Check if group IDs are valid before using them. (#8977)

Patrick Cloke 2020-12-30 08:39:59 -05:00 committed by GitHub
parent 637282bb50
commit b7c580e333
3 changed files with 47 additions and 4 deletions

changelog.d/8977.bugfix Normal file

@ -0,0 +1 @@
Properly return 400 errors on invalid group IDs.


@ -29,7 +29,7 @@ def _create_rerouter(func_name):
async def f(self, group_id, *args, **kwargs): async def f(self, group_id, *args, **kwargs):
if not GroupID.is_valid(group_id): if not GroupID.is_valid(group_id):
raise SynapseError(400, "%s was not legal group ID" % (group_id,)) raise SynapseError(400, "%s is not a legal group ID" % (group_id,))
if self.is_mine_id(group_id): if self.is_mine_id(group_id):
return await getattr(self.groups_server_handler, func_name)( return await getattr(self.groups_server_handler, func_name)(


@ -15,6 +15,7 @@
# limitations under the License. # limitations under the License.
import logging import logging
from functools import wraps
from synapse.api.errors import SynapseError from synapse.api.errors import SynapseError
from synapse.http.servlet import RestServlet, parse_json_object_from_request from synapse.http.servlet import RestServlet, parse_json_object_from_request
@ -25,6 +26,22 @@ from ._base import client_patterns
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
def _validate_group_id(f):
"""Wrapper to validate the form of the group ID.
Can be applied to any on_FOO methods that accepts a group ID as a URL parameter.
"""
@wraps(f)
def wrapper(self, request, group_id, *args, **kwargs):
if not GroupID.is_valid(group_id):
raise SynapseError(400, "%s is not a legal group ID" % (group_id,))
return f(self, request, group_id, *args, **kwargs)
return wrapper
class GroupServlet(RestServlet): class GroupServlet(RestServlet):
"""Get the group profile """Get the group profile
""" """
@ -37,6 +54,7 @@ class GroupServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_GET(self, request, group_id): async def on_GET(self, request, group_id):
requester = await self.auth.get_user_by_req(request, allow_guest=True) requester = await self.auth.get_user_by_req(request, allow_guest=True)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -47,6 +65,7 @@ class GroupServlet(RestServlet):
return 200, group_description return 200, group_description
@_validate_group_id
async def on_POST(self, request, group_id): async def on_POST(self, request, group_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -71,6 +90,7 @@ class GroupSummaryServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_GET(self, request, group_id): async def on_GET(self, request, group_id):
requester = await self.auth.get_user_by_req(request, allow_guest=True) requester = await self.auth.get_user_by_req(request, allow_guest=True)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -102,6 +122,7 @@ class GroupSummaryRoomsCatServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_PUT(self, request, group_id, category_id, room_id): async def on_PUT(self, request, group_id, category_id, room_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -117,6 +138,7 @@ class GroupSummaryRoomsCatServlet(RestServlet):
return 200, resp return 200, resp
@_validate_group_id
async def on_DELETE(self, request, group_id, category_id, room_id): async def on_DELETE(self, request, group_id, category_id, room_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -142,6 +164,7 @@ class GroupCategoryServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_GET(self, request, group_id, category_id): async def on_GET(self, request, group_id, category_id):
requester = await self.auth.get_user_by_req(request, allow_guest=True) requester = await self.auth.get_user_by_req(request, allow_guest=True)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -152,6 +175,7 @@ class GroupCategoryServlet(RestServlet):
return 200, category return 200, category
@_validate_group_id
async def on_PUT(self, request, group_id, category_id): async def on_PUT(self, request, group_id, category_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -163,6 +187,7 @@ class GroupCategoryServlet(RestServlet):
return 200, resp return 200, resp
@_validate_group_id
async def on_DELETE(self, request, group_id, category_id): async def on_DELETE(self, request, group_id, category_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -186,6 +211,7 @@ class GroupCategoriesServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_GET(self, request, group_id): async def on_GET(self, request, group_id):
requester = await self.auth.get_user_by_req(request, allow_guest=True) requester = await self.auth.get_user_by_req(request, allow_guest=True)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -209,6 +235,7 @@ class GroupRoleServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_GET(self, request, group_id, role_id): async def on_GET(self, request, group_id, role_id):
requester = await self.auth.get_user_by_req(request, allow_guest=True) requester = await self.auth.get_user_by_req(request, allow_guest=True)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -219,6 +246,7 @@ class GroupRoleServlet(RestServlet):
return 200, category return 200, category
@_validate_group_id
async def on_PUT(self, request, group_id, role_id): async def on_PUT(self, request, group_id, role_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -230,6 +258,7 @@ class GroupRoleServlet(RestServlet):
return 200, resp return 200, resp
@_validate_group_id
async def on_DELETE(self, request, group_id, role_id): async def on_DELETE(self, request, group_id, role_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -253,6 +282,7 @@ class GroupRolesServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_GET(self, request, group_id): async def on_GET(self, request, group_id):
requester = await self.auth.get_user_by_req(request, allow_guest=True) requester = await self.auth.get_user_by_req(request, allow_guest=True)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -284,6 +314,7 @@ class GroupSummaryUsersRoleServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_PUT(self, request, group_id, role_id, user_id): async def on_PUT(self, request, group_id, role_id, user_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -299,6 +330,7 @@ class GroupSummaryUsersRoleServlet(RestServlet):
return 200, resp return 200, resp
@_validate_group_id
async def on_DELETE(self, request, group_id, role_id, user_id): async def on_DELETE(self, request, group_id, role_id, user_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -322,13 +354,11 @@ class GroupRoomServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_GET(self, request, group_id): async def on_GET(self, request, group_id):
requester = await self.auth.get_user_by_req(request, allow_guest=True) requester = await self.auth.get_user_by_req(request, allow_guest=True)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
if not GroupID.is_valid(group_id):
raise SynapseError(400, "%s was not legal group ID" % (group_id,))
result = await self.groups_handler.get_rooms_in_group( result = await self.groups_handler.get_rooms_in_group(
group_id, requester_user_id group_id, requester_user_id
) )
@ -348,6 +378,7 @@ class GroupUsersServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_GET(self, request, group_id): async def on_GET(self, request, group_id):
requester = await self.auth.get_user_by_req(request, allow_guest=True) requester = await self.auth.get_user_by_req(request, allow_guest=True)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -371,6 +402,7 @@ class GroupInvitedUsersServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_GET(self, request, group_id): async def on_GET(self, request, group_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -393,6 +425,7 @@ class GroupSettingJoinPolicyServlet(RestServlet):
self.auth = hs.get_auth() self.auth = hs.get_auth()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_PUT(self, request, group_id): async def on_PUT(self, request, group_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -449,6 +482,7 @@ class GroupAdminRoomsServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_PUT(self, request, group_id, room_id): async def on_PUT(self, request, group_id, room_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -460,6 +494,7 @@ class GroupAdminRoomsServlet(RestServlet):
return 200, result return 200, result
@_validate_group_id
async def on_DELETE(self, request, group_id, room_id): async def on_DELETE(self, request, group_id, room_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -486,6 +521,7 @@ class GroupAdminRoomsConfigServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_PUT(self, request, group_id, room_id, config_key): async def on_PUT(self, request, group_id, room_id, config_key):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -514,6 +550,7 @@ class GroupAdminUsersInviteServlet(RestServlet):
self.store = hs.get_datastore() self.store = hs.get_datastore()
self.is_mine_id = hs.is_mine_id self.is_mine_id = hs.is_mine_id
@_validate_group_id
async def on_PUT(self, request, group_id, user_id): async def on_PUT(self, request, group_id, user_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -541,6 +578,7 @@ class GroupAdminUsersKickServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_PUT(self, request, group_id, user_id): async def on_PUT(self, request, group_id, user_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -565,6 +603,7 @@ class GroupSelfLeaveServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_PUT(self, request, group_id): async def on_PUT(self, request, group_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -589,6 +628,7 @@ class GroupSelfJoinServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_PUT(self, request, group_id): async def on_PUT(self, request, group_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -613,6 +653,7 @@ class GroupSelfAcceptInviteServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.groups_handler = hs.get_groups_local_handler() self.groups_handler = hs.get_groups_local_handler()
@_validate_group_id
async def on_PUT(self, request, group_id): async def on_PUT(self, request, group_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
@ -637,6 +678,7 @@ class GroupSelfUpdatePublicityServlet(RestServlet):
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.store = hs.get_datastore() self.store = hs.get_datastore()
@_validate_group_id
async def on_PUT(self, request, group_id): async def on_PUT(self, request, group_id):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
requester_user_id = requester.user.to_string() requester_user_id = requester.user.to_string()
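Review bot: `_validate_group_id` (the hunk at `@ -25,6 +26,22 @@`) runs the format check before the decorated handler reaches `self.auth.get_user_by_req`, so an unauthenticated request with a malformed group ID now gets a 400 where it would otherwise get the authentication error; if that ordering is intended, the docstring should say so, e.g. `Note: the check runs before the wrapped handler authenticates the request.`, and if not, the check belongs after the auth call in each handler. The wrapper is a plain `def` that returns the coroutine, so the `SynapseError` is raised when the handler is called rather than when it is awaited; that is probably harmless where the call and the await sit in one expression, but an `async def wrapper` with `return await f(self, request, group_id, *args, **kwargs)` keeps the error path identical to the handlers it wraps. The `SynapseError(400, ...)` is raised without an errcode, so clients see the generic `M_UNKNOWN`; passing `Codes.INVALID_PARAM` (imported alongside `SynapseError`) would let them distinguish the malformed-ID case, and the same applies to the rerouter message in the first hunk of the previous file.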