Skip to content
This repository was archived by the owner on Apr 26, 2024. It is now read-only.

Commit b7c580e

Browse files
clokepclokep
authored
Check if group IDs are valid before using them. (#8977)
1 parent 637282b commit b7c580e

File tree

3 files changed

+47
-4
lines changed

3 files changed

+47
-4
lines changed

changelog.d/8977.bugfix

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
Properly return 400 errors on invalid group IDs.

synapse/handlers/groups_local.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ def _create_rerouter(func_name):
2929

3030
async def f(self, group_id, *args, **kwargs):
3131
if not GroupID.is_valid(group_id):
32-
raise SynapseError(400, "%s was not legal group ID" % (group_id,))
32+
raise SynapseError(400, "%s is not a legal group ID" % (group_id,))
3333

3434
if self.is_mine_id(group_id):
3535
return await getattr(self.groups_server_handler, func_name)(

synapse/rest/client/v2_alpha/groups.py

Lines changed: 45 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@
1515
# limitations under the License.
1616

1717
import logging
18+
from functools import wraps
1819

1920
from synapse.api.errors import SynapseError
2021
from synapse.http.servlet import RestServlet, parse_json_object_from_request
@@ -25,6 +26,22 @@
2526
logger = logging.getLogger(__name__)
2627

2728

29+
def _validate_group_id(f):
30+
"""Wrapper to validate the form of the group ID.
31+
32+
Can be applied to any on_FOO methods that accepts a group ID as a URL parameter.
33+
"""
34+
35+
@wraps(f)
36+
def wrapper(self, request, group_id, *args, **kwargs):
37+
if not GroupID.is_valid(group_id):
38+
raise SynapseError(400, "%s is not a legal group ID" % (group_id,))
39+
40+
return f(self, request, group_id, *args, **kwargs)
41+
42+
return wrapper
43+
44+
2845
class GroupServlet(RestServlet):
2946
"""Get the group profile
3047
"""
@@ -37,6 +54,7 @@ def __init__(self, hs):
3754
self.clock = hs.get_clock()
3855
self.groups_handler = hs.get_groups_local_handler()
3956

57+
@_validate_group_id
4058
async def on_GET(self, request, group_id):
4159
requester = await self.auth.get_user_by_req(request, allow_guest=True)
4260
requester_user_id = requester.user.to_string()
@@ -47,6 +65,7 @@ async def on_GET(self, request, group_id):
4765

4866
return 200, group_description
4967

68+
@_validate_group_id
5069
async def on_POST(self, request, group_id):
5170
requester = await self.auth.get_user_by_req(request)
5271
requester_user_id = requester.user.to_string()
@@ -71,6 +90,7 @@ def __init__(self, hs):
7190
self.clock = hs.get_clock()
7291
self.groups_handler = hs.get_groups_local_handler()
7392

93+
@_validate_group_id
7494
async def on_GET(self, request, group_id):
7595
requester = await self.auth.get_user_by_req(request, allow_guest=True)
7696
requester_user_id = requester.user.to_string()
@@ -102,6 +122,7 @@ def __init__(self, hs):
102122
self.clock = hs.get_clock()
103123
self.groups_handler = hs.get_groups_local_handler()
104124

125+
@_validate_group_id
105126
async def on_PUT(self, request, group_id, category_id, room_id):
106127
requester = await self.auth.get_user_by_req(request)
107128
requester_user_id = requester.user.to_string()
@@ -117,6 +138,7 @@ async def on_PUT(self, request, group_id, category_id, room_id):
117138

118139
return 200, resp
119140

141+
@_validate_group_id
120142
async def on_DELETE(self, request, group_id, category_id, room_id):
121143
requester = await self.auth.get_user_by_req(request)
122144
requester_user_id = requester.user.to_string()
@@ -142,6 +164,7 @@ def __init__(self, hs):
142164
self.clock = hs.get_clock()
143165
self.groups_handler = hs.get_groups_local_handler()
144166

167+
@_validate_group_id
145168
async def on_GET(self, request, group_id, category_id):
146169
requester = await self.auth.get_user_by_req(request, allow_guest=True)
147170
requester_user_id = requester.user.to_string()
@@ -152,6 +175,7 @@ async def on_GET(self, request, group_id, category_id):
152175

