refactor: remove unnecessary ReactElement type annotations in functional components#40819
Merged
Merged
Conversation
|
Contributor
WalkthroughTypeScript React typings were simplified across room, root, webdav, video, and teams UI components. Many components dropped explicit ChangesReact typing cleanup
Sequence Diagram(s)Not applicable. Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
Suggested labels
Suggested reviewers
|
Contributor
|
Looks like this PR is ready to merge! 🎉 |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## develop #40819 +/- ##
===========================================
- Coverage 70.15% 70.14% -0.02%
===========================================
Files 3342 3342
Lines 123735 123668 -67
Branches 22099 22061 -38
===========================================
- Hits 86812 86744 -68
+ Misses 33577 33569 -8
- Partials 3346 3355 +9
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
tassoevan
force-pushed
the
refactor/prepare-types-for-react-19-17
branch
from
a921668 to
ee7cd95
Compare
…nal components - Removed ReactElement type annotations from various functional components across the application for cleaner code. - Updated components such as ReactionListModal, ReactionUserTag, Reactions, ReadReceiptRow, ReadReceiptsModal, ReportMessageModal, ChatProvider, RoomProvider, and others to improve consistency and readability.
tassoevan
force-pushed
the
refactor/prepare-types-for-react-19-17
branch
from
ee7cd95 to
1331170
Compare
tassoevan
added
the
stat: QA assured
dionisio-bot
Bot
added
the
stat: ready to merge
ggazzo
approved these changes
Jun 9, 2026
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
No issues found across 150 files
Note: This PR contains a large number of files. cubic only reviews up to 100 files per PR, so some files may not have been reviewed. cubic prioritizes the most important files to review.
On a pro plan you can use ultrareview for larger PRs.
Re-trigger cubic
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
apps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamModal/LeaveTeamModal.tsx (1)
29-36:⚠️ Potential issue | 🟠 Major | ⚡ Quick winAvoid mutating previous state in
setSelectedRoomsupdater.
delete selectedRooms[room._id]mutates the previous state object before returning a copy. Build the next state immutably from the previous state to avoid subtle state bugs.Proposed fix
const onChangeRoomSelection = useCallback((room: Serialized<IRoom>) => { setSelectedRooms((selectedRooms) => { if (selectedRooms[room._id]) { - delete selectedRooms[room._id]; - return { ...selectedRooms }; + const { [room._id]: _removed, ...rest } = selectedRooms; + return rest; } return { ...selectedRooms, [room._id]: room }; }); }, []);🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@apps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamModal/LeaveTeamModal.tsx` around lines 29 - 36, The updater in onChangeRoomSelection mutates the previous state by calling delete on selectedRooms[room._id]; change it to build the next state immutably: inside the setSelectedRooms callback, create a new object (e.g., const next = { ...selectedRooms }) and either delete next[room._id] on that copy before returning it, or use object destructuring to omit the key (const { [room._id]: _, ...next } = selectedRooms; return next), ensuring you reference onChangeRoomSelection, setSelectedRooms, selectedRooms and room._id when applying the change.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@apps/meteor/client/views/teams/ChannelDesertionTable/ChannelDesertionTable.tsx`:
- Line 42: The current implementation mutates the incoming rooms array and uses
an asymmetric comparator causing unstable order; fix by sorting a shallow copy
(e.g., [...rooms]) instead of rooms in-place and replace the comparator logic in
the sort call so it handles missing values symmetrically: first check presence
of a[sortBy] vs b[sortBy] and return +direction / -direction to consistently
place missing values, otherwise call localeCompare on the two non-null strings
and multiply by direction; update the sort invocation that references rooms,
sortBy and direction in ChannelDesertionTable.tsx.
- Around line 60-68: The list rendering uses the array index as React key which
can cause state mismatches; update the ChannelDesertionTable render so
ChannelDesertionTableRow uses a stable unique key (use room._id) instead of
key={key}; locate the map over results and change key to something like
key={('_id' in room && room._id) ? room._id : `room-${indexOrFallback}`}
ensuring you reference the results variable, each room object, and
ChannelDesertionTableRow and keep the existing selectedRooms logic intact.
---
Outside diff comments:
In
`@apps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamModal/LeaveTeamModal.tsx`:
- Around line 29-36: The updater in onChangeRoomSelection mutates the previous
state by calling delete on selectedRooms[room._id]; change it to build the next
state immutably: inside the setSelectedRooms callback, create a new object
(e.g., const next = { ...selectedRooms }) and either delete next[room._id] on
that copy before returning it, or use object destructuring to omit the key
(const { [room._id]: _, ...next } = selectedRooms; return next), ensuring you
reference onChangeRoomSelection, setSelectedRooms, selectedRooms and room._id
when applying the change.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 06965fac-ac2e-482c-b0db-0685236b4923
📒 Files selected for processing (150)
apps/meteor/client/views/room/E2EESetup/RoomE2EENotAllowed.tsxapps/meteor/client/views/room/Header/FederatedRoomOriginServer.tsxapps/meteor/client/views/room/Header/Header.tsxapps/meteor/client/views/room/Header/HeaderIconWithRoom.tsxapps/meteor/client/views/room/Header/Omnichannel/BackButton.tsxapps/meteor/client/views/room/Header/Omnichannel/QuickActions/hooks/useDropdownVisibility.tsapps/meteor/client/views/room/MessageList/MessageListErrorBoundary.tsxapps/meteor/client/views/room/MessageList/providers/MessageHighlightProvider.tsxapps/meteor/client/views/room/NotSubscribedRoom.tsxapps/meteor/client/views/room/Room.tsxapps/meteor/client/views/room/RoomNotFound.tsxapps/meteor/client/views/room/RoomOpener.tsxapps/meteor/client/views/room/RoomOpenerEmbedded.tsxapps/meteor/client/views/room/RoomSkeleton.tsxapps/meteor/client/views/room/ShareLocation/ShareLocationModal.tsxapps/meteor/client/views/room/UserCard/UserCardWithData.tsxapps/meteor/client/views/room/body/DropTargetOverlay.tsxapps/meteor/client/views/room/body/JumpToRecentMessageButton.tsxapps/meteor/client/views/room/body/LoadingMessagesIndicator.tsxapps/meteor/client/views/room/body/RetentionPolicyWarning.tsxapps/meteor/client/views/room/body/RoomBody.tsxapps/meteor/client/views/room/body/RoomForeword/RoomForeword.tsxapps/meteor/client/views/room/body/UnreadMessagesIndicator.tsxapps/meteor/client/views/room/body/UploadProgress/UploadProgressIndicator.tsxapps/meteor/client/views/room/composer/ComposerAirGappedRestricted.tsxapps/meteor/client/views/room/composer/ComposerAnonymous.tsxapps/meteor/client/views/room/composer/ComposerArchived.tsxapps/meteor/client/views/room/composer/ComposerBlocked.tsxapps/meteor/client/views/room/composer/ComposerBoxPopup.tsxapps/meteor/client/views/room/composer/ComposerContainer.tsxapps/meteor/client/views/room/composer/ComposerFederation/ComposerFederation.tsxapps/meteor/client/views/room/composer/ComposerFederation/ComposerFederationDisabled.tsxapps/meteor/client/views/room/composer/ComposerFederation/ComposerFederationInvalidVersion.tsxapps/meteor/client