

Extra validation for rest/client/account_data (#13148)
* Extra validation for rest/client/account_data

This is a fairly simple endpoint and we did pretty well here.

* Changelog
David Robertson authored Jul 1, 2022
1 parent 6da861a commit d70ff5c
Showing 2 changed files with 18 additions and 2 deletions.
1 change: 1 addition & 0 deletions changelog.d/13148.feature
@@ -0,0 +1 @@
Improve validation logic in Synapse's REST endpoints.
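--- a/synapse/rest/client/account_data.py
+++ b/synapse/rest/client/account_data.py
@@ -15,11 +15,11 @@
 import logging
 from typing import TYPE_CHECKING, Tuple
 
-from synapse.api.errors import AuthError, NotFoundError, SynapseError
+from synapse.api.errors import AuthError, Codes, NotFoundError, SynapseError
 from synapse.http.server import HttpServer
 from synapse.http.servlet import RestServlet, parse_json_object_from_request
 from synapse.http.site import SynapseRequest
-from synapse.types import JsonDict
+from synapse.types import JsonDict, RoomID
 
 from ._base import client_patterns
 
@@ -104,13 +104,21 @@ async def on_PUT(
         if user_id != requester.user.to_string():
             raise AuthError(403, "Cannot add account data for other users.")
 
+        if not RoomID.is_valid(room_id):
+            raise SynapseError(
+                400,
+                f"{room_id} is not a valid room ID",
+                Codes.INVALID_PARAM,
+            )
+
         body = parse_json_object_from_request(request)
 
         if account_data_type == "m.fully_read":
             raise SynapseError(
                 405,
                 "Cannot set m.fully_read through this API."
                 " Use /rooms/!roomId:server.name/read_markers",
+                Codes.BAD_JSON,
             )
 
         await self.handler.add_account_data_to_room(
@@ -130,6 +138,13 @@ async def on_GET(
         if user_id != requester.user.to_string():
             raise AuthError(403, "Cannot get account data for other users.")
 
+        if not RoomID.is_valid(room_id):
+            raise SynapseError(
+                400,
+                f"{room_id} is not a valid room ID",
+                Codes.INVALID_PARAM,
+            )
+
         event = await self.store.get_account_data_for_room_and_type(
             user_id, room_id, account_data_type
         )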
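Review bot: The `RoomID.is_valid` guard added in on_PUT is repeated verbatim in on_GET, so the 400/Codes.INVALID_PARAM contract for a malformed room ID now lives in two places that must be kept in sync, and a later handler on the same servlet would have to copy it a third time. A small module-level helper that raises the SynapseError would let both methods share one check, and its docstring can record the ordering the diff establishes: the check runs after the requester/user_id comparison and before any body parsing or store access, so an attacker-controlled path segment is rejected before it reaches the database. In on_PUT the `Codes.BAD_JSON` added to the 405 for `m.fully_read` describes a type-based refusal, not malformed JSON; if the project has a closer error code it may be worth a look, otherwise a one-line comment explaining the choice would help the next reader. Both on_PUT and on_GET start and end outside the hunk.
```python
def _check_room_id(room_id: str) -> None:
    """Reject a malformed room ID with 400/Codes.INVALID_PARAM.

    Call after the requester check and before any body parsing or store
    access so an invalid path segment never reaches the handler or database.
    """
    if not RoomID.is_valid(room_id):
        raise SynapseError(
            400,
            f"{room_id} is not a valid room ID",
            Codes.INVALID_PARAM,
        )

# … unchanged: class definition and on_PUT preamble …
        _check_room_id(room_id)
        body = parse_json_object_from_request(request)
# … unchanged: rest of on_PUT; on_GET makes the same _check_room_id call …
```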
