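--- a/pkgs/by-name/ma/matrix-continuwuity/continuwuity-exploit-fix.diff
+++ b/pkgs/by-name/ma/matrix-continuwuity/continuwuity-exploit-fix.diff
+diff --git a/src/api/server/invite.rs b/src/api/server/invite.rs
+index 78a65fe8..d284fedd 100644
+--- a/src/api/server/invite.rs
++++ b/src/api/server/invite.rs
+@@ -61,6 +61,46 @@ pub(crate) async fn create_invite_route(
+ let mut signed_event = utils::to_canonical_object(&body.event)
+ .map_err(|_| err!(Request(InvalidParam("Invite event is invalid."))))?;
++ // Ensure this is a membership event
++ if signed_event
++ .get("type")
++ .expect("event must have a type")
++ .as_str()
++ .expect("type must be a string")
++ != "m.room.member"
++ {
++ return Err!(Request(BadJson(
++ "Not allowed to send non-membership event to invite endpoint."
++ )));
++ }
++
++ let content: RoomMemberEventContent = serde_json::from_value(
++ signed_event
++ .get("content")
++ .ok_or_else(|| err!(Request(BadJson("Event missing content property"))))?
++ .clone()
++ .into(),
++ )
++ .map_err(|e| err!(Request(BadJson(warn!("Event content is empty or invalid: {e}")))))?;
++
++ // Ensure this is an invite membership event
++ if content.membership != MembershipState::Invite {
++ return Err!(Request(BadJson(
++ "Not allowed to send a non-invite membership event to invite endpoint."
++ )));
++ }
++
++ // Ensure the sending user isn't a lying bozo
++ let sender_server = signed_event
++ .get("sender")
++ .try_into()
++ .map(UserId::server_name)
++ .map_err(|e| err!(Request(InvalidParam("Invalid sender property: {e}"))))?;
++ if sender_server != body.origin() {
++ return Err!(Request(Forbidden("Sender's server does not match the origin server.",)));
++ }
++
++ // Ensure the target user belongs to this server
+ let recipient_user: OwnedUserId = signed_event
+ .get("state_key")
+ .try_into()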
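Review bot: The `type` check at the top of the added block panics on remote input: `.get("type").expect("event must have a type")` and `.as_str().expect("type must be a string")` run on the event submitted by the calling server, so an invite with a missing or non-string `type` would unwind the handler instead of producing an error response, unless validation earlier in `create_invite_route` (which starts above this hunk and continues below it) already guarantees the field. The `content` and `sender` checks right after it map malformed input to `BadJson`/`InvalidParam`, and the type check should do the same: `if signed_event.get("type").and_then(|v| v.as_str()) != Some("m.room.member") {`, keeping the existing `BadJson` return as its body. The sender check would also read better with a comment that states the rule it enforces, e.g. `// The sender's server name must equal the authenticated origin, so one server cannot submit an invite in the name of another server's user.`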
pkgs/by-name/ma/matrix-continuwuity/package.nix +5 −0
@@ -87,6 +87,11 @@ rustPlatform.buildRustPackage (finalAttrs: { hash = "sha256-UHlKAYgIkVtZJV+H2Xl7HssV03Q3XNxluMfLRY2e+Do="; }; # https://forgejo.ellis.link/continuwuation/continuwuity/commit/b2bead67ac8bc45de9a612578f295e5b7fc6c2b5 # https://forgejo.ellis.link/continuwuation/continuwuity/commit/7fa4fa98628593c1a963f5aa8dbc3657d604b047 # this patch is probably unneeded with the next release patches = [ ./continuwuity-exploit-fix.diff ]; cargoHash = "sha256-imfpl+72zlqeEREdTGFG3bsMdPTXe/sb1uGvMC6BGT0="; nativeBuildInputs = [
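Review bot: The comment above `patches` does not say what the vendored diff fixes or when it can be removed; `this patch is probably unneeded with the next release` leaves the next updater to guess. Something like `# Backport of the two upstream commits above (invite event validation on the federation endpoint); drop once the package is bumped to a release that contains them.` would make the removal condition explicit. Since the diff is a hand-assembled copy of upstream changes, a reviewer has to compare it with the two linked commits by eye; if the forge serves patch URLs for them, `fetchpatch` with a pinned hash would keep the provenance checkable. The `buildRustPackage` call starts and ends outside this hunk.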