153176
return 200, category
154177

178+
@_validate_group_id
155179
async def on_PUT(self, request, group_id, category_id):
156180
requester = await self.auth.get_user_by_req(request)
157181
requester_user_id = requester.user.to_string()
@@ -163,6 +187,7 @@ async def on_PUT(self, request, group_id, category_id):
163187

164188
return 200, resp
165189

190+
@_validate_group_id
166191
async def on_DELETE(self, request, group_id, category_id):
167192
requester = await self.auth.get_user_by_req(request)
168193
requester_user_id = requester.user.to_string()
@@ -186,6 +211,7 @@ def __init__(self, hs):
186211
self.clock = hs.get_clock()
187212
self.groups_handler = hs.get_groups_local_handler()
188213

214+
@_validate_group_id
189215
async def on_GET(self, request, group_id):
190216
requester = await self.auth.get_user_by_req(request, allow_guest=True)
191217
requester_user_id = requester.user.to_string()
@@ -209,6 +235,7 @@ def __init__(self, hs):
209235
self.clock = hs.get_clock()
210236
self.groups_handler = hs.get_groups_local_handler()
211237

238+
@_validate_group_id
212239
async def on_GET(self, request, group_id, role_id):
213240
requester = await self.auth.get_user_by_req(request, allow_guest=True)
214241
requester_user_id = requester.user.to_string()
@@ -219,6 +246,7 @@ async def on_GET(self, request, group_id, role_id):
219246

220247
return 200, category
221248

249+
@_validate_group_id
222250
async def on_PUT(self, request, group_id, role_id):
223251
requester = await self.auth.get_user_by_req(request)
224252
requester_user_id = requester.user.to_string()
@@ -230,6 +258,7 @@ async def on_PUT(self, request, group_id, role_id):
230258

231259
return 200, resp
232260

261+
@_validate_group_id
233262
async def on_DELETE(self, request, group_id, role_id):
234263
requester = await self.auth.get_user_by_req(request)
235264
requester_user_id = requester.user.to_string()
@@ -253,6 +282,7 @@ def __init__(self, hs):
253282
self.clock = hs.get_clock()
254283
self.groups_handler = hs.get_groups_local_handler()
255284

285+
@_validate_group_id
256286
async def on_GET(self, request, group_id):
257287
requester = await self.auth.get_user_by_req(request, allow_guest=True)
258288
requester_user_id = requester.user.to_string()
@@ -284,6 +314,7 @@ def __init__(self, hs):
284314
self.clock = hs.get_clock()
285315
self.groups_handler = hs.get_groups_local_handler()
286316

317+
@_validate_group_id
287318
async def on_PUT(self, request, group_id, role_id, user_id):
288319
requester = await self.auth.get_user_by_req(request)
289320
requester_user_id = requester.user.to_string()
@@ -299,6 +330,7 @@ async def on_PUT(self, request, group_id, role_id, user_id):
299330

300331
return 200, resp
301332

333+
@_validate_group_id
302334
async def on_DELETE(self, request, group_id, role_id, user_id):
303335
requester = await self.auth.get_user_by_req(request)
304336
requester_user_id = requester.user.to_string()
@@ -322,13 +354,11 @@ def __init__(self, hs):
322354
self.clock = hs.get_clock()
323355
self.groups_handler = hs.get_groups_local_handler()
324356

357+
@_validate_group_id
325358
async def on_GET(self, request, group_id):
326359
requester = await self.auth.get_user_by_req(request, allow_guest=True)
327360
requester_user_id = requester.user.to_string()
328361

329-
if not GroupID.is_valid(group_id):
330-
raise SynapseError(400, "%s was not legal group ID" % (group_id,))
331-
332362
result = await self.groups_handler.get_rooms_in_group(
333363
group_id, requester_user_id
334364
)
@@ -348,6 +378,7 @@ def __init__(self, hs):
348378
self.clock = hs.get_clock()
349379
self.groups_handler = hs.get_groups_local_handler()
350380

