From 1544e41dec5e2a262be206aece850f78c91f2e8f Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Tue, 6 Dec 2022 14:41:29 +0000
Subject: [PATCH 1/6] Expand the block list checks

We want to check all the arguments.
---
 sydent/http/servlets/store_invite_servlet.py | 15 +++++++++++----
 tests/test_invites.py                        |  7 ++++---
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/sydent/http/servlets/store_invite_servlet.py b/sydent/http/servlets/store_invite_servlet.py
index d948fd05..d2d2e742 100644
--- a/sydent/http/servlets/store_invite_servlet.py
+++ b/sydent/http/servlets/store_invite_servlet.py
@@ -94,10 +94,6 @@ def render_POST(self, request: Request) -> JsonDict:
             sender, "Limit exceeded for this sender"
         )
 
-        for keyword in self.sydent.config.email.third_party_invite_keyword_blocklist:
-            if keyword in [medium, address, roomId, sender]:
-                raise MatrixRestError(403, "M_UNAUTHORIZED", "Invite not allowed")
-
         globalAssocStore = GlobalAssociationStore(self.sydent)
         mxid = globalAssocStore.getMxid(medium, normalised_address)
         if mxid:
@@ -140,6 +136,17 @@ def render_POST(self, request: Request) -> JsonDict:
                 substitutions[k] = v
         substitutions["token"] = token
 
+        for keyword in self.sydent.config.email.third_party_invite_keyword_blocklist:
+            for (key, value) in args.items():
+                if keyword in value:
+                    logger.info(
+                        "Denying invites as %r appears in arg %r: %r",
+                        keyword,
+                        key,
+                        value,
+                    )
+                    raise MatrixRestError(403, "M_UNAUTHORIZED", "Invite not allowed")
+
         # Substitutions that the template requires, but are optional to provide
         # to the API.
         extra_substitutions = [
diff --git a/tests/test_invites.py b/tests/test_invites.py
index 546f759f..428ee9bf 100644
--- a/tests/test_invites.py
+++ b/tests/test_invites.py
@@ -106,9 +106,10 @@ def test_invited_email_address_obfuscation(self):
     def test_third_party_invite_keyword_block_works(self):
         invite_config = {
             "medium": "email",
-            "address": "evil",
-            "room_id": "bad",
-            "sender": "@bad_dude:badness.org",
+            "address": "foo@example.com",
+            "room_id": "!bar",
+            "sender": "@foo:example.com",
+            "room_name": "This is an evil room name.",
         }
         request, channel = make_request(
             self.sydent.reactor,

From 9daac44d1fbe2d4b0b49f334ac163c67d2a34a5f Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Tue, 6 Dec 2022 14:43:26 +0000
Subject: [PATCH 2/6] Make comparison case insensitive

---
 sydent/config/email.py                       | 2 +-
 sydent/http/servlets/store_invite_servlet.py | 2 +-
 tests/test_invites.py                        | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/sydent/config/email.py b/sydent/config/email.py
index 1398e804..8556233d 100644
--- a/sydent/config/email.py
+++ b/sydent/config/email.py
@@ -90,7 +90,7 @@ def parse_config(self, cfg: ConfigParser) -> bool:
             if room_id  # filter out empty lines
         }
         self.third_party_invite_keyword_blocklist = {
-            keyword
+            keyword.casefold()
             for keyword in third_party_invite_keyword_blocklist.split("\n")
             if keyword
         }
diff --git a/sydent/http/servlets/store_invite_servlet.py b/sydent/http/servlets/store_invite_servlet.py
index d2d2e742..27075eb9 100644
--- a/sydent/http/servlets/store_invite_servlet.py
+++ b/sydent/http/servlets/store_invite_servlet.py
@@ -138,7 +138,7 @@ def render_POST(self, request: Request) -> JsonDict:
 
         for keyword in self.sydent.config.email.third_party_invite_keyword_blocklist:
             for (key, value) in args.items():
-                if keyword in value:
+                if keyword in value.casefold():
                     logger.info(
                         "Denying invites as %r appears in arg %r: %r",
                         keyword,
diff --git a/tests/test_invites.py b/tests/test_invites.py
index 428ee9bf..b8963cdd 100644
--- a/tests/test_invites.py
+++ b/tests/test_invites.py
@@ -109,7 +109,7 @@ def test_third_party_invite_keyword_block_works(self):
             "address": "foo@example.com",
             "room_id": "!bar",
             "sender": "@foo:example.com",
-            "room_name": "This is an evil room name.",
+            "room_name": "This is an EVIL room name.",
         }
         request, channel = make_request(
             self.sydent.reactor,

From 83f07cac496f1ea44b49a150d32ca0d989198323 Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Tue, 6 Dec 2022 14:44:18 +0000
Subject: [PATCH 3/6] Newsfile

---
 changelog.d/536.misc | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/536.misc

diff --git a/changelog.d/536.misc b/changelog.d/536.misc
new file mode 100644
index 00000000..ba4e04e4
--- /dev/null
+++ b/changelog.d/536.misc
@@ -0,0 +1 @@
+Add a config option to drop emails if user-supplied content contains a given keyword.
\ No newline at end of file

From 59b1b62edc00ad6678d7226f7802e1055b90eca6 Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Tue, 6 Dec 2022 15:16:54 +0000
Subject: [PATCH 4/6] Poke GHA


From c4e79d2fa739ec8dbd461cce8ba9b0f3471d9762 Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Tue, 6 Dec 2022 15:26:07 +0000
Subject: [PATCH 5/6] Poke GHA


From 1095212ec4a4c44f4abead6c17b95b818b222af4 Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Tue, 6 Dec 2022 15:39:46 +0000
Subject: [PATCH 6/6] Poke GHA