Fix GHSA-v56r-hwv5-mxg6 — Federation denial

Fixes https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6 Federation denial of service via malformed events.
author: Erik Johnston <erik@matrix.org> 2025-03-26 16:38:15 +0000
committer: Andrew Morgan <andrew@amorgan.xyz> 2025-03-26 18:44:45 +0000
commit: 2277df2a1eb685f85040ef98fa21d41aa4cdd389 (patch)
tree: d973b5c4f11eaaeaf9c5c1545c210769ed0d13bd /synapse/events/utils.py
parent: 1.127.0 (diff)
download: synapse-2277df2a1eb685f85040ef98fa21d41aa4cdd389.tar.xz
1 files changed, 2 insertions, 3 deletions
diff --git a/synapse/events/utils.py b/synapse/events/utils.py
index 54f94add4d..eb18ba2db7 100644
--- a/synapse/events/utils.py
+++ b/synapse/events/utils.py
@@ -40,6 +40,8 @@ import attr
 from canonicaljson import encode_canonical_json
 
 from synapse.api.constants import (
+    CANONICALJSON_MAX_INT,
+    CANONICALJSON_MIN_INT,
     MAX_PDU_SIZE,
     EventContentFields,
     EventTypes,
@@ -61,9 +63,6 @@ SPLIT_FIELD_REGEX = re.compile(r"\\*\.")
 # Find escaped characters, e.g. those with a \ in front of them.
 ESCAPE_SEQUENCE_PATTERN = re.compile(r"\\(.)")
 
-CANONICALJSON_MAX_INT = (2**53) - 1
-CANONICALJSON_MIN_INT = -CANONICALJSON_MAX_INT
-
 
 # Module API callback that allows adding fields to the unsigned section of
 # events that are sent to clients.
author	Erik Johnston <erik@matrix.org>	2025-03-26 16:38:15 +0000
committer	Andrew Morgan <andrew@amorgan.xyz>	2025-03-26 18:44:45 +0000
commit	2277df2a1eb685f85040ef98fa21d41aa4cdd389 (patch)
tree	d973b5c4f11eaaeaf9c5c1545c210769ed0d13bd /synapse/events/utils.py
parent	1.127.0 (diff)
download	synapse-2277df2a1eb685f85040ef98fa21d41aa4cdd389.tar.xz