authorsanthoshivan23 <47689668+santhoshivan23@users.noreply.github.com>2022-06-22 20:02:18 +0530
committerGitHub <noreply@github.com>2022-06-22 15:32:18 +0100
commitd54909956ef616d976b3d9969be994df5b65030a (patch)
tree48a096aa0c97feebc159b1f50e9c8bafb965eeb0
parentUse caret (semver bounds) for matrix.org packages (#13082) (diff)
downloadsynapse-d54909956ef616d976b3d9969be994df5b65030a.tar.xz
validate room alias before interacting with the room directory (#13106)
-rw-r--r--changelog.d/13106.bugfix1
-rw-r--r--synapse/rest/client/directory.py6
-rw-r--r--tests/rest/client/test_directory.py13
3 files changed, 20 insertions, 0 deletions
diff --git a/changelog.d/13106.bugfix b/changelog.d/13106.bugfix
new file mode 100644
index 0000000000..0dc16bad08
--- /dev/null
+++ b/changelog.d/13106.bugfix
@@ -0,0 +1 @@
+Fix a long-standing bug where room directory requests would cause an internal server error if given a malformed room alias.
\ No newline at end of file
diff --git a/synapse/rest/client/directory.py b/synapse/rest/client/directory.py
index 9639d4fe2c..d6c89cb162 100644
--- a/synapse/rest/client/directory.py
+++ b/synapse/rest/client/directory.py
@@ -46,6 +46,8 @@ class ClientDirectoryServer(RestServlet):
         self.auth = hs.get_auth()
 
     async def on_GET(self, request: Request, room_alias: str) -> Tuple[int, JsonDict]:
+        if not RoomAlias.is_valid(room_alias):
+            raise SynapseError(400, "Room alias invalid", errcode=Codes.INVALID_PARAM)
         room_alias_obj = RoomAlias.from_string(room_alias)
 
         res = await self.directory_handler.get_association(room_alias_obj)
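Review bot: The same two-line `RoomAlias.is_valid` guard is pasted ahead of `RoomAlias.from_string` in on_GET here and again in the on_PUT and on_DELETE hunks below, so any handler added to this servlet later has to remember to copy it. A single module-level helper that validates and parses in one step would keep the 400 / `Codes.INVALID_PARAM` response identical across methods and make a bare, unchecked `from_string` call on a path parameter easy to spot in review. on_GET's body continues past the end of the hunk.

```python
def _parse_room_alias(room_alias: str) -> RoomAlias:
    """Return the parsed alias, or reject a malformed one with a 400."""
    if not RoomAlias.is_valid(room_alias):
        raise SynapseError(400, "Room alias invalid", errcode=Codes.INVALID_PARAM)
    return RoomAlias.from_string(room_alias)

    async def on_GET(self, request: Request, room_alias: str) -> Tuple[int, JsonDict]:
        room_alias_obj = _parse_room_alias(room_alias)
        # … unchanged: get_association lookup …
```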
@@ -55,6 +57,8 @@ class ClientDirectoryServer(RestServlet):
     async def on_PUT(
         self, request: SynapseRequest, room_alias: str
     ) -> Tuple[int, JsonDict]:
+        if not RoomAlias.is_valid(room_alias):
+            raise SynapseError(400, "Room alias invalid", errcode=Codes.INVALID_PARAM)
         room_alias_obj = RoomAlias.from_string(room_alias)
 
         content = parse_json_object_from_request(request)
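Review bot: The guard added to on_PUT here, and the identical one in the on_DELETE hunk, is not exercised by the test this commit adds, which issues only a GET for `#potato`. These are the two methods that change directory state, so `test_invalid_alias` should iterate over the methods, e.g. `for method in ("GET", "PUT", "DELETE"):`, and assert 400 with `M_INVALID_PARAM` for each. Keeping the errcode assertion matters for PUT in particular: the check sits before `parse_json_object_from_request`, and a 400 raised for some other reason, such as body parsing, could otherwise hide a missing guard. on_PUT's body continues outside the hunk.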
@@ -89,6 +93,8 @@ class ClientDirectoryServer(RestServlet):
     async def on_DELETE(
         self, request: SynapseRequest, room_alias: str
     ) -> Tuple[int, JsonDict]:
+        if not RoomAlias.is_valid(room_alias):
+            raise SynapseError(400, "Room alias invalid", errcode=Codes.INVALID_PARAM)
         room_alias_obj = RoomAlias.from_string(room_alias)
         requester = await self.auth.get_user_by_req(request)
 
diff --git a/tests/rest/client/test_directory.py b/tests/rest/client/test_directory.py
index 67473a68d7..16e7ef41bc 100644
--- a/tests/rest/client/test_directory.py
+++ b/tests/rest/client/test_directory.py
@@ -215,6 +215,19 @@ class DirectoryTestCase(unittest.HomeserverTestCase):
         self.assertEqual(channel.code, expected_code, channel.result)
         return alias
 
+    def test_invalid_alias(self) -> None:
+        alias = "#potato"
+        channel = self.make_request(
+            "GET",
+            f"/_matrix/client/r0/directory/room/{alias}",
+            access_token=self.user_tok,
+        )
+        self.assertEqual(channel.code, HTTPStatus.BAD_REQUEST, channel.result)
+        self.assertIn("error", channel.json_body, channel.json_body)
+        self.assertEqual(
+            channel.json_body["errcode"], "M_INVALID_PARAM", channel.json_body
+        )
+
     def random_alias(self, length: int) -> str:
         return RoomAlias(random_string(length), self.hs.hostname).to_string()