Require the 'from' parameter for `/notifications` be an integer (#17283)

Co-authored-by: Erik Johnston <erikj@element.io>
author: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> 2024-06-19 10:05:39 +0100
committer: GitHub <noreply@github.com> 2024-06-19 10:05:39 +0100
commit: afaf2d9388f7012d0500932dad0af4bdb8d40d20 (patch)
tree: 621d39333de8ad990945a1fe5cd40a635bafa03a /synapse
parent: Revert "Support MSC3916 by adding a federation `/download` endpoint" (#17325) (diff)
download: synapse-afaf2d9388f7012d0500932dad0af4bdb8d40d20.tar.xz
2 files changed, 18 insertions, 2 deletions
diff --git a/synapse/rest/client/notifications.py b/synapse/rest/client/notifications.py
index be9b584748..168ce50d3f 100644
--- a/synapse/rest/client/notifications.py
+++ b/synapse/rest/client/notifications.py
@@ -32,6 +32,7 @@ from synapse.http.servlet import RestServlet, parse_integer, parse_string
 from synapse.http.site import SynapseRequest
 from synapse.types import JsonDict
 
+from ...api.errors import SynapseError
 from ._base import client_patterns
 
 if TYPE_CHECKING:
@@ -56,7 +57,22 @@ class NotificationsServlet(RestServlet):
         requester = await self.auth.get_user_by_req(request)
         user_id = requester.user.to_string()
 
-        from_token = parse_string(request, "from", required=False)
+        # While this is intended to be "string" to clients, the 'from' token
+        # is actually based on a numeric ID. So it must parse to an int.
+        from_token_str = parse_string(request, "from", required=False)
+        if from_token_str is not None:
+            # Parse to an integer.
+            try:
+                from_token = int(from_token_str)
+            except ValueError:
+                # If it doesn't parse to an integer, then this cannot possibly be a valid
+                # pagination token, as we only hand out integers.
+                raise SynapseError(
+                    400, 'Query parameter "from" contains unrecognised token'
+                )
+        else:
+            from_token = None
+
         limit = parse_integer(request, "limit", default=50)
         only = parse_string(request, "only", required=False)
 
diff --git a/synapse/storage/databases/main/event_push_actions.py b/synapse/storage/databases/main/event_push_actions.py
index bdd0781c48..0ebf5b53d5 100644
--- a/synapse/storage/databases/main/event_push_actions.py
+++ b/synapse/storage/databases/main/event_push_actions.py
@@ -1829,7 +1829,7 @@ class EventPushActionsWorkerStore(ReceiptsWorkerStore, StreamWorkerStore, SQLBas
     async def get_push_actions_for_user(
         self,
         user_id: str,
-        before: Optional[str] = None,
+        before: Optional[int] = None,
         limit: int = 50,
         only_highlight: bool = False,
     ) -> List[UserPushAction]:
author	Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>	2024-06-19 10:05:39 +0100
committer	GitHub <noreply@github.com>	2024-06-19 10:05:39 +0100
commit	afaf2d9388f7012d0500932dad0af4bdb8d40d20 (patch)
tree	621d39333de8ad990945a1fe5cd40a635bafa03a /synapse
parent	Revert "Support MSC3916 by adding a federation `/download` endpoint" (#17325) (diff)
download	synapse-afaf2d9388f7012d0500932dad0af4bdb8d40d20.tar.xz