Add domain validation when creating room with list of invitees (#6121)

2024-06-18 10:38:21 +02:00 · 2019-10-10 14:05:48 +02:00 · 2019-10-10 14:05:48 +02:00 · b5b03b7079
parent 9a84d74417
commit b5b03b7079
3 changed files with 13 additions and 1 deletions
--- a/changelog.d/4088.bugfix
+++ b/changelog.d/4088.bugfix
@ -0,0 +1 @@
+Added domain validation when including a list of invitees upon room creation.
--- a/synapse/handlers/room.py
+++ b/synapse/handlers/room.py
@ -28,6 +28,7 @@ from twisted.internet import defer
 from synapse.api.constants import EventTypes, JoinRules, RoomCreationPreset
 from synapse.api.errors import AuthError, Codes, NotFoundError, StoreError, SynapseError
 from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
+from synapse.http.endpoint import parse_and_validate_server_name
 from synapse.storage.state import StateFilter
 from synapse.types import RoomAlias, RoomID, RoomStreamToken, StreamToken, UserID
 from synapse.util import stringutils
@ -554,7 +555,8 @@ class RoomCreationHandler(BaseHandler):
        invite_list = config.get("invite", [])
        for i in invite_list:
            try:
-                UserID.from_string(i)
+                uid = UserID.from_string(i)
+                parse_and_validate_server_name(uid.domain)
            except Exception:
                raise SynapseError(400, "Invalid user_id: %s" % (i,))

--- a/tests/rest/client/v1/test_rooms.py
+++ b/tests/rest/client/v1/test_rooms.py
@ -484,6 +484,15 @@ class RoomsCreateTestCase(RoomBase):
        self.render(request)
        self.assertEquals(400, channel.code)

+    def test_post_room_invitees_invalid_mxid(self):
+        # POST with invalid invitee, see https://github.com/matrix-org/synapse/issues/4088
+        # Note the trailing space in the MXID here!
+        request, channel = self.make_request(
+            "POST", "/createRoom", b'{"invite":["@alice:example.com "]}'
+        )
+        self.render(request)
+        self.assertEquals(400, channel.code)
+

 class RoomTopicTestCase(RoomBase):
    """ Tests /rooms/$room_id/topic REST events. """
				`@ -0,0 +1 @@`
				`Added domain validation when including a list of invitees upon room creation.`