Additional validation of receipts (#16327)

Reject invalid receipts with a reasonable error message &
expands tests for receipts.
This commit is contained in:
Patrick Cloke 2023-09-18 09:02:12 -04:00 committed by GitHub
parent 4663d55502
commit 63d28a88c1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 241 additions and 165 deletions

1
changelog.d/16327.bugfix Normal file
View file

@ -0,0 +1 @@
Fix a long-standing bug where invalid receipts would be accepted.

View file

@ -37,6 +37,8 @@ class ReceiptsHandler:
self.server_name = hs.config.server.server_name
self.store = hs.get_datastores().main
self.event_auth_handler = hs.get_event_auth_handler()
self.event_handler = hs.get_event_handler()
self._storage_controllers = hs.get_storage_controllers()
self.hs = hs
@ -81,6 +83,20 @@ class ReceiptsHandler:
)
continue
# Let's check that the origin server is in the room before accepting the receipt.
# We don't want to block waiting on a partial state so take an
# approximation if needed.
domains = await self._storage_controllers.state.get_current_hosts_in_room_or_partial_state_approximation(
room_id
)
if origin not in domains:
logger.info(
"Ignoring receipt for room %r from server %s as they're not in the room",
room_id,
origin,
)
continue
for receipt_type, users in room_values.items():
for user_id, user_values in users.items():
if get_domain_from_id(user_id) != origin:
@ -158,17 +174,23 @@ class ReceiptsHandler:
self,
room_id: str,
receipt_type: str,
user_id: str,
user_id: UserID,
event_id: str,
thread_id: Optional[str],
) -> None:
"""Called when a client tells us a local user has read up to the given
event_id in the room.
"""
# Ensure the room/event exists, this will raise an error if the user
# cannot view the event.
if not await self.event_handler.get_event(user_id, room_id, event_id):
return
receipt = ReadReceipt(
room_id=room_id,
receipt_type=receipt_type,
user_id=user_id,
user_id=user_id.to_string(),
event_ids=[event_id],
thread_id=thread_id,
data={"ts": int(self.clock.time_msec())},

View file

@ -84,7 +84,7 @@ class ReadMarkerRestServlet(RestServlet):
await self.receipts_handler.received_client_receipt(
room_id,
receipt_type,
user_id=requester.user.to_string(),
user_id=requester.user,
event_id=event_id,
# Setting the thread ID is not possible with the /read_markers endpoint.
thread_id=None,

View file

@ -108,7 +108,7 @@ class ReceiptRestServlet(RestServlet):
await self.receipts_handler.received_client_receipt(
room_id,
receipt_type,
user_id=requester.user.to_string(),
user_id=requester.user,
event_id=event_id,
thread_id=thread_id,
)

