author: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> 2021-10-05 13:23:29 +0100
committer: GitHub <noreply@github.com> 2021-10-05 13:23:29 +0100
commit: 3a5b0cbe7ade000245695ec97c13ab5cb3565dc2
tree: 21a58fd5ae2c65e19745a5d3be495418b0e276d9 /synapse
parent: Host `cache_joined_hosts_for_event` to caller (#10986)
Ensure that we reject events which use rejected events for auth (#10956)
When we consider whether to accept events, we should not accept those which
depend on rejected events for their auth events.

This (together with earlier changes such as
https://github.com/matrix-org/synapse/pull/10771 and
https://github.com/matrix-org/synapse/pull/10896) forms a partial fix to
https://github.com/matrix-org/synapse/issues/9595. There still remain code
paths where we do not check the `auth_events` at all.
Diffstat (limited to 'synapse')
-rw-r--r-- synapse/event_auth.py 6
1 files changed, 6 insertions, 0 deletions
diff --git a/synapse/event_auth.py b/synapse/event_auth.py

index 7a1adc2750..ca0293a3dc 100644 --- a/synapse/event_auth.py +++ b/synapse/event_auth.py
@@ -155,6 +155,12 @@ def check_auth_rules_for_event( "which is in room %s" % (event.event_id, room_id, auth_event.event_id, auth_event.room_id), ) + if auth_event.rejected_reason: + raise AuthError( + 403, + "During auth for event %s: found rejected event %s in the state" + % (event.event_id, auth_event.event_id), + ) # Implementation of https://matrix.org/docs/spec/rooms/v1#authorization-rules #
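Review bot: the added guard `if auth_event.rejected_reason:` in `check_auth_rules_for_event` tests truthiness, so an auth event whose `rejected_reason` is set to an empty value would still be accepted; if the field is meant to be "None when not rejected", `if auth_event.rejected_reason is not None:` states the intent exactly. The error text says the rejected event was found "in the state", but the object being inspected is `auth_event`, so wording such as "in the auth events" would match what is checked, and including `auth_event.rejected_reason` in the message would make a refused event easier to diagnose from logs. Since the commit message says this is only a partial fix and other code paths do not check `auth_events` at all, a short comment above the check pointing at issue 9595 would tell later readers that this guard is not the only place the rule needs enforcing.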