summary refs log tree commit diff
diff options
context:
space:
mode:
authorErik Johnston <erik@matrix.org>2024-11-15 15:53:33 +0000
committerQuentin Gliech <quenting@element.io>2024-12-03 09:53:21 +0100
commitd82e1ed357b7ee21dff83d06cba7a67840cfd464 (patch)
tree6d5a77677713c28c39dec856d189b6ed8f66f6d0
parentSliding Sync: Fix state leaking on incremental sync (diff)
downloadsynapse-d82e1ed357b7ee21dff83d06cba7a67840cfd464.tar.xz
Handle null invite and knock room state
Diffstat (limited to '')
-rw-r--r--synapse/federation/transport/server/federation.py3


-rw-r--r--synapse/handlers/federation.py3


-rw-r--r--synapse/handlers/sliding_sync/__init__.py16


-rw-r--r--synapse/push/push_tools.py8


-rw-r--r--synapse/rest/client/sync.py12


5 files changed, 33 insertions, 9 deletions
diff --git a/synapse/federation/transport/server/federation.py b/synapse/federation/transport/server/federation.py

index a05e5d5319..093ba30d31 100644
--- a/synapse/federation/transport/server/federation.py
+++ b/synapse/federation/transport/server/federation.py
@@ -509,6 +509,9 @@ class FederationV2InviteServlet(BaseFederationServerServlet):
         event = content["event"]
         invite_room_state = content.get("invite_room_state", [])
 
+        if not isinstance(invite_room_state, list):
+            invite_room_state = []
+
         # Synapse expects invite_room_state to be in unsigned, as it is in v1
         # API
 
diff --git a/synapse/handlers/federation.py b/synapse/handlers/federation.py

index 2b7aad5b58..17dd4af13e 100644
--- a/synapse/handlers/federation.py
+++ b/synapse/handlers/federation.py
@@ -880,6 +880,9 @@ class FederationHandler:
         if stripped_room_state is None:
             raise KeyError("Missing 'knock_room_state' field in send_knock response")
 
+        if not isinstance(stripped_room_state, list):
+            raise TypeError("'knock_room_state' has wrong type")
+
         event.unsigned["knock_room_state"] = stripped_room_state
 
         context = EventContext.for_outlier(self._storage_controllers)
diff --git a/synapse/handlers/sliding_sync/__init__.py b/synapse/handlers/sliding_sync/__init__.py

index 0893017126..0175da1a13 100644
--- a/synapse/handlers/sliding_sync/__init__.py
+++ b/synapse/handlers/sliding_sync/__init__.py
@@ -815,13 +815,19 @@ class SlidingSyncHandler:
 
             stripped_state = []
             if invite_or_knock_event.membership == Membership.INVITE:
-                stripped_state.extend(
-                    invite_or_knock_event.unsigned.get("invite_room_state", [])
+                invite_state = invite_or_knock_event.unsigned.get(
+                    "invite_room_state", []
                 )
+                if not isinstance(invite_state, list):
+                    invite_state = []
+
+                stripped_state.extend(invite_state)
             elif invite_or_knock_event.membership == Membership.KNOCK:
-                stripped_state.extend(
-                    invite_or_knock_event.unsigned.get("knock_room_state", [])
-                )
+                knock_state = invite_or_knock_event.unsigned.get("knock_room_state", [])
+                if not isinstance(knock_state, list):
+                    knock_state = []
+
+                stripped_state.extend(knock_state)
 
             stripped_state.append(strip_event(invite_or_knock_event))
 
diff --git a/synapse/push/push_tools.py b/synapse/push/push_tools.py

index 1ef881f702..3f3e4a9234 100644
--- a/synapse/push/push_tools.py
+++ b/synapse/push/push_tools.py
@@ -74,9 +74,13 @@ async def get_context_for_event(
 
         room_state = []
         if ev.content.get("membership") == Membership.INVITE:
-            room_state = ev.unsigned.get("invite_room_state", [])
+            invite_room_state = ev.unsigned.get("invite_room_state", [])
+            if isinstance(invite_room_state, list):
+                room_state = invite_room_state
         elif ev.content.get("membership") == Membership.KNOCK:
-            room_state = ev.unsigned.get("knock_room_state", [])
+            knock_room_state = ev.unsigned.get("knock_room_state", [])
+            if isinstance(knock_room_state, list):
+                room_state = knock_room_state
 
         # Ideally we'd reuse the logic in `calculate_room_name`, but that gets
         # complicated to handle partial events vs pulling events from the DB.
diff --git a/synapse/rest/client/sync.py b/synapse/rest/client/sync.py

index 5c62a74f41..f4ef84a038 100644
--- a/synapse/rest/client/sync.py
+++ b/synapse/rest/client/sync.py
@@ -436,7 +436,12 @@ class SyncRestServlet(RestServlet):
             )
             unsigned = dict(invite.get("unsigned", {}))
             invite["unsigned"] = unsigned
-            invited_state = list(unsigned.pop("invite_room_state", []))
+
+            invited_state = unsigned.pop("invite_room_state", [])
+            if not isinstance(invited_state, list):
+                invited_state = []
+
+            invited_state = list(invited_state)
             invited_state.append(invite)
             invited[room.room_id] = {"invite_state": {"events": invited_state}}
 
@@ -476,7 +481,10 @@ class SyncRestServlet(RestServlet):
             # Extract the stripped room state from the unsigned dict
             # This is for clients to get a little bit of information about
             # the room they've knocked on, without revealing any sensitive information
-            knocked_state = list(unsigned.pop("knock_room_state", []))
+            knocked_state = unsigned.pop("knock_room_state", [])
+            if not isinstance(knocked_state, list):
+                knocked_state = []
+            knocked_state = list(knocked_state)
 
             # Append the actual knock membership event itself as well. This provides
             # the client with:

 

generated by cgit-magenta 1.5.1 (git 2.48.1) at 2025-08-09 08:12:28 +0000