/views/room/composer/ComposerFederation/ComposerFederationJoinRoomDisabled.tsxapps/meteor/client/views/room/composer/ComposerJoinWithPassword.tsxapps/meteor/client/views/room/composer/ComposerMessage.tsxapps/meteor/client/views/room/composer/ComposerOmnichannel/ComposerOmnichannelInquiry.tsxapps/meteor/client/views/room/composer/ComposerOmnichannel/ComposerOmnichannelJoin.tsxapps/meteor/client/views/room/composer/ComposerOmnichannel/ComposerOmnichannelOnHold.tsxapps/meteor/client/views/room/composer/ComposerReadOnly.tsxapps/meteor/client/views/room/composer/ComposerSelectMessages.tsxapps/meteor/client/views/room/composer/ComposerUserActionIndicator/ComposerUserActionIndicator.tsxapps/meteor/client/views/room/composer/hooks/useComposerBoxPopup.tsapps/meteor/client/views/room/composer/messageBox/MessageBox.tsxapps/meteor/client/views/room/composer/messageBox/MessageBoxHint.tsxapps/meteor/client/views/room/composer/messageBox/MessageBoxReplies.tsxapps/meteor/client/views/room/composer/messageBox/MessageBoxReply.tsxapps/meteor/client/views/room/composer/messageBox/hooks/useMessageBoxAutoFocus.tsapps/meteor/client/views/room/contexts/ComposerPopupContext.tsapps/meteor/client/views/room/contextualBar/AutoTranslate/AutoTranslate.tsxapps/meteor/client/views/room/contextualBar/AutoTranslate/AutoTranslateWithData.tsxapps/meteor/client/views/room/contextualBar/BannedUsers/BannedUsers.tsxapps/meteor/client/views/room/contextualBar/BannedUsers/BannedUsersItem.tsxapps/meteor/client/views/room/contextualBar/Discussions/components/DiscussionsListItem.tsxapps/meteor/client/views/room/contextualBar/MentionsTab.tsxapps/meteor/client/views/room/contextualBar/MessageListTab.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/NotificationPreferences.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/NotificationPreferencesWithData.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/components/NotificationByDevice.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/components/NotificationPreference.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/components/NotificationToggle.tsxapps/meteor/client/views/room/contextualBar/PinnedMessagesTab.tsxapps/meteor/client/views/room/contextualBar/PruneMessages/PruneMessages.tsxapps/meteor/client/views/room/contextualBar/PruneMessages/PruneMessagesDateTimeRow.tsxapps/meteor/client/views/room/contextualBar/PruneMessages/PruneMessagesWithData.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/AddUsers/AddMatrixUsers/AddMatrixUsersModal.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/AddUsers/AddUsers.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/AddUsers/BannedUsersUnbanModal.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/EditInviteLink.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteLink.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsers.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersEdit.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersError.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersLoading.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersWithData.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersWrapper.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembers.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersActions.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersItem.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersRow.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersWithData.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadListItem.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadListMessage.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadListMetrics.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadMessageList.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadSkeleton.tsxapps/meteor/client/views/room/contextualBar/Threads/hooks/useThreadMainMessageQuery.tsapps/meteor/client/views/room/contextualBar/UserInfo/UserInfoActions.tsxapps/meteor/client/views/room/contextualBar/UserInfo/UserInfoWithData.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfBlockModal.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfConfigModal.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfList/VideoConfList.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfList/VideoConfListItem.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/IncomingPopup.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/OutgoingPopup.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/StartCallPopup.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/TimedVideoConfPopup.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/VideoConfPopupRoomInfo.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopups.tsxapps/meteor/client/views/room/contextualBar/uikit/UiKitContextualBar.tsxapps/meteor/client/views/room/hooks/useUserInfoActions/actions/useChangeModeratorAction.tsxapps/meteor/client/views/room/hooks/useUserInfoActions/actions/useChangeOwnerAction.tsxapps/meteor/client/views/room/layout/RoomLayout.tsxapps/meteor/client/views/room/modals/E2EEModals/BaseDisableE2EEModal.tsxapps/meteor/client/views/room/modals/E2EEModals/DisableE2EEModal.tsxapps/meteor/client/views/room/modals/E2EEModals/EnableE2EEModal.tsxapps/meteor/client/views/room/modals/E2EEModals/ResetKeysE2EEModal.tsxapps/meteor/client/views/room/modals/FileUploadModal/FilePreview.tsxapps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsxapps/meteor/client/views/room/modals/FileUploadModal/GenericPreview.tsxapps/meteor/client/views/room/modals/FileUploadModal/ImagePreview.tsxapps/meteor/client/views/room/modals/FileUploadModal/MediaPreview.tsxapps/meteor/client/views/room/modals/FileUploadModal/PreviewSkeleton.tsxapps/meteor/client/views/room/modals/ForwardMessageModal/ForwardMessageModal.tsxapps/meteor/client/views/room/modals/PinMessageModal/PinMessageModal.tsxapps/meteor/client/views/room/modals/ReactionListModal/ReactionListModal.tsxapps/meteor/client/views/room/modals/ReactionListModal/ReactionUserTag.tsxapps/meteor/client/views/room/modals/ReactionListModal/Reactions.tsxapps/meteor/client/views/room/modals/ReadReceiptsModal/ReadReceiptRow.tsxapps/meteor/client/views/room/modals/ReadReceiptsModal/ReadReceiptsModal.tsxapps/meteor/client/views/room/modals/ReportMessageModal/ReportMessageModal.tsxapps/meteor/client/views/room/providers/ChatProvider.tsxapps/meteor/client/views/room/providers/RoomProvider.tsxapps/meteor/client/views/room/providers/hooks/useInstance.tsapps/meteor/client/views/room/webdav/AddWebdavAccountModal.tsxapps/meteor/client/views/room/webdav/SaveToWebdavModal.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/FilePickerBreadcrumbs.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/WebdavFilePickerGrid/WebdavFilePickerGrid.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/WebdavFilePickerGrid/WebdavFilePickerGridItem.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/WebdavFilePickerModal.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/WebdavFilePickerTable.tsxapps/meteor/client/views/root/AppErrorPage.tsxapps/meteor/client/views/root/AppRoot.tsxapps/meteor/client/views/root/MainLayout/AuthenticationCheck.tsxapps/meteor/client/views/root/MainLayout/EmbeddedPreload.tsxapps/meteor/client/views/root/MainLayout/LayoutWithSidebar.tsxapps/meteor/client/views/root/MainLayout/LoginPage.tsxapps/meteor/client/views/root/MainLayout/MainLayout.tsxapps/meteor/client/views/root/MainLayout/PasswordChangeCheck.tsxapps/meteor/client/views/root/MainLayout/Preload.tsxapps/meteor/client/views/root/MainLayout/TwoFactorAuthSetupCheck.tsxapps/meteor/client/views/root/MainLayout/UsernameCheck.tsxapps/meteor/client/views/teams/ChannelDesertionTable/ChannelDesertionTable.tsxapps/meteor/client/views/teams/ChannelDesertionTable/ChannelDesertionTableRow.tsxapps/meteor/client/views/teams/contextualBar/info/DeleteTeam/DeleteTeamModalWithRooms.tsxapps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamModal/LeaveTeamModal.tsxapps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamModal/LeaveTeamModalChannels.tsxapps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamModal/LeaveTeamModalConfirmation.tsxapps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamWithData.tsxapps/meteor/client/views/teams/contextualBar/info/TeamsInfo.tsx
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
- GitHub Check: 🔎 Code Check / TypeScript
- GitHub Check: 🔎 Code Check / Code Lint
- GitHub Check: 🔨 Test Storybook / Test Storybook
- GitHub Check: 🔨 Test Unit / Unit Tests
- GitHub Check: 📦 Meteor Build (coverage)
- GitHub Check: cubic · AI code reviewer
- GitHub Check: Hacktron Security Check
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}
📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)
**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation
Files:
apps/meteor/client/views/room/contextualBar/Threads/components/ThreadSkeleton.tsxapps/meteor/client/views/room/composer/ComposerFederation/ComposerFederationInvalidVersion.tsxapps/meteor/client/views/room/RoomSkeleton.tsxapps/meteor/client/views/room/modals/ReactionListModal/ReactionUserTag.tsxapps/meteor/client/views/room/contextualBar/uikit/UiKitContextualBar.tsxapps/meteor/client/views/room/body/LoadingMessagesIndicator.tsxapps/meteor/client/views/room/composer/ComposerBlocked.tsxapps/meteor/client/views/room/Header/Omnichannel/QuickActions/hooks/useDropdownVisibility.tsapps/meteor/client/views/room/modals/E2EEModals/EnableE2EEModal.tsxapps/meteor/client/views/room/providers/hooks/useInstance.tsapps/meteor/client/views/room/webdav/WebdavFilePickerModal/WebdavFilePickerGrid/WebdavFilePickerGridItem.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/WebdavFilePickerGrid/WebdavFilePickerGrid.tsxapps/meteor/client/views/room/Header/Omnichannel/BackButton.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/components/NotificationByDevice.tsxapps/meteor/client/views/room/modals/FileUploadModal/PreviewSkeleton.tsxapps/meteor/client/views/room/modals/ReadReceiptsModal/ReadReceiptRow.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteLink.tsxapps/meteor/client/views/root/MainLayout/MainLayout.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersRow.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/components/NotificationToggle.tsxapps/meteor/client/views/room/Header/FederatedRoomOriginServer.tsxapps/meteor/client/views/root/MainLayout/AuthenticationCheck.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersItem.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/components/NotificationPreference.tsxapps/meteor/client/views/room/body/RetentionPolicyWarning.tsxapps/meteor/client/views/root/MainLayout/TwoFactorAuthSetupCheck.tsxapps/meteor/client/views/room/composer/ComposerFederation/ComposerFederationJoinRoomDisabled.tsxapps/meteor/client/views/root/AppErrorPage.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/WebdavFilePickerTable.tsxapps/meteor/client/views/room/body/DropTargetOverlay.tsxapps/meteor/client/views/room/contextualBar/PruneMessages/PruneMessagesDateTimeRow.tsxapps/meteor/client/views/room/MessageList/providers/MessageHighlightProvider.tsxapps/meteor/client/views/room/modals/ReactionListModal/ReactionListModal.tsxapps/meteor/client/views/room/modals/FileUploadModal/MediaPreview.tsxapps/meteor/client/views/root/MainLayout/UsernameCheck.tsxapps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsxapps/meteor/client/views/room/composer/messageBox/hooks/useMessageBoxAutoFocus.tsapps/meteor/client/views/room/contextualBar/Threads/hooks/useThreadMainMessageQuery.tsapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfBlockModal.tsxapps/meteor/client/views/room/contexts/ComposerPopupContext.tsapps/meteor/client/views/room/modals/FileUploadModal/ImagePreview.tsxapps/meteor/client/views/root/MainLayout/PasswordChangeCheck.tsxapps/meteor/client/views/room/modals/FileUploadModal/FilePreview.tsxapps/meteor/client/views/room/MessageList/MessageListErrorBoundary.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembers.tsxapps/meteor/client/views/room/modals/FileUploadModal/GenericPreview.tsxapps/meteor/client/views/room/RoomOpener.tsxapps/meteor/client/views/room/contextualBar/MessageListTab.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersWrapper.tsxapps/meteor/client/views/room/contextualBar/AutoTranslate/AutoTranslateWithData.tsxapps/meteor/client/views/room/contextualBar/UserInfo/UserInfoActions.tsxapps/meteor/client/views/root/MainLayout/LoginPage.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfList/VideoConfListItem.tsxapps/meteor/client/views/room/Room.tsxapps/meteor/client/views/teams/contextualBar/info/TeamsInfo.tsxapps/meteor/client/views/room/composer/messageBox/MessageBoxReplies.tsxapps/meteor/client/views/room/composer/ComposerFederation/ComposerFederation.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsers.tsxapps/meteor/client/views/room/composer/ComposerFederation/ComposerFederationDisabled.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersError.tsxapps/meteor/client/views/room/body/JumpToRecentMessageButton.tsxapps/meteor/client/views/room/modals/ReactionListModal/Reactions.tsxapps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamModal/LeaveTeamModalConfirmation.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/WebdavFilePickerModal.tsxapps/meteor/client/views/room/composer/ComposerAnonymous.tsxapps/meteor/client/views/room/composer/ComposerContainer.tsxapps/meteor/client/views/root/MainLayout/EmbeddedPreload.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadListItem.tsxapps/meteor/client/views/room/composer/messageBox/MessageBox.tsxapps/meteor/client/views/room/composer/ComposerOmnichannel/ComposerOmnichannelJoin.tsxapps/meteor/client/views/root/MainLayout/LayoutWithSidebar.tsxapps/meteor/client/views/room/composer/ComposerArchived.tsxapps/meteor/client/views/room/contextualBar/MentionsTab.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/AddUsers/AddMatrixUsers/AddMatrixUsersModal.tsxapps/meteor/client/views/room/contextualBar/AutoTranslate/AutoTranslate.tsxapps/meteor/client/views/room/RoomNotFound.tsxapps/meteor/client/views/room/composer/hooks/useComposerBoxPopup.tsapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfConfigModal.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersActions.tsxapps/meteor/client/views/room/body/RoomForeword/RoomForeword.tsxapps/meteor/client/views/room/layout/RoomLayout.tsxapps/meteor/client/views/room/composer/ComposerMessage.tsxapps/meteor/client/views/room/composer/messageBox/MessageBoxReply.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/NotificationPreferences.tsxapps/meteor/client/views/room/body/RoomBody.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersEdit.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/VideoConfPopupRoomInfo.tsxapps/meteor/client/views/room/modals/E2EEModals/ResetKeysE2EEModal.tsxapps/meteor/client/views/room/composer/ComposerUserActionIndicator/ComposerUserActionIndicator.tsxapps/meteor/client/views/room/body/UnreadMessagesIndicator.