Reject events which have too many auth_events or prev_events

... this should protect us from being dossed by people making silly events (deliberately or otherwise)
2024-11-17 15:31:19 +01:00 · 2018-04-17 22:11:19 +01:00 · 2018-04-17 22:11:19 +01:00 · 9b7794262f
commit 9b7794262f
parent 512633ef44
1 changed files with 28 additions and 4 deletions
--- a/synapse/handlers/federation.py
+++ b/synapse/handlers/federation.py
@ -15,8 +15,14 @@
 # limitations under the License.
 """Contains handlers for federation events."""
 import httplib
 import itertools
 import logging
 from signedjson.key import decode_verify_key_bytes
 from signedjson.sign import verify_signed_json
 from twisted.internet import defer
 from unpaddedbase64 import decode_base64
 from ._base import BaseHandler
@ -43,10 +49,6 @@ from synapse.util.retryutils import NotRetryingDestination
 from synapse.util.distributor import user_joined_room
 from twisted.internet import defer
 import itertools
 import logging
 logger = logging.getLogger(__name__)
@ -115,6 +117,28 @@ class FederationHandler(BaseHandler):
            logger.debug("Already seen pdu %s", pdu.event_id)
            return
        # do some initial sanity-checking of the event. In particular, make
        # sure it doesn't have hundreds of prev_events or auth_events, which
        # could cause a huge state resolution or cascade of event fetches
        if len(pdu.prev_events) > 20:
            logger.warn("Rejecting event %s which has %i prev_events",
                        pdu.event_id, len(pdu.prev_events))
            raise FederationError(
                "ERROR",
                httplib.BAD_REQUEST,
                "Too many prev_events",
                affected=pdu.event_id,
            )
        if len(pdu.auth_events) > 10:
            logger.warn("Rejecting event %s which has %i auth_events",
                        pdu.event_id, len(pdu.auth_events))
            raise FederationError(
                "ERROR",
                httplib.BAD_REQUEST,
                "Too many auth_events",
                affected=pdu.event_id,
            )
        # If we are currently in the process of joining this room, then we
        # queue up events for later processing.
        if pdu.room_id in self.room_queues: