Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Prevent clients from reporting nonexistent events. #13779

Merged
merged 5 commits into from
Feb 14, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/13779.bugfix
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Prevent clients from reporting nonexistent events.
11 changes: 10 additions & 1 deletion synapse/rest/client/report_event.py
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
from http import HTTPStatus
from typing import TYPE_CHECKING, Tuple

from synapse.api.errors import Codes, SynapseError
from synapse.api.errors import Codes, NotFoundError, SynapseError
from synapse.http.server import HttpServer
from synapse.http.servlet import RestServlet, parse_json_object_from_request
from synapse.http.site import SynapseRequest
Expand All @@ -39,6 +39,7 @@ def __init__(self, hs: "HomeServer"):
self.auth = hs.get_auth()
self.clock = hs.get_clock()
self.store = hs.get_datastores().main
self._event_handler = self.hs.get_event_handler()

async def on_POST(
self, request: SynapseRequest, room_id: str, event_id: str
Expand All @@ -61,6 +62,14 @@ async def on_POST(
Codes.BAD_JSON,
)

event = await self._event_handler.get_event(
requester.user, room_id, event_id, show_redacted=False
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could see cases where it's useful to be able to report an event that's been redacted. We keep redacted events in db for a few days (7 by default iirc) before purging them, so someone might want to report them to bring them up to the server's admins/T&S team, or their report might be racing with the redaction, etc.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't care about fetching the redacted content here: this doesn't ignore redacted events, it just returns the redacted version (but since we only do this to check the event exists, it's OK I believe)

)
if event is None:
raise NotFoundError(
"Unable to report event: it does not exist or you aren't able to see it."
)
Comment on lines +69 to +71
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't really part of the spec, but I guess a 404 is reasonable?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, best I can think of short of speccing something


await self.store.add_event_report(
room_id=room_id,
event_id=event_id,
Expand Down
12 changes: 12 additions & 0 deletions tests/rest/client/test_report_event.py
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,18 @@ def test_reason_and_score_null(self) -> None:
data = {"reason": None, "score": None}
self._assert_status(400, data)

def test_cannot_report_nonexistent_event(self) -> None:
"""
Tests that we don't accept event reports for events which do not exist.
"""
channel = self.make_request(
"POST",
f"rooms/{self.room_id}/report/$nonsenseeventid:test",
{"reason": "i am very sad"},
access_token=self.other_user_tok,
)
self.assertEqual(404, channel.code, msg=channel.result["body"])

def _assert_status(self, response_status: int, data: JsonDict) -> None:
channel = self.make_request(
"POST", self.report_path, data, access_token=self.other_user_tok
Expand Down