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadListMessage.tsxapps/meteor/client/views/room/contextualBar/Discussions/components/DiscussionsListItem.tsxapps/meteor/client/views/room/composer/ComposerOmnichannel/ComposerOmnichannelInquiry.tsxapps/meteor/client/views/room/providers/RoomProvider.tsxapps/meteor/client/views/room/NotSubscribedRoom.tsxapps/meteor/client/views/teams/ChannelDesertionTable/ChannelDesertionTableRow.tsxapps/meteor/client/views/room/providers/ChatProvider.tsxapps/meteor/client/views/root/MainLayout/Preload.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/FilePickerBreadcrumbs.tsxapps/meteor/client/views/room/modals/ReadReceiptsModal/ReadReceiptsModal.tsxapps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamModal/LeaveTeamModalChannels.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopups.tsxapps/meteor/client/views/room/contextualBar/BannedUsers/BannedUsersItem.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/AddUsers/AddUsers.tsxapps/meteor/client/views/room/composer/ComposerJoinWithPassword.tsxapps/meteor/client/views/root/AppRoot.tsxapps/meteor/client/views/room/Header/HeaderIconWithRoom.tsxapps/meteor/client/views/room/webdav/SaveToWebdavModal.tsxapps/meteor/client/views/room/ShareLocation/ShareLocationModal.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersWithData.tsxapps/meteor/client/views/room/modals/E2EEModals/DisableE2EEModal.tsxapps/meteor/client/views/room/modals/PinMessageModal/PinMessageModal.tsxapps/meteor/client/views/room/contextualBar/PruneMessages/PruneMessages.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadMessageList.tsxapps/meteor/client/views/room/hooks/useUserInfoActions/actions/useChangeOwnerAction.tsxapps/meteor/client/views/room/contextualBar/PinnedMessagesTab.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadListMetrics.tsxapps/meteor/client/views/room/E2EESetup/RoomE2EENotAllowed.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfList/VideoConfList.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersWithData.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/IncomingPopup.tsxapps/meteor/client/views/room/composer/ComposerReadOnly.tsxapps/meteor/client/views/room/Header/Header.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/AddUsers/BannedUsersUnbanModal.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersLoading.tsxapps/meteor/client/views/room/composer/ComposerBoxPopup.tsxapps/meteor/client/views/room/composer/ComposerOmnichannel/ComposerOmnichannelOnHold.tsxapps/meteor/client/views/room/RoomOpenerEmbedded.tsxapps/meteor/client/views/room/composer/ComposerSelectMessages.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/NotificationPreferencesWithData.tsxapps/meteor/client/views/room/contextualBar/PruneMessages/PruneMessagesWithData.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/StartCallPopup.tsxapps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamWithData.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/EditInviteLink.tsxapps/meteor/client/views/teams/ChannelDesertionTable/ChannelDesertionTable.tsxapps/meteor/client/views/room/hooks/useUserInfoActions/actions/useChangeModeratorAction.tsxapps/meteor/client/views/room/contextualBar/BannedUsers/BannedUsers.tsxapps/meteor/client/views/teams/contextualBar/info/DeleteTeam/DeleteTeamModalWithRooms.tsxapps/meteor/client/views/room/composer/messageBox/MessageBoxHint.tsxapps/meteor/client/views/room/modals/E2EEModals/BaseDisableE2EEModal.tsxapps/meteor/client/views/room/body/UploadProgress/UploadProgressIndicator.tsxapps/meteor/client/views/room/webdav/AddWebdavAccountModal.tsxapps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamModal/LeaveTeamModal.tsxapps/meteor/client/views/room/contextualBar/UserInfo/UserInfoWithData.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/TimedVideoConfPopup.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/OutgoingPopup.tsxapps/meteor/client/views/room/modals/ForwardMessageModal/ForwardMessageModal.tsxapps/meteor/client/views/room/UserCard/UserCardWithData.tsxapps/meteor/client/views/room/modals/ReportMessageModal/ReportMessageModal.tsxapps/meteor/client/views/room/composer/ComposerAirGappedRestricted.tsx
🧠 Learnings (6)
📚 Learning: 2026-03-27T14:52:56.865Z
Learnt from: dougfabris
Repo: RocketChat/Rocket.Chat PR: 39892
File: apps/meteor/client/views/room/contextualBar/Threads/Thread.tsx:150-155
Timestamp: 2026-03-27T14:52:56.865Z
Learning: In Rocket.Chat, there are two different `ModalBackdrop` components with different prop APIs. During review, confirm the import source: (1) `rocket.chat/fuselage` `ModalBackdrop` uses `ModalBackdropProps` based on `BoxProps` (so it supports `onClick` and other Box/DOM props) and does not have an `onDismiss` prop; (2) `rocket.chat/ui-client` `ModalBackdrop` uses a narrower props interface like `{ children?: ReactNode; onDismiss?: () => void }` and handles Escape keypress and outside mouse-up, and it does not forward arbitrary DOM props such as `onClick`. Flag mismatched props (e.g., `onDismiss` passed to the fuselage component or `onClick` passed to the ui-client component) and ensure the usage matches the correct component being imported.
Applied to files:
apps/meteor/client/views/room/contextualBar/Threads/components/ThreadSkeleton.tsxapps/meteor/client/views/room/composer/ComposerFederation/ComposerFederationInvalidVersion.tsxapps/meteor/client/views/room/RoomSkeleton.tsxapps/meteor/client/views/room/modals/ReactionListModal/ReactionUserTag.tsxapps/meteor/client/views/room/contextualBar/uikit/UiKitContextualBar.tsxapps/meteor/client/views/room/body/LoadingMessagesIndicator.tsxapps/meteor/client/views/room/composer/ComposerBlocked.tsxapps/meteor/client/views/room/modals/E2EEModals/EnableE2EEModal.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/WebdavFilePickerGrid/WebdavFilePickerGridItem.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/WebdavFilePickerGrid/WebdavFilePickerGrid.tsxapps/meteor/client/views/room/Header/Omnichannel/BackButton.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/components/NotificationByDevice.tsxapps/meteor/client/views/room/modals/FileUploadModal/PreviewSkeleton.tsxapps/meteor/client/views/room/modals/ReadReceiptsModal/ReadReceiptRow.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteLink.tsxapps/meteor/client/views/root/MainLayout/MainLayout.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersRow.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/components/NotificationToggle.tsxapps/meteor/client/views/room/Header/FederatedRoomOriginServer.tsxapps/meteor/client/views/root/MainLayout/AuthenticationCheck.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersItem.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/components/NotificationPreference.tsxapps/meteor/client/views/room/body/RetentionPolicyWarning.tsxapps/meteor/client/views/root/MainLayout/TwoFactorAuthSetupCheck.tsxapps/meteor/client/views/room/composer/ComposerFederation/ComposerFederationJoinRoomDisabled.tsxapps/meteor/client/views/root/AppErrorPage.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/WebdavFilePickerTable.tsxapps/meteor/client/views/room/body/DropTargetOverlay.tsxapps/meteor/client/views/room/contextualBar/PruneMessages/PruneMessagesDateTimeRow.tsxapps/meteor/client/views/room/MessageList/providers/MessageHighlightProvider.tsxapps/meteor/client/views/room/modals/ReactionListModal/ReactionListModal.tsxapps/meteor/client/views/room/modals/FileUploadModal/MediaPreview.tsxapps/meteor/client/views/root/MainLayout/UsernameCheck.tsxapps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfBlockModal.tsxapps/meteor/client/views/room/modals/FileUploadModal/ImagePreview.tsxapps/meteor/client/views/root/MainLayout/PasswordChangeCheck.tsxapps/meteor/client/views/room/modals/FileUploadModal/FilePreview.tsxapps/meteor/client/views/room/MessageList/MessageListErrorBoundary.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembers.tsxapps/meteor/client/views/room/modals/FileUploadModal/GenericPreview.tsxapps/meteor/client/views/room/RoomOpener.tsxapps/meteor/client/views/room/contextualBar/MessageListTab.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersWrapper.tsxapps/meteor/client/views/room/contextualBar/AutoTranslate/AutoTranslateWithData.tsxapps/meteor/client/views/room/contextualBar/UserInfo/UserInfoActions.tsxapps/meteor/client/views/root/MainLayout/LoginPage.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfList/VideoConfListItem.tsxapps/meteor/client/views/room/Room.tsxapps/meteor/client/views/teams/contextualBar/info/TeamsInfo.tsxapps/meteor/client/views/room/composer/messageBox/MessageBoxReplies.tsxapps/meteor/client/views/room/composer/ComposerFederation/ComposerFederation.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsers.tsxapps/meteor/client/views/room/composer/ComposerFederation/ComposerFederationDisabled.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersError.tsxapps/meteor/client/views/room/body/JumpToRecentMessageButton.tsxapps/meteor/client/views/room/modals/ReactionListModal/Reactions.tsxapps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamModal/LeaveTeamModalConfirmation.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/WebdavFilePickerModal.tsxapps/meteor/client/views/room/composer/ComposerAnonymous.tsxapps/meteor/client/views/room/composer/ComposerContainer.tsxapps/meteor/client/views/root/MainLayout/EmbeddedPreload.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadListItem.tsxapps/meteor/client/views/room/composer/messageBox/MessageBox.tsxapps/meteor/client/views/room/composer/ComposerOmnichannel/ComposerOmnichannelJoin.tsxapps/meteor/client/views/root/MainLayout/LayoutWithSidebar.tsxapps/meteor/client/views/room/composer/ComposerArchived.tsxapps/meteor/client/views/room/contextualBar/MentionsTab.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/AddUsers/AddMatrixUsers/AddMatrixUsersModal.tsxapps/meteor/client/views/room/contextualBar/AutoTranslate/AutoTranslate.tsxapps/meteor/client/views/room/RoomNotFound.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfConfigModal.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersActions.tsxapps/meteor/client/views/room/body/RoomForeword/RoomForeword.tsxapps/meteor/client/views/room/layout/RoomLayout.tsxapps/meteor/client/views/room/composer/ComposerMessage.tsxapps/meteor/client/views/room/composer/messageBox/MessageBoxReply.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/NotificationPreferences.tsxapps/meteor/client/views/room/body/RoomBody.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersEdit.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/VideoConfPopupRoomInfo.tsxapps/meteor/client/views/room/modals/E2EEModals/ResetKeysE2EEModal.tsxapps/meteor/client/views/room/composer/ComposerUserActionIndicator/ComposerUserActionIndicator.tsxapps/meteor/client/views/room/body/UnreadMessagesIndicator.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadListMessage.tsxapps/meteor/client/views/room/contextualBar/Discussions/components/DiscussionsListItem.tsxapps/meteor/client/views/room/composer/ComposerOmnichannel/ComposerOmnichannelInquiry.tsxapps/meteor/client/views/room/providers/RoomProvider.tsxapps/meteor/client/views/room/NotSubscribedRoom.tsxapps/meteor/client/views/teams/ChannelDesertionTable/ChannelDesertionTableRow.tsxapps/meteor/client/views/room/providers/ChatProvider.tsxapps/meteor/client/views/root/MainLayout/Preload.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/FilePickerBreadcrumbs.tsxapps/meteor/client/views/room/modals/ReadReceiptsModal/ReadReceiptsModal.tsxapps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamModal/LeaveTeamModalChannels.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopups.tsxapps/meteor/client/views/room/contextualBar/BannedUsers/BannedUsersItem.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/AddUsers/AddUsers.tsxapps/meteor/client/views/room/composer/ComposerJoinWithPassword.tsxapps/meteor/client/views/root/AppRoot.tsxapps/meteor/client/views/room/Header/HeaderIconWithRoom.tsxapps/meteor/client/views/room/webdav/SaveToWebdavModal.tsxapps/meteor/client/views/room/ShareLocation/ShareLocationModal.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersWithData.tsxapps/meteor/client/views/room/modals/E2EEModals/DisableE2EEModal.tsxapps/meteor/client/views/room/modals/PinMessageModal/PinMessageModal.tsxapps/meteor/client/views/room/contextualBar/PruneMessages/PruneMessages.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadMessageList.tsxapps/meteor/client/views/room/hooks/useUserInfoActions/actions/useChangeOwnerAction.tsxapps/meteor/client/views/room/contextualBar/PinnedMessagesTab.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadListMetrics.tsxapps/meteor/client/views/room/E2EESetup/RoomE2EENotAllowed.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfList/VideoConfList.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersWithData.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/IncomingPopup.tsxapps/meteor/client/views/room/composer/ComposerReadOnly.tsxapps/meteor/client/views/room/Header/Header.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/AddUsers/BannedUsersUnbanModal.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersLoading.tsxapps/meteor/client/views/room/composer/ComposerBoxPopup.tsxapps/meteor/client/views/room/composer/ComposerOmnichannel/ComposerOmnichannelOnHold.tsxapps/meteor/client/views/room/RoomOpenerEmbedded.tsxapps/meteor/client/views/room/composer/ComposerSelectMessages.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/NotificationPreferencesWithData.tsxapps/meteor/client/views/room/contextualBar/PruneMessages/PruneMessagesWithData.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/StartCallPopup.tsxapps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamWithData.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/EditInviteLink.tsxapps/meteor/client/views/teams/ChannelDesertionTable/ChannelDesertionTable.tsxapps/meteor/client/views/room/hooks/useUserInfoActions/actions/useChangeModeratorAction.tsxapps/meteor/client/views/room/contextualBar/BannedUsers/BannedUsers.tsxapps/meteor/client/views/teams/contextualBar/info/DeleteTeam/DeleteTeamModalWithRooms.tsxapps/meteor/client/views/room/composer/messageBox/MessageBoxHint.tsxapps/meteor/client/views/room/modals/E2EEModals/BaseDisableE2EEModal.tsxapps/meteor/client/views/room/body/UploadProgress/UploadProgressIndicator.tsxapps/meteor/client/views/room/webdav/AddWebdavAccountModal.tsxapps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamModal/LeaveTeamModal.tsxapps/meteor/client/views/room/contextualBar/UserInfo/UserInfoWithData.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/TimedVideoConfPopup.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/OutgoingPopup.tsxapps/meteor/client/views/room/modals/ForwardMessageModal/ForwardMessageModal.tsxapps/meteor/client/views/room/UserCard/UserCardWithData.tsxapps/meteor/client/views/room/modals/ReportMessageModal/ReportMessageModal.tsxapps/meteor/client/views/room/composer/ComposerAirGappedRestricted.tsx
📚 Learning: 2026-05-06T12:21:44.083Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.
Applied to files:
apps/meteor/client/views/room/contextualBar/Threads/components/ThreadSkeleton.tsxapps/meteor/client/views/room/composer/ComposerFederation/ComposerFederationInvalidVersion.tsxapps/meteor/client/views/room/RoomSkeleton.tsxapps/meteor/client/views/room/modals/ReactionListModal/ReactionUserTag.tsxapps/meteor/client/views/room/contextualBar/uikit/UiKitContextualBar.tsxapps/meteor/client/views/room/body/LoadingMessagesIndicator.tsxapps/meteor/client/views/room/composer/ComposerBlocked.tsxapps/meteor/client/views/room/Header/Omnichannel/QuickActions/hooks/useDropdownVisibility.tsapps/meteor/client/views/room/modals/E2EEModals/EnableE2EEModal.tsxapps/meteor/client/views/room/providers/hooks/useInstance.tsapps/meteor/client/views/room/webdav/WebdavFilePickerModal/WebdavFilePickerGrid/WebdavFilePickerGridItem.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/WebdavFilePickerGrid/WebdavFilePickerGrid.tsxapps/meteor/client/views/room/Header/Omnichannel/BackButton.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/components/NotificationByDevice.tsxapps/meteor/client/views/room/modals/FileUploadModal/PreviewSkeleton.tsxapps/meteor/client/views/room/modals/ReadReceiptsModal/ReadReceiptRow.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteLink.tsxapps/meteor/client/views/root/MainLayout/MainLayout.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersRow.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/components/NotificationToggle.tsxapps/meteor/client/views/room/Header/FederatedRoomOriginServer.tsxapps/meteor/client/views/root/MainLayout/AuthenticationCheck.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersItem.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/components/NotificationPreference.tsxapps/meteor/client/views/room/body/RetentionPolicyWarning.tsxapps/meteor/client/views/root/MainLayout/TwoFactorAuthSetupCheck.tsxapps/meteor/client/views/room/composer/ComposerFederation/ComposerFederationJoinRoomDisabled.tsxapps/meteor/client/views/root/AppErrorPage.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/WebdavFilePickerTable.tsxapps/meteor/client/views/room/body/DropTargetOverlay.tsxapps/meteor/client/views/room/contextualBar/PruneMessages/PruneMessagesDateTimeRow.tsxapps/meteor/client/views/room/MessageList/providers/MessageHighlightProvider.tsxapps/meteor/client/views/room/modals/ReactionListModal/ReactionListModal.tsxapps/meteor/client/views/room/modals/FileUploadModal/MediaPreview.tsxapps/meteor/client/views/root/MainLayout/UsernameCheck.tsxapps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsxapps/meteor/client/views/room/composer/messageBox/hooks/useMessageBoxAutoFocus.tsapps/meteor/client/views/room/contextualBar/Threads/hooks/useThreadMainMessageQuery.tsapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfBlockModal.tsxapps/meteor/client/views/room/contexts/ComposerPopupContext.tsapps/meteor/client/views/room/modals/FileUploadModal/ImagePreview.tsxapps/meteor/client/views/root/MainLayout/PasswordChangeCheck.tsxapps/meteor/client/views/room/modals/FileUploadModal/FilePreview.tsxapps/meteor/client/views/room/MessageList/MessageListErrorBoundary.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembers.tsxapps/meteor/client/views/room/modals/FileUploadModal/GenericPreview.tsxapps/meteor/client/views/room/RoomOpener.tsxapps/meteor/client/views/room/contextualBar/MessageListTab.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersWrapper.tsxapps/meteor/client/views/room/contextualBar/AutoTranslate/AutoTranslateWithData.tsxapps/meteor/client/views/room/contextualBar/UserInfo/UserInfoActions.tsxapps/meteor/client/views/root/MainLayout/LoginPage.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfList/VideoConfListItem.tsxapps/meteor/client/views/room/Room.tsxapps/meteor/client/views/teams/contextualBar/info/TeamsInfo.tsxapps/meteor/client/views/room/composer/messageBox/MessageBoxReplies.tsxapps/meteor/client/views/room/composer/ComposerFederation/ComposerFederation.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsers.tsxapps/meteor/client/views/room/composer/ComposerFederation/ComposerFederationDisabled.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersError.tsxapps/meteor/client/views/room/body/JumpToRecentMessageButton.tsxapps/meteor/client/views/room/modals/ReactionListModal/Reactions.tsxapps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamModal/LeaveTeamModalConfirmation.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/WebdavFilePickerModal.tsxapps/meteor/client/views/room/composer/ComposerAnonymous.tsxapps/meteor/client/views/room/composer/ComposerContainer.tsxapps/meteor/client/views/root/MainLayout/EmbeddedPreload.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadListItem.tsxapps/meteor/client/views/room/composer/messageBox/MessageBox.tsxapps/meteor/client/views/room/composer/ComposerOmnichannel/ComposerOmnichannelJoin.tsxapps/meteor/client/views/root/MainLayout/LayoutWithSidebar.tsxapps/meteor/client/views/room/composer/ComposerArchived.tsxapps/meteor/client/views/room/contextualBar/MentionsTab.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/AddUsers/AddMatrixUsers/AddMatrixUsersModal.tsxapps/meteor/client/views/room/contextualBar/AutoTranslate/AutoTranslate.tsxapps/meteor/client/views/room/RoomNotFound.tsxapps/meteor/client/views/room/composer/hooks/useComposerBoxPopup.tsapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfConfigModal.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersActions.tsxapps/meteor/client/views/room/body/RoomForeword/RoomForeword.tsxapps/meteor/client/views/room/layout/RoomLayout.tsxapps/meteor/client/views/room/composer/ComposerMessage.tsxapps/meteor/client/views/room/composer/messageBox/MessageBoxReply.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/NotificationPreferences.tsxapps/meteor/client/views/room/body/RoomBody.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersEdit.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/VideoConfPopupRoomInfo.tsxapps/meteor/client/views/room/modals/E2EEModals/ResetKeysE2EEModal.tsxapps/meteor/client/views/room/composer/ComposerUserActionIndicator/ComposerUserActionIndicator.tsxapps/meteor/client/views/room/body/UnreadMessagesIndicator.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadListMessage.tsxapps/meteor/client/views/room/contextualBar/Discussions/components/DiscussionsListItem.tsxapps/meteor/client/views/room/composer/ComposerOmnichannel/ComposerOmnichannelInquiry.tsxapps/meteor/client/views/room/providers/RoomProvider.tsxapps/meteor/client/views/room/NotSubscribedRoom.tsxapps/meteor/client/views/teams/ChannelDesertionTable/ChannelDesertionTableRow.tsxapps/meteor/client/views/room/providers/ChatProvider.tsxapps/meteor/client/views/root/MainLayout/Preload.tsxapps/meteor/client/views/room/webdav/WebdavFilePickerModal/FilePickerBreadcrumbs.tsxapps/meteor/client/views/room/modals/ReadReceiptsModal/ReadReceiptsModal.tsxapps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamModal/LeaveTeamModalChannels.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopups.tsxapps/meteor/client/views/room/contextualBar/BannedUsers/BannedUsersItem.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/AddUsers/AddUsers.tsxapps/meteor/client/views/room/composer/ComposerJoinWithPassword.tsxapps/meteor/client/views/root/AppRoot.tsxapps/meteor/client/views/room/Header/HeaderIconWithRoom.tsxapps/meteor/client/views/room/webdav/SaveToWebdavModal.tsxapps/meteor/client/views/room/ShareLocation/ShareLocationModal.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersWithData.tsxapps/meteor/client/views/room/modals/E2EEModals/DisableE2EEModal.tsxapps/meteor/client/views/room/modals/PinMessageModal/PinMessageModal.tsxapps/meteor/client/views/room/contextualBar/PruneMessages/PruneMessages.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadMessageList.tsxapps/meteor/client/views/room/hooks/useUserInfoActions/actions/useChangeOwnerAction.tsxapps/meteor/client/views/room/contextualBar/PinnedMessagesTab.tsxapps/meteor/client/views/room/contextualBar/Threads/components/ThreadListMetrics.tsxapps/meteor/client/views/room/E2EESetup/RoomE2EENotAllowed.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfList/VideoConfList.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersWithData.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/IncomingPopup.tsxapps/meteor/client/views/room/composer/ComposerReadOnly.tsxapps/meteor/client/views/room/Header/Header.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/AddUsers/BannedUsersUnbanModal.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/InviteUsersLoading.tsxapps/meteor/client/views/room/composer/ComposerBoxPopup.tsxapps/meteor/client/views/room/composer/ComposerOmnichannel/ComposerOmnichannelOnHold.tsxapps/meteor/client/views/room/RoomOpenerEmbedded.tsxapps/meteor/client/views/room/composer/ComposerSelectMessages.tsxapps/meteor/client/views/room/contextualBar/NotificationPreferences/NotificationPreferencesWithData.tsxapps/meteor/client/views/room/contextualBar/PruneMessages/PruneMessagesWithData.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/StartCallPopup.tsxapps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamWithData.tsxapps/meteor/client/views/room/contextualBar/RoomMembers/InviteUsers/EditInviteLink.tsxapps/meteor/client/views/teams/ChannelDesertionTable/ChannelDesertionTable.tsxapps/meteor/client/views/room/hooks/useUserInfoActions/actions/useChangeModeratorAction.tsxapps/meteor/client/views/room/contextualBar/BannedUsers/BannedUsers.tsxapps/meteor/client/views/teams/contextualBar/info/DeleteTeam/DeleteTeamModalWithRooms.tsxapps/meteor/client/views/room/composer/messageBox/MessageBoxHint.tsxapps/meteor/client/views/room/modals/E2EEModals/BaseDisableE2EEModal.tsxapps/meteor/client/views/room/body/UploadProgress/UploadProgressIndicator.tsxapps/meteor/client/views/room/webdav/AddWebdavAccountModal.tsxapps/meteor/client/views/teams/contextualBar/info/LeaveTeam/LeaveTeamModal/LeaveTeamModal.tsxapps/meteor/client/views/room/contextualBar/UserInfo/UserInfoWithData.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/TimedVideoConfPopup.tsxapps/meteor/client/views/room/contextualBar/VideoConference/VideoConfPopups/VideoConfPopup/OutgoingPopup.tsxapps/meteor/client/views/room/modals/ForwardMessageModal/ForwardMessageModal.tsxapps/meteor/client/views/room/UserCard/UserCardWithData.tsxapps/meteor/client/views/room/modals/ReportMessageModal/ReportMessageModal.tsxapps/meteor/client/views/room/composer/ComposerAirGappedRestricted.tsx
📚 Learning: 2026-02-10T16:32:42.586Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38528
File: apps/meteor/client/startup/roles.ts:14-14
Timestamp: 2026-02-10T16:32:42.586Z
Learning: In Rocket.Chat's Meteor client code, DDP streams use EJSON and Date fields arrive as Date objects; do not manually construct new Date() in stream handlers (for example, in sdk.stream()). Only REST API responses return plain JSON where dates are strings, so implement explicit conversion there if needed. Apply this guidance to all TypeScript files under apps/meteor/client to ensure consistent date handling in DDP streams and REST responses.
