Reject receipt requests with invalid room or event IDs. (#14632)

If the room or event IDs are empty or of an invalid form they should be rejected.
2025-05-12 16:02:10 -04:00 · 2022-12-07 17:35:41 +00:00 · 2022-12-07 17:35:41 +00:00 · 60c3fea327
commit 60c3fea327
parent 2506dd7641
3 changed files with 81 additions and 1 deletions
--- a/synapse/rest/client/receipts.py
+++ b/synapse/rest/client/receipts.py
@ -20,7 +20,7 @@ from synapse.api.errors import Codes, SynapseError
 from synapse.http.server import HttpServer
 from synapse.http.servlet import RestServlet, parse_json_object_from_request
 from synapse.http.site import SynapseRequest
-from synapse.types import JsonDict
+from synapse.types import EventID, JsonDict, RoomID

 from ._base import client_patterns

@ -56,6 +56,9 @@ class ReceiptRestServlet(RestServlet):
    ) -> Tuple[int, JsonDict]:
        requester = await self.auth.get_user_by_req(request)

+        if not RoomID.is_valid(room_id) or not event_id.startswith(EventID.SIGIL):
+            raise SynapseError(400, "A valid room ID and event ID must be specified")
+
        if receipt_type not in self._known_receipt_types:
            raise SynapseError(
                400,