Cleans RemoteId when sanitizing post input from the API (mattermost#2…

…7049)

* Cleans RemoteId when sanitizing post input from the API

* Fix require check

---------

Co-authored-by: Mattermost Build <[email protected]>

server/channels/api4/post.go

@@ -55,8 +55,7 @@ func createPost(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Strip away delete_at if passed
-	post.DeleteAt = 0
+	post.SanitizeInput()
 
 	post.UserId = c.AppContext.Session().UserId
 

server/channels/api4/post_test.go

@@ -230,6 +230,24 @@ func TestCreatePost(t *testing.T) {
 	rpost, _, err = th.SystemAdminClient.CreatePost(context.Background(), post)
 	require.NoError(t, err)
 	require.Equal(t, post.CreateAt, rpost.CreateAt, "create at should match")
+
+	t.Run("Should not be able to define the RemoteId of a post from the API", func(t *testing.T) {
+		newPost := &model.Post{
+			RemoteId:  model.NewString(model.NewId()),
+			ChannelId: th.BasicChannel.Id,
+			Message:   "post content " + model.NewId(),
+			DeleteAt:  0,
+		}
+
+		respPost, resp, err := th.SystemAdminClient.CreatePost(context.Background(), newPost)
+		require.NoError(t, err)
+		CheckCreatedStatus(t, resp)
+		require.Zero(t, *respPost.RemoteId)
+
+		createdPost, appErr := th.App.GetSinglePost(respPost.Id, false)
+		require.Nil(t, appErr)
+		require.Zero(t, *createdPost.RemoteId)
+	})
 }
 
 func TestCreatePostForPriority(t *testing.T) {

server/public/model/post.go

@@ -488,6 +488,12 @@ func (o *Post) SanitizeProps() {
 	}
 }
 
+// Remove any input data from the post object that is not user controlled
+func (o *Post) SanitizeInput() {
+	o.DeleteAt = 0
+	o.RemoteId = NewString("")
+}
+
 func (o *Post) ContainsIntegrationsReservedProps() []string {
 	return containsIntegrationsReservedProps(o.GetProps())
 }