diff options
author | David Robertson <davidr@element.io> | 2022-07-01 12:04:56 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-01 11:04:56 +0100 |
commit | d70ff5cc3508f4010ca2d19b090f0338e99c1d28 (patch) | |
tree | a38abfd3e6189384072e0a2c19fd16dfbda15ac6 | |
parent | `_process_received_pdu`: Improve exception handling (#13145) (diff) | |
download | synapse-d70ff5cc3508f4010ca2d19b090f0338e99c1d28.tar.xz |
Extra validation for rest/client/account_data (#13148)
* Extra validation for rest/client/account_data This is a fairly simple endpoint and we did pretty well here. * Changelog
-rw-r--r-- | changelog.d/13148.feature | 1 | ||||
-rw-r--r-- | synapse/rest/client/account_data.py | 19 |
2 files changed, 18 insertions, 2 deletions
diff --git a/changelog.d/13148.feature b/changelog.d/13148.feature new file mode 100644 index 0000000000..d1104b04b0 --- /dev/null +++ b/changelog.d/13148.feature @@ -0,0 +1 @@ +Improve validation logic in Synapse's REST endpoints. diff --git a/synapse/rest/client/account_data.py b/synapse/rest/client/account_data.py index bfe985939b..f13970b898 100644 --- a/synapse/rest/client/account_data.py +++ b/synapse/rest/client/account_data.py @@ -15,11 +15,11 @@ import logging from typing import TYPE_CHECKING, Tuple -from synapse.api.errors import AuthError, NotFoundError, SynapseError +from synapse.api.errors import AuthError, Codes, NotFoundError, SynapseError from synapse.http.server import HttpServer from synapse.http.servlet import RestServlet, parse_json_object_from_request from synapse.http.site import SynapseRequest -from synapse.types import JsonDict +from synapse.types import JsonDict, RoomID from ._base import client_patterns @@ -104,6 +104,13 @@ class RoomAccountDataServlet(RestServlet): if user_id != requester.user.to_string(): raise AuthError(403, "Cannot add account data for other users.") + if not RoomID.is_valid(room_id): + raise SynapseError( + 400, + f"{room_id} is not a valid room ID", + Codes.INVALID_PARAM, + ) + body = parse_json_object_from_request(request) if account_data_type == "m.fully_read": @@ -111,6 +118,7 @@ class RoomAccountDataServlet(RestServlet): 405, "Cannot set m.fully_read through this API." " Use /rooms/!roomId:server.name/read_markers", + Codes.BAD_JSON, ) await self.handler.add_account_data_to_room( @@ -130,6 +138,13 @@ class RoomAccountDataServlet(RestServlet): if user_id != requester.user.to_string(): raise AuthError(403, "Cannot get account data for other users.") + if not RoomID.is_valid(room_id): + raise SynapseError( + 400, + f"{room_id} is not a valid room ID", + Codes.INVALID_PARAM, + ) + event = await self.store.get_account_data_for_room_and_type( user_id, room_id, account_data_type ) |