381+
@_validate_group_id
351382
async def on_GET(self, request, group_id):
352383
requester = await self.auth.get_user_by_req(request, allow_guest=True)
353384
requester_user_id = requester.user.to_string()
@@ -371,6 +402,7 @@ def __init__(self, hs):
371402
self.clock = hs.get_clock()
372403
self.groups_handler = hs.get_groups_local_handler()
373404

405+
@_validate_group_id
374406
async def on_GET(self, request, group_id):
375407
requester = await self.auth.get_user_by_req(request)
376408
requester_user_id = requester.user.to_string()
@@ -393,6 +425,7 @@ def __init__(self, hs):
393425
self.auth = hs.get_auth()
394426
self.groups_handler = hs.get_groups_local_handler()
395427

428+
@_validate_group_id
396429
async def on_PUT(self, request, group_id):
397430
requester = await self.auth.get_user_by_req(request)
398431
requester_user_id = requester.user.to_string()
@@ -449,6 +482,7 @@ def __init__(self, hs):
449482
self.clock = hs.get_clock()
450483
self.groups_handler = hs.get_groups_local_handler()
451484

485+
@_validate_group_id
452486
async def on_PUT(self, request, group_id, room_id):
453487
requester = await self.auth.get_user_by_req(request)
454488
requester_user_id = requester.user.to_string()
@@ -460,6 +494,7 @@ async def on_PUT(self, request, group_id, room_id):
460494

461495
return 200, result
462496

497+
@_validate_group_id
463498
async def on_DELETE(self, request, group_id, room_id):
464499
requester = await self.auth.get_user_by_req(request)
465500
requester_user_id = requester.user.to_string()
@@ -486,6 +521,7 @@ def __init__(self, hs):
486521
self.clock = hs.get_clock()
487522
self.groups_handler = hs.get_groups_local_handler()
488523

524+
@_validate_group_id
489525
async def on_PUT(self, request, group_id, room_id, config_key):
490526
requester = await self.auth.get_user_by_req(request)
491527
requester_user_id = requester.user.to_string()
@@ -514,6 +550,7 @@ def __init__(self, hs):
514550
self.store = hs.get_datastore()
515551
self.is_mine_id = hs.is_mine_id
516552

553+
@_validate_group_id
517554
async def on_PUT(self, request, group_id, user_id):
518555
requester = await self.auth.get_user_by_req(request)
519556
requester_user_id = requester.user.to_string()
@@ -541,6 +578,7 @@ def __init__(self, hs):
541578
self.clock = hs.get_clock()
542579
self.groups_handler = hs.get_groups_local_handler()
543580

581+
@_validate_group_id
544582
async def on_PUT(self, request, group_id, user_id):
545583
requester = await self.auth.get_user_by_req(request)
546584
requester_user_id = requester.user.to_string()
@@ -565,6 +603,7 @@ def __init__(self, hs):
565603
self.clock = hs.get_clock()
566604
self.groups_handler = hs.get_groups_local_handler()
567605

606+
@_validate_group_id
568607
async def on_PUT(self, request, group_id):
569608
requester = await self.auth.get_user_by_req(request)
570609
requester_user_id = requester.user.to_string()
@@ -589,6 +628,7 @@ def __init__(self, hs):
589628
self.clock = hs.get_clock()
590629
self.groups_handler = hs.get_groups_local_handler()
591630

631+
@_validate_group_id
592632
async def on_PUT(self, request, group_id):
593633
requester = await self.auth.get_user_by_req(request)
594634
requester_user_id = requester.user.to_string()
@@ -613,6 +653,7 @@ def __init__(self, hs):
613653
self.clock = hs.get_clock()
614654
self.groups_handler = hs.get_groups_local_handler()
615655

656+
@_validate_group_id
616657
async def on_PUT(self, request, group_id):
617658
requester = await self.auth.get_user_by_req(request)
618659
requester_user_id = requester.user.to_string()
@@ -637,6 +678,7 @@ def __init__(self, hs):
637678
self.clock = hs.get_clock()
638679
self.store = hs.get_datastore()
639680

681+
@_validate_group_id
640682
async def on_PUT(self, request, group_id):
641683
requester = await self.auth.get_user_by_req(request)
642684
requester_user_id = requester.user.to_string()

0 commit comments

Comments
 (0)