Merge pull request #524 from matrix-org/hs/mention-spam-protection

Add protection for mention spam
2024-10-01 01:36:06 -04:00 · 2024-09-20 13:00:27 +01:00 · 2024-09-20 13:00:27 +01:00 · 5ecdb8d581
commit 5ecdb8d581
parent f66ac77a79 768947529b
3 changed files with 176 additions and 2 deletions
--- a/src/protections/MentionSpam.ts
+++ b/src/protections/MentionSpam.ts
@ -0,0 +1,71 @@
+/*
+Copyright 2024 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import { Protection } from "./IProtection";
+import { Mjolnir } from "../Mjolnir";
+import { LogLevel, Permalinks, UserID } from "@vector-im/matrix-bot-sdk";
+import { NumberProtectionSetting } from "./ProtectionSettings";
+
+export const DEFAULT_MAX_MENTIONS = 10;
+
+export class MentionSpam extends Protection {
+
+    settings = {
+        maxMentions: new NumberProtectionSetting(DEFAULT_MAX_MENTIONS, 1),
+    };
+
+    constructor() {
+        super();
+    }
+
+    public get name(): string {
+        return 'MentionSpam';
+    }
+    public get description(): string {
+        return "If a user posts many mentions, that message is redacted. No bans are issued.";
+    }
+
+    public checkMentions(body: unknown|undefined, htmlBody: unknown|undefined, mentionArray: unknown|undefined): boolean {
+        const max = this.settings.maxMentions.value;
+        if (Array.isArray(mentionArray) && mentionArray.length > max) {
+            return true;
+        }
+        if (typeof body === "string" && body.split('@').length - 1 > max) {
+            return true;
+        }
+        if (typeof htmlBody === "string" && htmlBody.split('%40').length - 1 > max) {
+            return true;
+        }
+        return false;
+    }
+
+    public async handleEvent(mjolnir: Mjolnir, roomId: string, event: any): Promise<any> {
+        if (event['type'] === 'm.room.message') {
+            let content = event['content'] || {};
+            const explicitMentions = content["m.mentions"]?.user_ids;
+            const hitLimit = this.checkMentions(content.body, content.formatted_body, explicitMentions);
+            if (hitLimit) {
+                await mjolnir.managementRoomOutput.logMessage(LogLevel.WARN, "MentionSpam", `Redacting event from ${event['sender']} for spamming mentions. ${Permalinks.forEvent(roomId, event['event_id'], [new UserID(await mjolnir.client.getUserId()).domain])}`);
+                // Redact the event
+                if (!mjolnir.config.noop) {
+                    await mjolnir.client.redactEvent(roomId, event['event_id'], "Message was detected as spam.");
+                } else {
+                    await mjolnir.managementRoomOutput.logMessage(LogLevel.WARN, "MentionSpam", `Tried to redact ${event['event_id']} in ${roomId} but Mjolnir is running in no-op mode`, roomId);
+                }
+            }
+        }
+    }
+}
--- a/src/protections/ProtectionManager.ts
+++ b/src/protections/ProtectionManager.ts
@ -1,5 +1,5 @@
 /*
-Copyright 2019 - 2022 The Matrix.org Foundation C.I.C.
+Copyright 2019 - 2024 The Matrix.org Foundation C.I.C.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -32,6 +32,7 @@ import { ERROR_KIND_FATAL, ERROR_KIND_PERMISSION } from "../ErrorCache";
 import { RoomUpdateError } from "../models/RoomUpdateError";
 import { LocalAbuseReports } from "./LocalAbuseReports";
 import {NsfwProtection} from "./NsfwProtection";
+import { MentionSpam } from "./MentionSpam";

 const PROTECTIONS: Protection[] = [
    new FirstMessageIsImage(),
@ -43,7 +44,8 @@ const PROTECTIONS: Protection[] = [
    new DetectFederationLag(),
    new JoinWaveShortCircuit(),
    new LocalAbuseReports(),
-    new NsfwProtection()
+    new NsfwProtection(),
+    new MentionSpam()
 ];

