From 2d12148afc187a8e53355a2cd3c0118e0d5f4965 Mon Sep 17 00:00:00 2001
From: Erik Johnston
Date: Mon, 28 Feb 2022 13:36:12 +0000
Subject: [PATCH 1/3] Limit the size of the aggregation_key

There's no reason to let people use long keys.
---
 synapse/handlers/message.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/synapse/handlers/message.py b/synapse/handlers/message.py
index a9c964cd7533..b8912b028f28 100644
--- a/synapse/handlers/message.py
+++ b/synapse/handlers/message.py
@@ -1073,6 +1073,9 @@ async def _validate_event_relation(self, event: EventBase) -> None:
 if already_exists:
 raise SynapseError(400, "Can't send same reaction twice")
 
+ if len(aggregation_key) > 500:
+ raise SynapseError(400, "Aggregation key is too long")
+
 # Don't attempt to start a thread if the parent event is a relation.
 elif relation_type == RelationTypes.THREAD:
 if await self.store.event_includes_relation(relates_to):

From fbd303819eb46a231de318edecc0c5981dbab636 Mon Sep 17 00:00:00 2001
From: Erik Johnston
Date: Mon, 28 Feb 2022 13:43:45 +0000
Subject: [PATCH 2/3] Newsfile

---
 changelog.d/12101.misc | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/12101.misc

diff --git a/changelog.d/12101.misc b/changelog.d/12101.misc
new file mode 100644
index 000000000000..d165f73d13e8
--- /dev/null
+++ b/changelog.d/12101.misc
@@ -0,0 +1 @@
+Limit the size of `aggregation_key` on annotations.

From 94f02ac8fba725118855c05ec8251db38de08f06 Mon Sep 17 00:00:00 2001
From: Erik Johnston
Date: Mon, 28 Feb 2022 14:05:36 +0000
Subject: [PATCH 3/3] Move check

---
 synapse/handlers/message.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/synapse/handlers/message.py b/synapse/handlers/message.py
index b8912b028f28..9c5fa72e1218 100644
--- a/synapse/handlers/message.py
+++ b/synapse/handlers/message.py
@@ -1067,15 +1067,15 @@ async def _validate_event_relation(self, event: EventBase) -> None:
 if relation_type == RelationTypes.ANNOTATION:
 aggregation_key = relation["key"]
 
+ if len(aggregation_key) > 500:
+ raise SynapseError(400, "Aggregation key is too long")
+
 already_exists = await self.store.has_user_annotated_event(
 relates_to, event.type, aggregation_key, event.sender
 )
 if already_exists:
 raise SynapseError(400, "Can't send same reaction twice")
 
- if len(aggregation_key) > 500:
- raise SynapseError(400, "Aggregation key is too long")
-
 # Don't attempt to start a thread if the parent event is a relation.
 elif relation_type == RelationTypes.THREAD:
 if await self.store.event_includes_relation(relates_to):
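Review bot: The new `len(aggregation_key) > 500` test runs on `relation["key"]` exactly as the client sent it, and nothing in this hunk shows that the value is present or a string. A missing key would raise `KeyError` on the context line above, a number or null would raise `TypeError` inside `len()`, and a list or object would be measured by element count, so the limit only bounds string keys. Unless the relation content is validated earlier, outside this hunk, add `if not isinstance(aggregation_key, str): raise SynapseError(400, "Aggregation key must be a string")` before the length test; the same applies to the check as first added in PATCH 1/3. Also, `len()` counts code points, so 500 characters can be up to 2000 bytes of UTF-8; if the limit is meant to bound storage or index size, compare the encoded length and give the 500 a named constant. `_validate_event_relation` starts and ends outside the hunk.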