Applied to files:
apps/meteor/client/views/room/Header/Omnichannel/QuickActions/hooks/useDropdownVisibility.tsapps/meteor/client/views/room/providers/hooks/useInstance.tsapps/meteor/client/views/room/composer/messageBox/hooks/useMessageBoxAutoFocus.tsapps/meteor/client/views/room/contextualBar/Threads/hooks/useThreadMainMessageQuery.tsapps/meteor/client/views/room/contexts/ComposerPopupContext.tsapps/meteor/client/views/room/composer/hooks/useComposerBoxPopup.ts
📚 Learning: 2026-05-11T20:30:35.265Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 40480
File: apps/meteor/client/meteor/startup/accounts.ts:59-61
Timestamp: 2026-05-11T20:30:35.265Z
Learning: In Rocket.Chat’s Meteor client code, when calling `dispatchToastMessage` with `{ type: 'error' }`, pass the raw caught error object as `message` without manual normalization. `dispatchToastMessage` is designed to accept `message: unknown` for error toasts, so avoid converting errors to strings (e.g., `String(error)`) or extracting `error.message` before passing them.
Applied to files:
apps/meteor/client/views/room/Header/Omnichannel/QuickActions/hooks/useDropdownVisibility.tsapps/meteor/client/views/room/providers/hooks/useInstance.tsapps/meteor/client/views/room/composer/messageBox/hooks/useMessageBoxAutoFocus.tsapps/meteor/client/views/room/contextualBar/Threads/hooks/useThreadMainMessageQuery.tsapps/meteor/client/views/room/contexts/ComposerPopupContext.tsapps/meteor/client/views/room/composer/hooks/useComposerBoxPopup.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.
Applied to files:
apps/meteor/client/views/room/Header/Omnichannel/QuickActions/hooks/useDropdownVisibility.tsapps/meteor/client/views/room/providers/hooks/useInstance.tsapps/meteor/client/views/room/composer/messageBox/hooks/useMessageBoxAutoFocus.tsapps/meteor/client/views/room/contextualBar/Threads/hooks/useThreadMainMessageQuery.tsapps/meteor/client/views/room/contexts/ComposerPopupContext.tsapps/meteor/client/views/room/composer/hooks/useComposerBoxPopup.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.
Applied to files:
apps/meteor/client/views/room/Header/Omnichannel/QuickActions/hooks/useDropdownVisibility.tsapps/meteor/client/views/room/providers/hooks/useInstance.tsapps/meteor/client/views/room/composer/messageBox/hooks/useMessageBoxAutoFocus.tsapps/meteor/client/views/room/contextualBar/Threads/hooks/useThreadMainMessageQuery.tsapps/meteor/client/views/room/contexts/ComposerPopupContext.tsapps/meteor/client/views/room/composer/hooks/useComposerBoxPopup.ts
Comment on lines
+60
to
+68
| {results?.map((room, key) => ( | ||
| <ChannelDesertionTableRow | ||
| key={key} | ||
| room={room} | ||
| onChange={onChangeRoomSelection} | ||
| selected={'_id' in room && room._id ? !!selectedRooms[room._id] : false} | ||
| lastOwnerWarning={lastOwnerWarning} | ||
| /> | ||
| ))} |
Contributor
There was a problem hiding this comment.
Use a stable row key instead of array index.
Lines 60-68 use key={key} on a sorted list, which can cause row state mismatches after reordering. Prefer room._id as key.
Suggested fix
- {results?.map((room, key) => (
+ {results?.map((room) => (
<ChannelDesertionTableRow
- key={key}
+ key={room._id}
room={room}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| {results?.map((room, key) => ( | |
| <ChannelDesertionTableRow | |
| key={key} | |
| room={room} | |
| onChange={onChangeRoomSelection} | |
| selected={'_id' in room && room._id ? !!selectedRooms[room._id] : false} | |
| lastOwnerWarning={lastOwnerWarning} | |
| /> | |
| ))} | |
| {results?.map((room) => ( | |
| <ChannelDesertionTableRow | |
| key={room._id} | |
| room={room} | |
| onChange={onChangeRoomSelection} | |
| selected={'_id' in room && room._id ? !!selectedRooms[room._id] : false} | |
| lastOwnerWarning={lastOwnerWarning} | |
| /> | |
| ))} |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@apps/meteor/client/views/teams/ChannelDesertionTable/ChannelDesertionTable.tsx`
around lines 60 - 68, The list rendering uses the array index as React key which
can cause state mismatches; update the ChannelDesertionTable render so
ChannelDesertionTableRow uses a stable unique key (use room._id) instead of
key={key}; locate the map over results and change key to something like
key={('_id' in room && room._id) ? room._id : `room-${indexOrFallback}`}
ensuring you reference the results variable, each room object, and
ChannelDesertionTableRow and keep the existing selectedRooms logic intact.
![hacktron-app[bot]](https://avatars.githubusercontent.com/in/1250513?s=60&v=4){kind=small}
| }; | ||
|
|
||
| function DropTargetOverlay({ enabled, reason, onFileDrop, visible = true, onDismiss }: DropTargetOverlayProps): ReactElement | null { | ||
| function DropTargetOverlay({ enabled, reason, onFileDrop, visible = true, onDismiss }: DropTargetOverlayProps) { |
There was a problem hiding this comment.
In DropTargetOverlay.tsx, when a user performs a drag-and-drop operation, the application checks if the dragged data contains both text/uri-list and text/html. If it does, it parses the HTML data using document.createRange().createContextualFragment(...), queries all <img> elements, and performs a client-side fetch request to the src attribute of each image. The fetched data is then converted into a File object and automatically added to the list of files to be uploaded to the current chat room.
An attacker can exploit this to exfiltrate sensitive data from the Rocket.Chat server (same-origin endpoints requiring the user's active session/cookies) or from any accessible local/intranet services (e.g., local development servers, router admin pages, cloud metadata endpoints).
