diff options
| author | santhoshivan23 <47689668+santhoshivan23@users.noreply.github.com> | 2022-06-22 20:02:18 +0530 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-06-22 15:32:18 +0100 |
| commit | d54909956ef616d976b3d9969be994df5b65030a (patch) | |
| tree | 48a096aa0c97feebc159b1f50e9c8bafb965eeb0 | |
| parent | Use caret (semver bounds) for matrix.org packages (#13082) (diff) | |
| download | synapse-d54909956ef616d976b3d9969be994df5b65030a.tar.xz | |
validate room alias before interacting with the room directory (#13106)
| -rw-r--r-- | changelog.d/13106.bugfix | 1 | ||||
| -rw-r--r-- | synapse/rest/client/directory.py | 6 | ||||
| -rw-r--r-- | tests/rest/client/test_directory.py | 13 |
3 files changed, 20 insertions, 0 deletions
diff --git a/changelog.d/13106.bugfix b/changelog.d/13106.bugfix new file mode 100644 index 0000000000..0dc16bad08 --- /dev/null +++ b/changelog.d/13106.bugfix @@ -0,0 +1 @@ +Fix a long-standing bug where room directory requests would cause an internal server error if given a malformed room alias. \ No newline at end of file diff --git a/synapse/rest/client/directory.py b/synapse/rest/client/directory.py index 9639d4fe2c..d6c89cb162 100644 --- a/synapse/rest/client/directory.py +++ b/synapse/rest/client/directory.py @@ -46,6 +46,8 @@ class ClientDirectoryServer(RestServlet): self.auth = hs.get_auth() async def on_GET(self, request: Request, room_alias: str) -> Tuple[int, JsonDict]: + if not RoomAlias.is_valid(room_alias): + raise SynapseError(400, "Room alias invalid", errcode=Codes.INVALID_PARAM) room_alias_obj = RoomAlias.from_string(room_alias) res = await self.directory_handler.get_association(room_alias_obj) @@ -55,6 +57,8 @@ class ClientDirectoryServer(RestServlet): async def on_PUT( self, request: SynapseRequest, room_alias: str ) -> Tuple[int, JsonDict]: + if not RoomAlias.is_valid(room_alias): + raise SynapseError(400, "Room alias invalid", errcode=Codes.INVALID_PARAM) room_alias_obj = RoomAlias.from_string(room_alias) content = parse_json_object_from_request(request) @@ -89,6 +93,8 @@ class ClientDirectoryServer(RestServlet): async def on_DELETE( self, request: SynapseRequest, room_alias: str ) -> Tuple[int, JsonDict]: + if not RoomAlias.is_valid(room_alias): + raise SynapseError(400, "Room alias invalid", errcode=Codes.INVALID_PARAM) room_alias_obj = RoomAlias.from_string(room_alias) requester = await self.auth.get_user_by_req(request) diff --git a/tests/rest/client/test_directory.py b/tests/rest/client/test_directory.py index 67473a68d7..16e7ef41bc 100644 --- a/tests/rest/client/test_directory.py +++ b/tests/rest/client/test_directory.py @@ -215,6 +215,19 @@ class DirectoryTestCase(unittest.HomeserverTestCase): self.assertEqual(channel.code, expected_code, channel.result) return alias + def test_invalid_alias(self) -> None: + alias = "#potato" + channel = self.make_request( + "GET", + f"/_matrix/client/r0/directory/room/{alias}", + access_token=self.user_tok, + ) + self.assertEqual(channel.code, HTTPStatus.BAD_REQUEST, channel.result) + self.assertIn("error", channel.json_body, channel.json_body) + self.assertEqual( + channel.json_body["errcode"], "M_INVALID_PARAM", channel.json_body + ) + def random_alias(self, length: int) -> str: return RoomAlias(random_string(length), self.hs.hostname).to_string() |