From c0c52b5052c13813572a9169a014353243275849 Mon Sep 17 00:00:00 2001
From: Caleb Roseland
Date: Wed, 4 Oct 2023 15:02:36 -0500
Subject: [PATCH] MM-54364: Prevent garbage telemetry for invalid run ids (#1873)
* path
* test: bad runId
---
 .../cypress/integration/channels/rhs_spec.js | 27 +++++++++++++++++++
 webapp/src/rhs_opener.ts | 6 +++--
 2 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/tests-e2e/cypress/integration/channels/rhs_spec.js b/tests-e2e/cypress/integration/channels/rhs_spec.js
index 1aa0d6cf74..b5a3984a7b 100644
--- a/tests-e2e/cypress/integration/channels/rhs_spec.js
+++ b/tests-e2e/cypress/integration/channels/rhs_spec.js
@@ -411,4 +411,31 @@ describe('channels > rhs', () => {
 cy.get('#rhsContainer').should('not.exist');
 });
 });
+
+ describe('telemetry', () => {
+ it('does not run with bad run id', () => {
+ // # Watch for bad request
+ cy.intercept('**/d0nt').as('telemetryRequest');
+
+ // # Run the playbook before loading the application
+ const now = Date.now();
+ const playbookRunName = 'Playbook Run (' + now + ')';
+ const playbookRunChannelName = 'playbook-run-' + now;
+ cy.apiRunPlaybook({
+ teamId: testTeam.id,
+ playbookId: testPlaybook.id,
+ playbookRunName,
+ ownerUserId: testUser.id,
+ });
+
+ // # Navigate to the application and a channel with a playbook run
+ cy.visit(`/${testTeam.name}/channels/${playbookRunChannelName}?telem_action=mock_action_name&telem_run_id=../../d0nt&forceRHSOpen`);
+
+ // * Ensure telemetry doesn't run
+ cy.wait(3000);
+ cy.get('@telemetryRequest.all').then((interceptions) => {
+ expect(interceptions).to.have.length(0);
+ });
+ });
+ });
 });
diff --git a/webapp/src/rhs_opener.ts b/webapp/src/rhs_opener.ts
index 954fe02a16..3f8581255c 100644
--- a/webapp/src/rhs_opener.ts
+++ b/webapp/src/rhs_opener.ts
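Review bot: The new `does not run with bad run id` test in rhs_spec.js has no positive control: it asserts only that no request matching `**/d0nt` was seen after a fixed `cy.wait(3000)`, so it also passes if the RHS opener never ran or telemetry is not sent at all in the test environment. A second case that visits with a well-formed `telem_run_id`, intercepts the telemetry call and waits on that alias would make the negative result meaningful. The intercept pattern is also tied to this one payload, so an alias on the telemetry endpoint itself would cover other malformed ids such as ones containing `/` or `%2F` without the `d0nt` suffix.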
@@ -56,8 +56,10 @@ export function makeRHSOpener(store: Store): () => Promise {
 if (searchParams.has('telem_action') && searchParams.has('telem_run_id')) {
 // Record and remove telemetry
 const action = searchParams.get('telem_action') || '';
- const runId = searchParams.get('telem_run_id') || '';
- telemetryEventForPlaybookRun(runId, action);
+ const runId = searchParams.get('telem_run_id')?.match(/^\w+$/)?.[0] || '';
+ if (action && runId) {
+ telemetryEventForPlaybookRun(runId, action);
+ }
 searchParams.delete('telem_action');
 searchParams.delete('telem_run_id');
 browserHistory.replace({pathname: url.pathname, search: searchParams.toString()});
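Review bot: `action` is still taken from the query string with only a non-empty check, while `runId` now has to match `/^\w+$/`, so anyone who can get a user to open a crafted link still chooses the action string recorded under that user's session. If `telemetryEventForPlaybookRun` (not visible in this hunk) forwards it unchanged, apply the same filter or an allow-list of known action names, e.g. `const action = searchParams.get('telem_action')?.match(/^\w+$/)?.[0] || '';`. `\w+` also accepts any length and underscores, so if run ids have a fixed shape a tighter pattern would reject more garbage. A short comment above the `runId` line would help the next reader, such as `// Word characters only: telem_run_id comes from the URL and must not carry path separators`. The body of `makeRHSOpener` starts and ends outside the hunk.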