From d70ff5cc3508f4010ca2d19b090f0338e99c1d28 Mon Sep 17 00:00:00 2001
From: David Robertson <davidr@element.io>
Date: Fri, 1 Jul 2022 12:04:56 +0200
Subject: [PATCH] Extra validation for rest/client/account_data (#13148)

* Extra validation for rest/client/account_data

This is a fairly simple endpoint and we did pretty well here.

* Changelog
---
 changelog.d/13148.feature           |  1 +
 synapse/rest/client/account_data.py | 19 +++++++++++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 changelog.d/13148.feature

diff --git a/changelog.d/13148.feature b/changelog.d/13148.feature
new file mode 100644
index 000000000..d1104b04b
--- /dev/null
+++ b/changelog.d/13148.feature
@@ -0,0 +1 @@
+Improve validation logic in Synapse's REST endpoints.
diff --git a/synapse/rest/client/account_data.py b/synapse/rest/client/account_data.py
index bfe985939..f13970b89 100644
--- a/synapse/rest/client/account_data.py
+++ b/synapse/rest/client/account_data.py
@@ -15,11 +15,11 @@
 import logging
 from typing import TYPE_CHECKING, Tuple
 
-from synapse.api.errors import AuthError, NotFoundError, SynapseError
+from synapse.api.errors import AuthError, Codes, NotFoundError, SynapseError
 from synapse.http.server import HttpServer
 from synapse.http.servlet import RestServlet, parse_json_object_from_request
 from synapse.http.site import SynapseRequest
-from synapse.types import JsonDict
+from synapse.types import JsonDict, RoomID
 
 from ._base import client_patterns
 
@@ -104,6 +104,13 @@ class RoomAccountDataServlet(RestServlet):
         if user_id != requester.user.to_string():
             raise AuthError(403, "Cannot add account data for other users.")
 
+        if not RoomID.is_valid(room_id):
+            raise SynapseError(
+                400,
+                f"{room_id} is not a valid room ID",
+                Codes.INVALID_PARAM,
+            )
+
         body = parse_json_object_from_request(request)
 
         if account_data_type == "m.fully_read":
@@ -111,6 +118,7 @@ class RoomAccountDataServlet(RestServlet):
                 405,
                 "Cannot set m.fully_read through this API."
                 " Use /rooms/!roomId:server.name/read_markers",
+                Codes.BAD_JSON,
             )
 
         await self.handler.add_account_data_to_room(
@@ -130,6 +138,13 @@ class RoomAccountDataServlet(RestServlet):
         if user_id != requester.user.to_string():
             raise AuthError(403, "Cannot get account data for other users.")
 
+        if not RoomID.is_valid(room_id):
+            raise SynapseError(
+                400,
+                f"{room_id} is not a valid room ID",
+                Codes.INVALID_PARAM,
+            )
+
         event = await self.store.get_account_data_for_room_and_type(
             user_id, room_id, account_data_type
         )