Verify `?chunk_id` actually corresponds to an insertion event that exists (MSC2716) (#10776)

Eric Eastwood 2021-09-15 03:34:30 -05:00 committed by GitHub
parent 1c555527b3
commit 145c006ef7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 51 additions and 1 deletions


@ -0,0 +1 @@
Only allow the [MSC2716](https://github.com/matrix-org/matrix-doc/pull/2716) `/batch_send?chunk_id=xxx` endpoint to connect to an already existing insertion event.


@ -300,7 +300,18 @@ class RoomBatchSendEventRestServlet(RestServlet):
# event, which causes the HS to ask for the state at the start of
# the chunk later.
prev_event_ids = [fake_prev_event_id]
# TODO: Verify the chunk_id_from_query corresponds to an insertion event
# Verify the chunk_id_from_query corresponds to an actual insertion event
# and have the chunk connected.
corresponding_insertion_event_id = (
await self.store.get_insertion_event_by_chunk_id(chunk_id_from_query)
)
if corresponding_insertion_event_id is None:
raise SynapseError(
400,
"No insertion event corresponds to the given ?chunk_id",
errcode=Codes.INVALID_PARAM,
)
pass
# Otherwise, create an insertion event to act as a starting point.
#
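Review bot: The new lookup is keyed only on the chunk ID, so a `?chunk_id` that belongs to an insertion event in a different room would, as far as this page shows, pass the check and let the batch connect to it. `get_insertion_event_by_chunk_id(chunk_id_from_query)` takes no room argument and the new store method filters on `next_chunk_id` alone; consider passing the request's room through and adding it to `keyvalues` (assuming `insertion_events` records the room), or checking the returned event's room before continuing. The `pass` left after the `raise` block is now dead and can be removed. The enclosing handler starts and ends outside the hunk, so any room check elsewhere in it is not visible here.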


@ -61,6 +61,7 @@ from .registration import RegistrationStore
from .rejections import RejectionsStore
from .relations import RelationsStore
from .room import RoomStore
from .room_batch import RoomBatchStore
from .roommember import RoomMemberStore
from .search import SearchStore
from .session import SessionStore
@ -81,6 +82,7 @@ class DataStore(
EventsBackgroundUpdatesStore,
RoomMemberStore,
RoomStore,
RoomBatchStore,
RegistrationStore,
StreamStore,
ProfileStore,


@ -0,0 +1,36 @@
# Copyright 2021 The Matrix.org Foundation C.I.C.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from typing import Optional
from synapse.storage._base import SQLBaseStore
class RoomBatchStore(SQLBaseStore):
async def get_insertion_event_by_chunk_id(self, chunk_id: str) -> Optional[str]:
"""Retrieve a insertion event ID.
Args:
chunk_id: The chunk ID of the insertion event to retrieve.
Returns:
The event_id of an insertion event, or None if there is no known
insertion event for the given insertion event.
"""
return await self.db_pool.simple_select_one_onecol(
table="insertion_events",
keyvalues={"next_chunk_id": chunk_id},
retcol="event_id",
allow_none=True,
)
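Review bot: The docstring's Returns text says "no known insertion event for the given insertion event", which should read "for the given chunk ID", and the summary line has a typo ("a insertion"); something like `"""Retrieve the event ID of the insertion event whose next_chunk_id matches."""` states the contract more exactly. It would also help to add a comment on uniqueness: the method returns a single `event_id`, but nothing visible here guarantees `next_chunk_id` is unique in `insertion_events`. If two rows can share a chunk ID, the caller presumably gets whichever row the `simple_select_one_onecol` helper picks, so the validation that depends on this lookup would be ambiguous.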