View file

@ -11,11 +11,16 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from http import HTTPStatus
from typing import Optional
from twisted.test.proto_helpers import MemoryReactor
import synapse.rest.admin
from synapse.rest.client import login, receipts, register
from synapse.api.constants import EduTypes, EventTypes, HistoryVisibility, ReceiptTypes
from synapse.rest.client import login, receipts, room, sync
from synapse.server import HomeServer
from synapse.types import JsonDict
from synapse.util import Clock
from tests import unittest
@ -24,30 +29,113 @@ from tests import unittest
class ReceiptsTestCase(unittest.HomeserverTestCase):
servlets = [
login.register_servlets,
register.register_servlets,
receipts.register_servlets,
synapse.rest.admin.register_servlets,
room.register_servlets,
sync.register_servlets,
]
def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:
self.owner = self.register_user("owner", "pass")
self.owner_tok = self.login("owner", "pass")
self.url = "/sync?since=%s"
self.next_batch = "s0"
# Register the first user
self.user_id = self.register_user("kermit", "monkey")
self.tok = self.login("kermit", "monkey")
# Create the room
self.room_id = self.helper.create_room_as(self.user_id, tok=self.tok)
# Register the second user
self.user2 = self.register_user("kermit2", "monkey")
self.tok2 = self.login("kermit2", "monkey")
# Join the second user
self.helper.join(room=self.room_id, user=self.user2, tok=self.tok2)
def test_send_receipt(self) -> None:
# Send a message.
res = self.helper.send(self.room_id, body="hello", tok=self.tok)
# Send a read receipt
channel = self.make_request(
"POST",
f"/rooms/{self.room_id}/receipt/{ReceiptTypes.READ}/{res['event_id']}",
{},
access_token=self.tok2,
)
self.assertEqual(channel.code, 200)
self.assertNotEqual(self._get_read_receipt(), None)
def test_send_receipt_unknown_event(self) -> None:
"""Receipts sent for unknown events are ignored to not break message retention."""
# Attempt to send a receipt to an unknown room.
channel = self.make_request(
"POST",
"/rooms/!abc:beep/receipt/m.read/$def",
content={},
access_token=self.owner_tok,
access_token=self.tok2,
)
self.assertEqual(channel.code, 200, channel.result)
self.assertIsNone(self._get_read_receipt())
# Attempt to send a receipt to an unknown event.
channel = self.make_request(
"POST",
f"/rooms/{self.room_id}/receipt/m.read/$def",
content={},
access_token=self.tok2,
)
self.assertEqual(channel.code, 200, channel.result)
self.assertIsNone(self._get_read_receipt())
def test_send_receipt_unviewable_event(self) -> None:
"""Receipts sent for unviewable events are errors."""
# Create a room where new users can't see events from before their join
# & send events into it.
room_id = self.helper.create_room_as(
self.user_id,
tok=self.tok,
extra_content={
"preset": "private_chat",
"initial_state": [
{
"content": {"history_visibility": HistoryVisibility.JOINED},
"state_key": "",
"type": EventTypes.RoomHistoryVisibility,
}
],
},
)
res = self.helper.send(room_id, body="hello", tok=self.tok)
# Attempt to send a receipt from the wrong user.
channel = self.make_request(
"POST",
f"/rooms/{room_id}/receipt/{ReceiptTypes.READ}/{res['event_id']}",
content={},
access_token=self.tok2,
)
self.assertEqual(channel.code, 403, channel.result)
# Join the user to the room, but they still can't see the event.
self.helper.invite(room_id, self.user_id, self.user2, tok=self.tok)
self.helper.join(room=room_id, user=self.user2, tok=self.tok2)
channel = self.make_request(
"POST",
f"/rooms/{room_id}/receipt/{ReceiptTypes.READ}/{res['event_id']}",
content={},
access_token=self.tok2,
)
self.assertEqual(channel.code, 403, channel.result)
def test_send_receipt_invalid_room_id(self) -> None:
channel = self.make_request(
"POST",
"/rooms/not-a-room-id/receipt/m.read/$def",
content={},
access_token=self.owner_tok,
access_token=self.tok,
)
self.assertEqual(channel.code, 400, channel.result)
self.assertEqual(
