check user ID server against ACLs for /send_join

Signed-off-by: strawberry <strawberry@puppygock.gay>
2024-05-26 16:25:06 -04:00 · 2024-05-26 16:25:06 -04:00 · bfd471a863
commit bfd471a863
parent 3981e77ec6
1 changed files with 24 additions and 0 deletions
--- a/src/api/server_server.rs
+++ b/src/api/server_server.rs
@ -1092,6 +1092,7 @@ pub(crate) async fn create_join_event_template_route(
 	})
 }

+/// helper method for /send_join v1 and v2
 async fn create_join_event(
 	origin: &ServerName, room_id: &RoomId, pdu: &RawJsonValue,
 ) -> Result<create_join_event::v1::RoomState> {
@ -1125,6 +1126,29 @@ async fn create_join_event(
 		));
 	};

+	// ACL check sender server name
+	let sender: OwnedUserId = serde_json::from_value(
+		value
+			.get("sender")
+			.ok_or_else(|| Error::BadRequest(ErrorKind::InvalidParam, "PDU does not have a sender user/key"))?
+			.clone()
+			.into(),
+	)
+	.map_err(|_| Error::BadRequest(ErrorKind::BadJson, "User ID in sender is invalid"))?;
+
+	services()
+		.rooms
+		.event_handler
+		.acl_check(sender.server_name(), room_id)?;
+
+	// check if origin server is trying to send for another server
+	if sender.server_name() != origin {
+		return Err(Error::BadRequest(
+			ErrorKind::InvalidParam,
+			"Not allowed to join on behalf of another server/user",
+		));
+	}
+
 	ruma::signatures::hash_and_sign_event(
 		services().globals.server_name().as_str(),
 		services().globals.keypair(),