {
+			request
+				.post(api('method.call/saveSettings'))
+				.set(credentials)
+				.send({
+					message: JSON.stringify({
+						msg: 'method',
+						id: '13',
+						method: 'saveSettings',
+						params: [[{ _id: 'Message_AllowEditing_BlockEditInMinutes', value: { $InfNaN: 0 } }]],
+					}),
+				})
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					const parsedBody = JSON.parse(res.body.message);
+					expect(parsedBody).to.have.property('error');
+					expect(parsedBody.error).to.have.property('error', 'Invalid setting value NaN');
+				});
+		});
+
+		it('should return an error when trying to save a "Infinity" value', () => {
+			request
+				.post(api('method.call/saveSettings'))
+				.set(credentials)
+				.send({
+					message: JSON.stringify({
+						msg: 'method',
+						id: '13',
+						method: 'saveSettings',
+						params: [[{ _id: 'Message_AllowEditing_BlockEditInMinutes', value: { $InfNaN: 1 } }]],
+					}),
+				})
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					const parsedBody = JSON.parse(res.body.message);
+					expect(parsedBody).to.have.property('error');
+					expect(parsedBody.error).to.have.property('error', 'Invalid setting value Infinity');
+				});
+		});
+
+		it('should return an error when trying to save a "-Infinity" value', () => {
+			request
+				.post(api('method.call/saveSettings'))
+				.set(credentials)
+				.send({
+					message: JSON.stringify({
+						msg: 'method',
+						id: '13',
+						method: 'saveSettings',
+						params: [[{ _id: 'Message_AllowEditing_BlockEditInMinutes', value: { $InfNaN: -1 } }]],
+					}),
+				})
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					const parsedBody = JSON.parse(res.body.message);
+					expect(parsedBody).to.have.property('error');
+					expect(parsedBody.error).to.have.property('error', 'Invalid setting value -Infinity');
+				});
+		});
+	});
 });