filter out m.room.aliases from the CS API until a better solution is specced (#6878)

We're in the middle of properly mitigating spam caused by malicious aliases being added to a room. However, until this work fully lands, we temporarily filter out all m.room.aliases events from /sync and /messages on the CS API, to remove abusive aliases. This is considered acceptable as m.room.aliases events were never a reliable record of the given alias->id mapping and were purely informational, and in their current state do more harm than good.
This commit is contained in:
Matthew Hodgson 2020-02-10 09:36:23 +00:00 committed by GitHub
parent fe73f0d533
commit 8e64c5a24c
2 changed files with 8 additions and 0 deletions

1
changelog.d/6878.feature Normal file
View file

@ -0,0 +1 @@
Filter out m.room.aliases from the CS API to mitigate abuse while a better solution is specced.

View file

@ -122,6 +122,13 @@ def filter_events_for_client(
if not event.is_state() and event.sender in ignore_list: if not event.is_state() and event.sender in ignore_list:
return None return None
# Until MSC2261 has landed we can't redact malicious alias events, so for
# now we temporarily filter out m.room.aliases entirely to mitigate
# abuse, while we spec a better solution to advertising aliases
# on rooms.
if event.type == EventTypes.Aliases:
return None
# Don't try to apply the room's retention policy if the event is a state event, as # Don't try to apply the room's retention policy if the event is a state event, as
# MSC1763 states that retention is only considered for non-state events. # MSC1763 states that retention is only considered for non-state events.
if apply_retention_policies and not event.is_state(): if apply_retention_policies and not event.is_state():