Check if group IDs are valid before using them. (#8977)
This commit is contained in:
parent
637282bb50
commit
b7c580e333
1
changelog.d/8977.bugfix
Normal file
1
changelog.d/8977.bugfix
Normal file
@ -0,0 +1 @@
|
||||
Properly return 400 errors on invalid group IDs.
|
@ -29,7 +29,7 @@ def _create_rerouter(func_name):
|
||||
|
||||
async def f(self, group_id, *args, **kwargs):
|
||||
if not GroupID.is_valid(group_id):
|
||||
raise SynapseError(400, "%s was not legal group ID" % (group_id,))
|
||||
raise SynapseError(400, "%s is not a legal group ID" % (group_id,))
|
||||
|
||||
if self.is_mine_id(group_id):
|
||||
return await getattr(self.groups_server_handler, func_name)(
|
||||
|
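Review bot: The `raise SynapseError(400, "%s is not a legal group ID" % (group_id,))` line sends the 400 without an explicit errcode, so a client sees whatever `SynapseError` defaults to (presumably `M_UNKNOWN`) rather than the spec's `M_INVALID_PARAM`, which is what a syntactically bad path parameter should report. Suggest `raise SynapseError(400, "%s is not a legal group ID" % (group_id,), Codes.INVALID_PARAM)`, assuming `Codes` from `synapse.api.errors` is available in this module (its import block is outside the hunk). Note that the rejected value is the raw client-supplied `group_id` echoed back in the error body, which is fine for a JSON API response but worth keeping out of any log line at warning level or above. The enclosing `f` coroutine and `_create_rerouter` both continue outside this hunk.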
@ -15,6 +15,7 @@
|
||||
# limitations under the License.
|
||||
|
||||
import logging
|
||||
from functools import wraps
|
||||
|
||||
from synapse.api.errors import SynapseError
|
||||
from synapse.http.servlet import RestServlet, parse_json_object_from_request
|
||||
@ -25,6 +26,22 @@ from ._base import client_patterns
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def _validate_group_id(f):
|
||||
"""Wrapper to validate the form of the group ID.
|
||||
|
||||
Can be applied to any on_FOO methods that accepts a group ID as a URL parameter.
|
||||
"""
|
||||
|
||||
@wraps(f)
|
||||
def wrapper(self, request, group_id, *args, **kwargs):
|
||||
if not GroupID.is_valid(group_id):
|
||||
raise SynapseError(400, "%s is not a legal group ID" % (group_id,))
|
||||
|
||||
return f(self, request, group_id, *args, **kwargs)
|
||||
|
||||
return wrapper
|
||||
|
||||
|
||||
class GroupServlet(RestServlet):
|
||||
"""Get the group profile
|
||||
"""
|
||||
@ -37,6 +54,7 @@ class GroupServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_GET(self, request, group_id):
|
||||
requester = await self.auth.get_user_by_req(request, allow_guest=True)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -47,6 +65,7 @@ class GroupServlet(RestServlet):
|
||||
|
||||
return 200, group_description
|
||||
|
||||
@_validate_group_id
|
||||
async def on_POST(self, request, group_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -71,6 +90,7 @@ class GroupSummaryServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_GET(self, request, group_id):
|
||||
requester = await self.auth.get_user_by_req(request, allow_guest=True)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -102,6 +122,7 @@ class GroupSummaryRoomsCatServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_PUT(self, request, group_id, category_id, room_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -117,6 +138,7 @@ class GroupSummaryRoomsCatServlet(RestServlet):
|
||||
|
||||
return 200, resp
|
||||
|
||||
@_validate_group_id
|
||||
async def on_DELETE(self, request, group_id, category_id, room_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -142,6 +164,7 @@ class GroupCategoryServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_GET(self, request, group_id, category_id):
|
||||
requester = await self.auth.get_user_by_req(request, allow_guest=True)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -152,6 +175,7 @@ class GroupCategoryServlet(RestServlet):
|
||||
|
||||
return 200, category
|
||||
|
||||
@_validate_group_id
|
||||
async def on_PUT(self, request, group_id, category_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -163,6 +187,7 @@ class GroupCategoryServlet(RestServlet):
|
||||
|
||||
return 200, resp
|
||||
|
||||
@_validate_group_id
|
||||
async def on_DELETE(self, request, group_id, category_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -186,6 +211,7 @@ class GroupCategoriesServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_GET(self, request, group_id):
|
||||
requester = await self.auth.get_user_by_req(request, allow_guest=True)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -209,6 +235,7 @@ class GroupRoleServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_GET(self, request, group_id, role_id):
|
||||
requester = await self.auth.get_user_by_req(request, allow_guest=True)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -219,6 +246,7 @@ class GroupRoleServlet(RestServlet):
|
||||
|
||||
return 200, category
|
||||
|
||||
@_validate_group_id
|
||||
async def on_PUT(self, request, group_id, role_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -230,6 +258,7 @@ class GroupRoleServlet(RestServlet):
|
||||
|
||||
return 200, resp
|
||||
|
||||
@_validate_group_id
|
||||
async def on_DELETE(self, request, group_id, role_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -253,6 +282,7 @@ class GroupRolesServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_GET(self, request, group_id):
|
||||
requester = await self.auth.get_user_by_req(request, allow_guest=True)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -284,6 +314,7 @@ class GroupSummaryUsersRoleServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_PUT(self, request, group_id, role_id, user_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -299,6 +330,7 @@ class GroupSummaryUsersRoleServlet(RestServlet):
|
||||
|
||||
return 200, resp
|
||||
|
||||
@_validate_group_id
|
||||
async def on_DELETE(self, request, group_id, role_id, user_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -322,13 +354,11 @@ class GroupRoomServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_GET(self, request, group_id):
|
||||
requester = await self.auth.get_user_by_req(request, allow_guest=True)
|
||||
requester_user_id = requester.user.to_string()
|
||||
|
||||
if not GroupID.is_valid(group_id):
|
||||
raise SynapseError(400, "%s was not legal group ID" % (group_id,))
|
||||
|
||||
result = await self.groups_handler.get_rooms_in_group(
|
||||
group_id, requester_user_id
|
||||
)
|
||||
@ -348,6 +378,7 @@ class GroupUsersServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_GET(self, request, group_id):
|
||||
requester = await self.auth.get_user_by_req(request, allow_guest=True)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -371,6 +402,7 @@ class GroupInvitedUsersServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_GET(self, request, group_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -393,6 +425,7 @@ class GroupSettingJoinPolicyServlet(RestServlet):
|
||||
self.auth = hs.get_auth()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_PUT(self, request, group_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -449,6 +482,7 @@ class GroupAdminRoomsServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_PUT(self, request, group_id, room_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -460,6 +494,7 @@ class GroupAdminRoomsServlet(RestServlet):
|
||||
|
||||
return 200, result
|
||||
|
||||
@_validate_group_id
|
||||
async def on_DELETE(self, request, group_id, room_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -486,6 +521,7 @@ class GroupAdminRoomsConfigServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_PUT(self, request, group_id, room_id, config_key):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -514,6 +550,7 @@ class GroupAdminUsersInviteServlet(RestServlet):
|
||||
self.store = hs.get_datastore()
|
||||
self.is_mine_id = hs.is_mine_id
|
||||
|
||||
@_validate_group_id
|
||||
async def on_PUT(self, request, group_id, user_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -541,6 +578,7 @@ class GroupAdminUsersKickServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_PUT(self, request, group_id, user_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -565,6 +603,7 @@ class GroupSelfLeaveServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_PUT(self, request, group_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -589,6 +628,7 @@ class GroupSelfJoinServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_PUT(self, request, group_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -613,6 +653,7 @@ class GroupSelfAcceptInviteServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.groups_handler = hs.get_groups_local_handler()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_PUT(self, request, group_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
@ -637,6 +678,7 @@ class GroupSelfUpdatePublicityServlet(RestServlet):
|
||||
self.clock = hs.get_clock()
|
||||
self.store = hs.get_datastore()
|
||||
|
||||
@_validate_group_id
|
||||
async def on_PUT(self, request, group_id):
|
||||
requester = await self.auth.get_user_by_req(request)
|
||||
requester_user_id = requester.user.to_string()
|
||||
|
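Review bot: `_validate_group_id` wraps `async def on_FOO` methods with a plain `def wrapper`, so a malformed group ID raises synchronously at the call site instead of from the awaited coroutine, and every decorated servlet method stops being a coroutine function (`inspect.iscoroutinefunction` will report False), which is a trap for any caller or test that checks that. Declaring it `async def wrapper(self, request, group_id, *args, **kwargs):` and finishing with `return await f(self, request, group_id, *args, **kwargs)` keeps the failure inside the awaited path and preserves the methods' coroutine nature. The same `SynapseError(400, ...)` in the wrapper carries no errcode; `Codes.INVALID_PARAM` would be the spec-appropriate one if `Codes` is importable here (the import block is only partly visible). One behavioural consequence worth a sentence in the decorator docstring: validation now runs before `self.auth.get_user_by_req`, so an unauthenticated request with a bad ID gets 400 rather than 401, whereas `GroupRoomServlet.on_GET` previously checked after authentication; that is reasonable for a purely syntactic check but it is a deliberate ordering and should be stated. The servlet classes continue outside each hunk, so whether any other `on_FOO` taking a `group_id` was left undecorated cannot be confirmed from here.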