 const ENABLED_PROTECTIONS_EVENT_TYPE = "org.matrix.mjolnir.enabled_protections";
--- a/test/integration/mentionSpamProtectionTest.ts
+++ b/test/integration/mentionSpamProtectionTest.ts
@ -0,0 +1,101 @@
+import {newTestUser} from "./clientHelper";
+
+import {MatrixClient} from "@vector-im/matrix-bot-sdk";
+import {getFirstReaction} from "./commands/commandUtils";
+import {strict as assert} from "assert";
+import { DEFAULT_MAX_MENTIONS } from "../../src/protections/MentionSpam";
+
+describe("Test: Mention spam protection", function () {
+    let client: MatrixClient;
+    let room: string;
+    this.beforeEach(async function () {
+        client = await newTestUser(this.config.homeserverUrl, {name: {contains: "mention-spam-protection"}});
+        await client.start();
+        const mjolnirId = await this.mjolnir.client.getUserId();
+        room = await client.createRoom({ invite: [mjolnirId] });
+        await client.joinRoom(room);
+        await client.joinRoom(this.config.managementRoom);
+        await client.setUserPowerLevel(mjolnirId, room, 100);
+    })
+    this.afterEach(async function () {
+        await client.stop();
+    })
+
+    function delay(ms: number) {
+        return new Promise(resolve => setTimeout(resolve, ms));
+    }
+
+
+    it("does not redact a normal message", async function() {
+        await client.sendMessage(this.mjolnir.managementRoomId, { msgtype: 'm.text', body: `!mjolnir rooms add ${room}` });
+        await getFirstReaction(client, this.mjolnir.managementRoomId, '✅', async () => {
+                return await client.sendMessage(this.mjolnir.managementRoomId, { msgtype: 'm.text', body: "!mjolnir enable MentionSpam" });
+        });
+        const testMessage = await client.sendText(room, 'Hello world');
+
+        await delay(500);
+
+        const fetchedEvent = await client.getEvent(room, testMessage);
+        assert.equal(Object.keys(fetchedEvent.content).length, 2, "This event should not have been redacted");
+    });
+
+    it("does not redact a message with some mentions", async function() {
+        await client.sendMessage(this.mjolnir.managementRoomId, { msgtype: 'm.text', body: `!mjolnir rooms add ${room}` });
+        await getFirstReaction(client, this.mjolnir.managementRoomId, '✅', async () => {
+                return await client.sendMessage(this.mjolnir.managementRoomId, { msgtype: 'm.text', body: "!mjolnir enable MentionSpam" });
+        });
+        // Also covers HTML mentions
+        const mentionUsers = Array.from({length: DEFAULT_MAX_MENTIONS}, (_, i) => `@user${i}:example.org`);
+        const messageWithTextMentions = await client.sendText(room, mentionUsers.join(' '));
+        const messageWithHTMLMentions = await client.sendHtmlText(room, 
+            mentionUsers.map(u => `<a href=\"https://matrix.to/#/${encodeURIComponent(u)}\">${u}</a>`).join(' '));
+        const messageWithMMentions = await client.sendMessage(room, {
+            msgtype: 'm.text',
+            body: 'Hello world',
+            ['m.mentions']: {
+                user_ids: mentionUsers
+            }
+        });
+
+        await delay(500);
+
+        const fetchedTextEvent = await client.getEvent(room, messageWithTextMentions);
+        assert.equal(Object.keys(fetchedTextEvent.content).length, 2, "This event should not have been redacted");
+
+        const fetchedHTMLEvent = await client.getEvent(room, messageWithHTMLMentions);
+        assert.equal(Object.keys(fetchedHTMLEvent.content).length, 4, "This event should not have been redacted");
+
+        const fetchedMentionsEvent = await client.getEvent(room, messageWithMMentions);
+        assert.equal(Object.keys(fetchedMentionsEvent.content).length, 3, "This event should not have been redacted");
+    });
+
+    it("does redact a message with too many mentions", async function() {
+        await client.sendMessage(this.mjolnir.managementRoomId, { msgtype: 'm.text', body: `!mjolnir rooms add ${room}` });
+        await getFirstReaction(client, this.mjolnir.managementRoomId, '✅', async () => {
+                return await client.sendMessage(this.mjolnir.managementRoomId, { msgtype: 'm.text', body: "!mjolnir enable MentionSpam" });
+        });
+        // Also covers HTML mentions
+        const mentionUsers = Array.from({length: DEFAULT_MAX_MENTIONS+1}, (_, i) => `@user${i}:example.org`);
+        const messageWithTextMentions = await client.sendText(room, mentionUsers.join(' '));
+        const messageWithHTMLMentions = await client.sendHtmlText(room, 
+            mentionUsers.map(u => `<a href=\"https://matrix.to/#/${encodeURIComponent(u)}\">${u}</a>`).join(' '));
+        const messageWithMMentions = await client.sendMessage(room, {
+            msgtype: 'm.text',
+            body: 'Hello world',
+            ['m.mentions']: {
+                user_ids: mentionUsers
+            }
+        });
+
+        await delay(500);
+
+        const fetchedTextEvent = await client.getEvent(room, messageWithTextMentions);
+        assert.equal(Object.keys(fetchedTextEvent.content).length, 0, "This event should have been redacted");
+
+        const fetchedHTMLEvent = await client.getEvent(room, messageWithHTMLMentions);
+        assert.equal(Object.keys(fetchedHTMLEvent.content).length, 0, "This event should have been redacted");
+
+        const fetchedMentionsEvent = await client.getEvent(room, messageWithMMentions);
+        assert.equal(Object.keys(fetchedMentionsEvent.content).length, 0, "This event should have been redacted");
+    });
+});