@ -59,7 +147,7 @@ class ReceiptsTestCase(unittest.HomeserverTestCase):
"POST",
"/rooms/!abc:beep/receipt/m.read/not-an-event-id",
content={},
access_token=self.owner_tok,
access_token=self.tok,
)
self.assertEqual(channel.code, 400, channel.result)
self.assertEqual(
@ -71,6 +159,123 @@ class ReceiptsTestCase(unittest.HomeserverTestCase):
"POST",
"/rooms/!abc:beep/receipt/invalid-receipt-type/$def",
content={},
access_token=self.owner_tok,
access_token=self.tok,
)
self.assertEqual(channel.code, 400, channel.result)
def test_private_read_receipts(self) -> None:
# Send a message as the first user
res = self.helper.send(self.room_id, body="hello", tok=self.tok)
# Send a private read receipt to tell the server the first user's message was read
channel = self.make_request(
"POST",
f"/rooms/{self.room_id}/receipt/{ReceiptTypes.READ_PRIVATE}/{res['event_id']}",
{},
access_token=self.tok2,
)
self.assertEqual(channel.code, 200)
# Test that the first user can't see the other user's private read receipt
self.assertIsNone(self._get_read_receipt())
def test_public_receipt_can_override_private(self) -> None:
"""
Sending a public read receipt to the same event which has a private read
receipt should cause that receipt to become public.
"""
# Send a message as the first user
res = self.helper.send(self.room_id, body="hello", tok=self.tok)
# Send a private read receipt
channel = self.make_request(
"POST",
f"/rooms/{self.room_id}/receipt/{ReceiptTypes.READ_PRIVATE}/{res['event_id']}",
{},
access_token=self.tok2,
)
self.assertEqual(channel.code, 200)
self.assertIsNone(self._get_read_receipt())
# Send a public read receipt
channel = self.make_request(
"POST",
f"/rooms/{self.room_id}/receipt/{ReceiptTypes.READ}/{res['event_id']}",
{},
access_token=self.tok2,
)
self.assertEqual(channel.code, 200)
# Test that we did override the private read receipt
self.assertNotEqual(self._get_read_receipt(), None)
def test_private_receipt_cannot_override_public(self) -> None:
"""
Sending a private read receipt to the same event which has a public read
receipt should cause no change.
"""
# Send a message as the first user
res = self.helper.send(self.room_id, body="hello", tok=self.tok)
# Send a public read receipt
channel = self.make_request(
"POST",
f"/rooms/{self.room_id}/receipt/{ReceiptTypes.READ}/{res['event_id']}",
{},
access_token=self.tok2,
)
self.assertEqual(channel.code, 200)
self.assertNotEqual(self._get_read_receipt(), None)
# Send a private read receipt
channel = self.make_request(
"POST",
f"/rooms/{self.room_id}/receipt/{ReceiptTypes.READ_PRIVATE}/{res['event_id']}",
{},
access_token=self.tok2,
)
self.assertEqual(channel.code, 200)
# Test that we didn't override the public read receipt
self.assertIsNone(self._get_read_receipt())
def test_read_receipt_with_empty_body_is_rejected(self) -> None:
# Send a message as the first user
res = self.helper.send(self.room_id, body="hello", tok=self.tok)
# Send a read receipt for this message with an empty body
channel = self.make_request(
"POST",
f"/rooms/{self.room_id}/receipt/m.read/{res['event_id']}",
access_token=self.tok2,
)
self.assertEqual(channel.code, HTTPStatus.BAD_REQUEST)
self.assertEqual(channel.json_body["errcode"], "M_NOT_JSON", channel.json_body)
def _get_read_receipt(self) -> Optional[JsonDict]:
"""Syncs and returns the read receipt."""
# Checks if event is a read receipt
def is_read_receipt(event: JsonDict) -> bool:
return event["type"] == EduTypes.RECEIPT
# Sync
channel = self.make_request(
"GET",
self.url % self.next_batch,
access_token=self.tok,
)
self.assertEqual(channel.code, 200)
# Store the next batch for the next request.
self.next_batch = channel.json_body["next_batch"]
if channel.json_body.get("rooms", None) is None:
return None
# Return the read receipt
ephemeral_events = channel.json_body["rooms"]["join"][self.room_id][
"ephemeral"
]["events"]
receipt_event = filter(is_read_receipt, ephemeral_events)
return next(receipt_event, None)