By hosting a malicious website or sending a crafted message/email that prompts the user to drag an element from the attacker's controlled page into the Rocket.Chat client, the attacker can force the client to:
- Fetch sensitive same-origin endpoints (such as API responses containing private keys, list of users, settings, or private messages) using the user's authenticated session.
- Fetch sensitive local/intranet resources.
- Automatically upload the retrieved data as a file attachment directly into the chat room where the drop occurred. If the attacker is a participant in that room (e.g., a public channel or a shared private room/DM), they can immediately download the uploaded file and access the exfiltrated sensitive data.
Steps to Reproduce
- The attacker hosts a web page with the following draggable element:
<div draggable="true" id="drag-me">Drag me to Rocket.Chat to share!</div>
<script>
document.getElementById('drag-me').addEventListener('dragstart', (event) => {
event.dataTransfer.setData('text/uri-list', 'http://localhost:3000/api/v1/me');
event.dataTransfer.setData('text/html', '<img src="http://localhost:3000/api/v1/me">');
});
</script>- The victim, logged into Rocket.Chat, drags this element and drops it into a chat room where the attacker is present.
- The Rocket.Chat client parses the HTML, finds the
<img>tag, and executesfetch('http://localhost:3000/api/v1/me')with the victim's session cookies. - The client receives the JSON response containing the victim's personal profile and session details, packages it as a file, and uploads it to the chat room.
- The attacker downloads the uploaded file from the chat room, successfully exfiltrating the victim's sensitive profile data.
Trace
graph TD
subgraph SG0 ["apps/meteor/client/hooks/useFormatDateAndTime.ts"]
useFormatDateAndTime["Returns a date and time formatting function based on user preferences and system settings."]
end
style SG0 fill:#2a2a2a,stroke:#444,color:#aaa
subgraph SG1 ["apps/meteor/client/lib/utils/dateFormat.ts"]
momentFormatToDateFns["momentFormatToDateFns"]
flushLiteral["flushLiteral"]
safeFormat["Safely formats a date using date-fns with fallback."]
formatDate["Formats a date based on a format string."]
end
style SG1 fill:#2a2a2a,stroke:#444,color:#aaa
subgraph SG2 ["apps/meteor/client/views/room/Room.tsx"]
Room["Main component for rendering a chat room, handling E2EE setup, message lists, and contextual bars."]
end
style SG2 fill:#2a2a2a,stroke:#444,color:#aaa
subgraph SG3 ["apps/meteor/client/views/room/body/DropTargetOverlay.tsx"]
DropTargetOverlay{{"Overlay component that handles file drag-and-drop events, including processing dropped files and image URLs."}}
end
style SG3 fill:#2a2a2a,stroke:#444,color:#aaa
subgraph SG4 ["apps/meteor/client/views/room/body/RoomBody.tsx"]
RoomBody["Main container component for the chat room, managing message lists, composer, UI state, and room-specific features."]
end
style SG4 fill:#2a2a2a,stroke:#444,color:#aaa
DropTargetOverlay --> useFormatDateAndTime
useFormatDateAndTime --> formatDate
formatDate --> safeFormat
safeFormat --> momentFormatToDateFns
momentFormatToDateFns --> flushLiteral
RoomBody --> DropTargetOverlay
Room --> RoomBody
Fix with AI
A security vulnerability was found by Hacktron.
File: apps/meteor/client/views/room/body/DropTargetOverlay.tsx
Lines: 18
Severity: high
Vulnerability: Client-Side SSRF and Same-Origin/Intranet Data Exfiltration via Drag-and-Drop in DropTargetOverlay
Description:
In `DropTargetOverlay.tsx`, when a user performs a drag-and-drop operation, the application checks if the dragged data contains both `text/uri-list` and `text/html`. If it does, it parses the HTML data using `document.createRange().createContextualFragment(...)`, queries all `<img>` elements, and performs a client-side `fetch` request to the `src` attribute of each image. The fetched data is then converted into a `File` object and automatically added to the list of files to be uploaded to the current chat room.
An attacker can exploit this to exfiltrate sensitive data from the Rocket.Chat server (same-origin endpoints requiring the user's active session/cookies) or from any accessible local/intranet services (e.g., local development servers, router admin pages, cloud metadata endpoints).
By hosting a malicious website or sending a crafted message/email that prompts the user to drag an element from the attacker's controlled page into the Rocket.Chat client, the attacker can force the client to:
1. Fetch sensitive same-origin endpoints (such as API responses containing private keys, list of users, settings, or private messages) using the user's authenticated session.
2. Fetch sensitive local/intranet resources.
3. Automatically upload the retrieved data as a file attachment directly into the chat room where the drop occurred. If the attacker is a participant in that room (e.g., a public channel or a shared private room/DM), they can immediately download the uploaded file and access the exfiltrated sensitive data.
Proof of Concept:
1. The attacker hosts a web page with the following draggable element:
```html
<div draggable="true" id="drag-me">Drag me to Rocket.Chat to share!</div>
<script>
document.getElementById('drag-me').addEventListener('dragstart', (event) => {
event.dataTransfer.setData('text/uri-list', 'http://localhost:3000/api/v1/me');
event.dataTransfer.setData('text/html', '<img src="http://localhost:3000/api/v1/me">');
});
</script>
```
2. The victim, logged into Rocket.Chat, drags this element and drops it into a chat room where the attacker is present.
3. The Rocket.Chat client parses the HTML, finds the `<img>` tag, and executes `fetch('http://localhost:3000/api/v1/me')` with the victim's session cookies.
4. The client receives the JSON response containing the victim's personal profile and session details, packages it as a file, and uploads it to the chat room.
5. The attacker downloads the uploaded file from the chat room, successfully exfiltrating the victim's sensitive profile data.
Affected Code:
```typescript
if (event.dataTransfer.types.includes('text/uri-list') && event.dataTransfer.types.includes('text/html')) {
const fragment = document.createRange().createContextualFragment(event.dataTransfer.getData('text/html'));
for await (const { src } of Array.from(fragment.querySelectorAll('img'))) {
try {
const response = await fetch(src);
const data = await response.blob();
const extension = (await import('../../../../app/utils/lib/mimeTypes')).mime.extension(data.type);
const filename = `File - ${formatDateAndTime(new Date())}.${extension}`;
const file = new File([data], filename, { type: data.type });
files.push(file);
} catch (error) {
console.warn(error);
}
}
}
```
Acceptance criteria:
- Acceptance is defined by the **actual reported behavior**, not by tests passing.
- Reproduce the issue, or narrow the exact code path that produces it, *before* changing code. State what you confirmed.
- Fix the underlying cause. Mitigations that paper over the reported behavior do not count as a fix.
- Add a regression test that fails on the unpatched code and passes on the fix. If a regression test is genuinely impractical (e.g. race condition, infra-level issue), say so and explain why.
- Existing tests passing is **not** the bar. Do not declare done on tests-pass theatre.
Only change what is necessary to fix this vulnerability. Do not refactor adjacent code or modify unrelated files.
Triage: Reply !fp <reason> (false positive), !valid (confirmed), or !accepted_risk <reason>. Any other reply is saved as a triage note.
Reason is optional but improves future scans — e.g. !fp internal endpoint, not user-facing.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proposed changes (including videos or screenshots)
As a first step towards upgrading to React 19, it handles types from
@types/reactlooking forward the next major.Issue(s)
Task: ARCH-2170
Steps to test or reproduce
Further comments
No runtime change is expected from it.
Summary by CodeRabbit
ReactElementreturn type annotations from React component declarations across the codebase, allowing TypeScript to infer component return types.ReactNodeinstead ofReactElement) for component props and render callbacks.