Do not return allowed_room_ids from /hierarchy response. (#12175)

This field is only to be used in the Server-Server API, and not the
Client-Server API, but was being leaked when a federation response
was used in the /hierarchy API.
This commit is contained in:
Patrick Cloke 2022-03-08 08:09:11 -05:00 committed by GitHub
parent d8bab6793c
commit ca9234a9eb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 17 additions and 2 deletions

1
changelog.d/12175.bugfix Normal file
View File

@ -0,0 +1 @@
Fix a bug where non-standard information was returned from the `/hierarchy` API. Introduced in Synapse v1.41.0.

View File

@ -295,7 +295,7 @@ class RoomSummaryHandler:
# inaccessible to the requesting user. # inaccessible to the requesting user.
if room_entry: if room_entry:
# Add the room (including the stripped m.space.child events). # Add the room (including the stripped m.space.child events).
rooms_result.append(room_entry.as_json()) rooms_result.append(room_entry.as_json(for_client=True))
# If this room is not at the max-depth, check if there are any # If this room is not at the max-depth, check if there are any
# children to process. # children to process.
@ -843,14 +843,25 @@ class _RoomEntry:
# This may not include all children. # This may not include all children.
children_state_events: Sequence[JsonDict] = () children_state_events: Sequence[JsonDict] = ()
def as_json(self) -> JsonDict: def as_json(self, for_client: bool = False) -> JsonDict:
""" """
Returns a JSON dictionary suitable for the room hierarchy endpoint. Returns a JSON dictionary suitable for the room hierarchy endpoint.
It returns the room summary including the stripped m.space.child events It returns the room summary including the stripped m.space.child events
as a sub-key. as a sub-key.
Args:
for_client: If true, any server-server only fields are stripped from
the result.
""" """
result = dict(self.room) result = dict(self.room)
# Before returning to the client, remove the allowed_room_ids key, if it
# exists.
if for_client:
result.pop("allowed_room_ids", False)
result["children_state"] = self.children_state_events result["children_state"] = self.children_state_events
return result return result

View File

@ -172,6 +172,9 @@ class SpaceSummaryTestCase(unittest.HomeserverTestCase):
result_room_ids = [] result_room_ids = []
result_children_ids = [] result_children_ids = []
for result_room in result["rooms"]: for result_room in result["rooms"]:
# Ensure federation results are not leaking over the client-server API.
self.assertNotIn("allowed_room_ids", result_room)
result_room_ids.append(result_room["room_id"]) result_room_ids.append(result_room["room_id"])
result_children_ids.append( result_children_ids.append(
[ [