View file

@ -13,8 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
import json
from http import HTTPStatus
from typing import List, Optional
from typing import List
from parameterized import parameterized
@ -22,7 +21,6 @@ from twisted.test.proto_helpers import MemoryReactor
import synapse.rest.admin
from synapse.api.constants import (
EduTypes,
EventContentFields,
EventTypes,
ReceiptTypes,
@ -376,156 +374,6 @@ class SyncKnockTestCase(KnockingStrippedStateEventHelperMixin):
)
class ReadReceiptsTestCase(unittest.HomeserverTestCase):
servlets = [
synapse.rest.admin.register_servlets,
login.register_servlets,
receipts.register_servlets,
room.register_servlets,
sync.register_servlets,
]
def make_homeserver(self, reactor: MemoryReactor, clock: Clock) -> HomeServer:
config = self.default_config()
return self.setup_test_homeserver(config=config)
def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:
self.url = "/sync?since=%s"
self.next_batch = "s0"
# Register the first user
self.user_id = self.register_user("kermit", "monkey")
self.tok = self.login("kermit", "monkey")
# Create the room
self.room_id = self.helper.create_room_as(self.user_id, tok=self.tok)
# Register the second user
self.user2 = self.register_user("kermit2", "monkey")
self.tok2 = self.login("kermit2", "monkey")
# Join the second user
self.helper.join(room=self.room_id, user=self.user2, tok=self.tok2)
def test_private_read_receipts(self) -> None:
# Send a message as the first user
res = self.helper.send(self.room_id, body="hello", tok=self.tok)
# Send a private read receipt to tell the server the first user's message was read
channel = self.make_request(
"POST",
f"/rooms/{self.room_id}/receipt/{ReceiptTypes.READ_PRIVATE}/{res['event_id']}",
{},
access_token=self.tok2,
)
self.assertEqual(channel.code, 200)
# Test that the first user can't see the other user's private read receipt
self.assertIsNone(self._get_read_receipt())
def test_public_receipt_can_override_private(self) -> None:
"""
Sending a public read receipt to the same event which has a private read
receipt should cause that receipt to become public.
"""
# Send a message as the first user
res = self.helper.send(self.room_id, body="hello", tok=self.tok)
# Send a private read receipt
channel = self.make_request(
"POST",
f"/rooms/{self.room_id}/receipt/{ReceiptTypes.READ_PRIVATE}/{res['event_id']}",
{},
access_token=self.tok2,
)
self.assertEqual(channel.code, 200)
self.assertIsNone(self._get_read_receipt())
# Send a public read receipt
channel = self.make_request(
"POST",
f"/rooms/{self.room_id}/receipt/{ReceiptTypes.READ}/{res['event_id']}",
{},
access_token=self.tok2,
)
self.assertEqual(channel.code, 200)
# Test that we did override the private read receipt
self.assertNotEqual(self._get_read_receipt(), None)
def test_private_receipt_cannot_override_public(self) -> None:
"""
Sending a private read receipt to the same event which has a public read
receipt should cause no change.
"""
# Send a message as the first user
res = self.helper.send(self.room_id, body="hello", tok=self.tok)
# Send a public read receipt
channel = self.make_request(
"POST",
f"/rooms/{self.room_id}/receipt/{ReceiptTypes.READ}/{res['event_id']}",
{},
access_token=self.tok2,
)
self.assertEqual(channel.code, 200)
self.assertNotEqual(self._get_read_receipt(), None)
# Send a private read receipt
channel = self.make_request(
"POST",
f"/rooms/{self.room_id}/receipt/{ReceiptTypes.READ_PRIVATE}/{res['event_id']}",
{},
access_token=self.tok2,
)
self.assertEqual(channel.code, 200)
# Test that we didn't override the public read receipt
self.assertIsNone(self._get_read_receipt())
def test_read_receipt_with_empty_body_is_rejected(self) -> None:
# Send a message as the first user
res = self.helper.send(self.room_id, body="hello", tok=self.tok)
# Send a read receipt for this message with an empty body
channel = self.make_request(
"POST",
f"/rooms/{self.room_id}/receipt/m.read/{res['event_id']}",
access_token=self.tok2,
)
self.assertEqual(channel.code, HTTPStatus.BAD_REQUEST)
self.assertEqual(channel.json_body["errcode"], "M_NOT_JSON", channel.json_body)
def _get_read_receipt(self) -> Optional[JsonDict]:
"""Syncs and returns the read receipt."""
# Checks if event is a read receipt
def is_read_receipt(event: JsonDict) -> bool:
return event["type"] == EduTypes.RECEIPT
# Sync
channel = self.make_request(
"GET",
self.url % self.next_batch,
access_token=self.tok,
)
self.assertEqual(channel.code, 200)
# Store the next batch for the next request.
self.next_batch = channel.json_body["next_batch"]
if channel.json_body.get("rooms", None) is None:
return None
# Return the read receipt
ephemeral_events = channel.json_body["rooms"]["join"][self.room_id][
"ephemeral"
]["events"]
receipt_event = filter(is_read_receipt, ephemeral_events)
return next(receipt_event, None)
class UnreadMessagesTestCase(unittest.HomeserverTestCase):
servlets = [
synapse.rest.admin.register_servlets,