This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Audit or add validation to rest endpoints in synapse/rest/client/filter.py #14265

Open
Tracked by #13147
DMRobertson opened this issue Oct 21, 2022 · 1 comment
Labels
A-Validation 500 (mostly) errors due to lack of event/parameter validation T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements. Z-Cleanup Things we want to get rid of, but aren't actively causing pain

Comments


DMRobertson commented Oct 21, 2022

Only one endpoint here: CreateFilterRestServlet's POST

(there's a GET endpoint but there's not much to validate there)

We have a JSONSchema for filter definitions. Could try using https://pydantic-docs.helpmanual.io/datamodel_code_generator/ to generate the model rather than doing it from first principles.

```shell
python -c 'from synapse.api.filtering import USER_FILTER_SCHEMA; import json; print(json.dumps(USER_FILTER_SCHEMA))' | datamodel-codegen --input-file-type jsonschema --strict-types str int bool float
```

```python
# generated by datamodel-codegen:
#   filename:  <stdin>
#   timestamp: 2022-10-21T21:37:20+00:00

from __future__ import annotations

from enum import Enum
from typing import List, Optional

from pydantic import BaseModel, Extra, Field, StrictBool, StrictFloat, StrictStr, constr


class EventFormat(Enum):
    client = 'client'
    federation = 'federation'


class RoomIdArray(BaseModel):
    __root__: List[StrictStr]


class UserIdArray(BaseModel):
    __root__: List[StrictStr]


class Filter(BaseModel):
    class Config:
        extra = Extra.forbid

    limit: Optional[StrictFloat] = None
    senders: Optional[UserIdArray] = None
    not_senders: Optional[UserIdArray] = None
    types: Optional[List[StrictStr]] = None
    not_types: Optional[List[StrictStr]] = None
    org_matrix_msc3874_rel_types: Optional[List[StrictStr]] = Field(
        None, alias='org.matrix.msc3874.rel_types'
    )
    org_matrix_msc3874_not_rel_types: Optional[List[StrictStr]] = Field(
        None, alias='org.matrix.msc3874.not_rel_types'
    )


class RoomEventFilter(BaseModel):
    class Config:
        extra = Extra.forbid

    limit: Optional[StrictFloat] = None
    senders: Optional[UserIdArray] = None
    not_senders: Optional[UserIdArray] = None
    types: Optional[List[StrictStr]] = None
    not_types: Optional[List[StrictStr]] = None
    rooms: Optional[RoomIdArray] = None
    not_rooms: Optional[RoomIdArray] = None
    contains_url: Optional[StrictBool] = None
    lazy_load_members: Optional[StrictBool] = None
    include_redundant_members: Optional[StrictBool] = None
    unread_thread_notifications: Optional[StrictBool] = None
    org_matrix_msc3773_unread_thread_notifications: Optional[StrictBool] = Field(
        None, alias='org.matrix.msc3773.unread_thread_notifications'
    )
    org_matrix_labels: Optional[List[StrictStr]] = Field(
        None, alias='org.matrix.labels'
    )
    org_matrix_not_labels: Optional[List[StrictStr]] = Field(
        None, alias='org.matrix.not_labels'
    )
    related_by_senders: Optional[List[StrictStr]] = None
    related_by_rel_types: Optional[List[StrictStr]] = None


class RoomFilter(BaseModel):
    class Config:
        extra = Extra.forbid

    not_rooms: Optional[RoomIdArray] = None
    rooms: Optional[RoomIdArray] = None
    ephemeral: Optional[RoomEventFilter] = None
    include_leave: Optional[StrictBool] = None
    state: Optional[RoomEventFilter] = None
    timeline: Optional[RoomEventFilter] = None
    account_data: Optional[RoomEventFilter] = None


class Model(BaseModel):
    class Config:
        extra = Extra.forbid

    presence: Optional[Filter] = None
    account_data: Optional[Filter] = None
    room: Optional[RoomFilter] = None
    event_format: Optional[EventFormat] = None
    event_fields: Optional[List[constr(regex=r'^((?!\\\\).)*$', strict=True)]] = None
```
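As an added illustration, not code from this issue or from Synapse: a stdlib-only validator that mirrors what the generated model above enforces for a subset of the filter fields, so the effect of `--strict-types` and `Extra.forbid` can be seen on a malformed request body without pydantic installed. The field names come from the models above; the `event_fields` pattern is assumed here to mean "no backslash", and the sample body is constructed.

```python
import re
from typing import Any, Dict, List
# Checkers mirror --strict-types: no coercion, and since bool is a subclass
# of int in Python a strict number must exclude it explicitly (StrictFloat).
def _strict_bool(v: Any) -> bool:
    return isinstance(v, bool)

def _strict_num(v: Any) -> bool:
    return isinstance(v, (int, float)) and not isinstance(v, bool)

def _str_list(v: Any) -> bool:
    return isinstance(v, list) and all(isinstance(x, str) for x in v)

# Assumption: the event_fields pattern is meant to reject any backslash.
EVENT_FIELDS_RE = re.compile(r"^((?!\\).)*$")

# Subset of the generated models above: a dict value is a nested object, a
# callable a leaf type check; keys not in the spec are rejected (Extra.forbid).
EVENT_FILTER: Dict[str, Any] = {"limit": _strict_num, "senders": _str_list,
                                "not_senders": _str_list, "types": _str_list, "not_types": _str_list}
ROOM_EVENT_FILTER = {**EVENT_FILTER, "rooms": _str_list, "not_rooms": _str_list,
                     "contains_url": _strict_bool, "lazy_load_members": _strict_bool,
                     "include_redundant_members": _strict_bool}
ROOM_FILTER = {"rooms": _str_list, "not_rooms": _str_list, "include_leave": _strict_bool,
               "ephemeral": ROOM_EVENT_FILTER, "state": ROOM_EVENT_FILTER,
               "timeline": ROOM_EVENT_FILTER, "account_data": ROOM_EVENT_FILTER}
USER_FILTER = {"presence": EVENT_FILTER, "account_data": EVENT_FILTER, "room": ROOM_FILTER,
               "event_format": lambda v: v in ("client", "federation"),
               "event_fields": lambda v: _str_list(v) and all(EVENT_FIELDS_RE.match(x) for x in v)}

def _check(obj: Any, spec: Dict[str, Any], path: str, errors: List[str]) -> None:
    if not isinstance(obj, dict):
        errors.append(f"{path}: expected object")
        return
    for key, value in obj.items():
        if key not in spec:
            errors.append(f"{path}.{key}: extra field not permitted")
        elif isinstance(spec[key], dict):
            _check(value, spec[key], f"{path}.{key}", errors)
        elif not spec[key](value):
            errors.append(f"{path}.{key}: wrong type")

def validate_user_filter(body: Any) -> List[str]:
    """Return every problem found; an empty list means the body is acceptable."""
    errors: List[str] = []
    _check(body, USER_FILTER, "$", errors)
    return errors

# Constructed body: string limit, int where a bool is needed, unknown key, backslash in event_fields.
SAMPLE_BODY = {"room": {"timeline": {"limit": "10", "contains_url": 1}, "unknown": {}},
               "event_format": "client", "event_fields": ["content.body", "bad\\path"]}
```

Each defect in `SAMPLE_BODY` yields one error path, which is the kind of 400-with-reason response that replaces a 500 from an unvalidated body.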

@DMRobertson DMRobertson changed the title synapse/rest/client/filter.py Audit or add validation to rest endpoints in synapse/rest/client/filter.py Oct 21, 2022
@DMRobertson DMRobertson added A-Validation 500 (mostly) errors due to lack of event/parameter validation T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements. labels Oct 21, 2022
@DMRobertson DMRobertson self-assigned this Oct 21, 2022
DMRobertson (Contributor, Author) commented:

On second thoughts: might be worth leaving this one as it is: we validate filters with jsonschema before persisting them in the DB, and then parse them into a Filter class when we need to use them.

@DMRobertson DMRobertson removed their assignment Oct 24, 2022
@MadLittleMods MadLittleMods added the Z-Cleanup Things we want to get rid of, but aren't actively causing pain label Apr 25, 2023