summary refs log tree commit diff
diff options
context:
space:
mode:
authorreivilibre <oliverw@matrix.org>2023-02-14 15:50:59 +0000
committerGitHub <noreply@github.com>2023-02-14 15:50:59 +0000
commite9b1ff9f31f8ff093e7eaf9c54fa8f40a3b66aa8 (patch)
tree5fcff311aee38825d5a4eabf94bbc64f5efde7cf
parentMerge branch 'master' into develop (diff)
downloadsynapse-e9b1ff9f31f8ff093e7eaf9c54fa8f40a3b66aa8.tar.xz
Prevent clients from reporting nonexistent events. (#13779)
-rw-r--r--changelog.d/13779.bugfix1
-rw-r--r--synapse/rest/client/report_event.py11
-rw-r--r--tests/rest/client/test_report_event.py12
3 files changed, 23 insertions, 1 deletions
diff --git a/changelog.d/13779.bugfix b/changelog.d/13779.bugfix
new file mode 100644
index 0000000000..a92c722c6e
--- /dev/null
+++ b/changelog.d/13779.bugfix
@@ -0,0 +1 @@
+Prevent clients from reporting nonexistent events.
\ No newline at end of file
diff --git a/synapse/rest/client/report_event.py b/synapse/rest/client/report_event.py
index e2b410cf32..9be5860221 100644
--- a/synapse/rest/client/report_event.py
+++ b/synapse/rest/client/report_event.py
@@ -16,7 +16,7 @@ import logging
 from http import HTTPStatus
 from typing import TYPE_CHECKING, Tuple
 
-from synapse.api.errors import Codes, SynapseError
+from synapse.api.errors import Codes, NotFoundError, SynapseError
 from synapse.http.server import HttpServer
 from synapse.http.servlet import RestServlet, parse_json_object_from_request
 from synapse.http.site import SynapseRequest
@@ -39,6 +39,7 @@ class ReportEventRestServlet(RestServlet):
         self.auth = hs.get_auth()
         self.clock = hs.get_clock()
         self.store = hs.get_datastores().main
+        self._event_handler = self.hs.get_event_handler()
 
     async def on_POST(
         self, request: SynapseRequest, room_id: str, event_id: str
@@ -61,6 +62,14 @@ class ReportEventRestServlet(RestServlet):
                 Codes.BAD_JSON,
             )
 
+        event = await self._event_handler.get_event(
+            requester.user, room_id, event_id, show_redacted=False
+        )
+        if event is None:
+            raise NotFoundError(
+                "Unable to report event: it does not exist or you aren't able to see it."
+            )
+
         await self.store.add_event_report(
             room_id=room_id,
             event_id=event_id,
diff --git a/tests/rest/client/test_report_event.py b/tests/rest/client/test_report_event.py
index 7cb1017a4a..1250685d39 100644
--- a/tests/rest/client/test_report_event.py
+++ b/tests/rest/client/test_report_event.py
@@ -73,6 +73,18 @@ class ReportEventTestCase(unittest.HomeserverTestCase):
         data = {"reason": None, "score": None}
         self._assert_status(400, data)
 
+    def test_cannot_report_nonexistent_event(self) -> None:
+        """
+        Tests that we don't accept event reports for events which do not exist.
+        """
+        channel = self.make_request(
+            "POST",
+            f"rooms/{self.room_id}/report/$nonsenseeventid:test",
+            {"reason": "i am very sad"},
+            access_token=self.other_user_tok,
+        )
+        self.assertEqual(404, channel.code, msg=channel.result["body"])
+
     def _assert_status(self, response_status: int, data: JsonDict) -> None:
         channel = self.make_request(
             "POST", self.report_path, data, access_token=self.other_user_tok