Merge pull request #3316 from matrix-org/rav/enforce_report_api

Enforce the specified API for report_event

2 files changed, 25 insertions, 2 deletions

diff --git a/changelog.d/3316.feature b/changelog.d/3316.feature
new file mode 100644
index 0000000000..50068b7222
--- /dev/null
+++ b/changelog.d/3316.feature
@@ -0,0 +1 @@
+Enforce the specified API for report_event
diff --git a/synapse/rest/client/v2_alpha/report_event.py b/synapse/rest/client/v2_alpha/report_event.py
index 08bb8e04fd..0cc2a71c3b 100644
--- a/synapse/rest/client/v2_alpha/report_event.py
+++ b/synapse/rest/client/v2_alpha/report_event.py
@@ -15,9 +15,17 @@
 
 import logging
 
+from six import string_types
+from six.moves import http_client
+
 from twisted.internet import defer
 
-from synapse.http.servlet import RestServlet, parse_json_object_from_request
+from synapse.api.errors import Codes, SynapseError
+from synapse.http.servlet import (
+    RestServlet,
+    assert_params_in_request,
+    parse_json_object_from_request,
+)
 
 from ._base import client_v2_patterns
 
@@ -42,12 +50,26 @@ class ReportEventRestServlet(RestServlet):
         user_id = requester.user.to_string()
 
         body = parse_json_object_from_request(request)
+        assert_params_in_request(body, ("reason", "score"))
+
+        if not isinstance(body["reason"], string_types):
+            raise SynapseError(
+                http_client.BAD_REQUEST,
+                "Param 'reason' must be a string",
+                Codes.BAD_JSON,
+            )
+        if not isinstance(body["score"], int):
+            raise SynapseError(
+                http_client.BAD_REQUEST,
+                "Param 'score' must be an integer",
+                Codes.BAD_JSON,
+            )
 
         yield self.store.add_event_report(
             room_id=room_id,
             event_id=event_id,
             user_id=user_id,
-            reason=body.get("reason"),
+            reason=body["reason"],
             content=body,
             received_ts=self.clock.time_msec(),
         )