Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Expand the block list checks #536

Merged
merged 6 commits into from
Dec 7, 2022
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Expand the block list checks
We want to check all the arguments.
erikjohnston committed Dec 6, 2022
commit 1544e41dec5e2a262be206aece850f78c91f2e8f
15 changes: 11 additions & 4 deletions sydent/http/servlets/store_invite_servlet.py
Original file line number Diff line number Diff line change
@@ -94,10 +94,6 @@ def render_POST(self, request: Request) -> JsonDict:
sender, "Limit exceeded for this sender"
)

for keyword in self.sydent.config.email.third_party_invite_keyword_blocklist:
if keyword in [medium, address, roomId, sender]:
raise MatrixRestError(403, "M_UNAUTHORIZED", "Invite not allowed")

globalAssocStore = GlobalAssociationStore(self.sydent)
mxid = globalAssocStore.getMxid(medium, normalised_address)
if mxid:
@@ -140,6 +136,17 @@ def render_POST(self, request: Request) -> JsonDict:
substitutions[k] = v
substitutions["token"] = token

for keyword in self.sydent.config.email.third_party_invite_keyword_blocklist:
for (key, value) in args.items():
if keyword in value:
logger.info(
"Denying invites as %r appears in arg %r: %r",
keyword,
key,
value,
)
raise MatrixRestError(403, "M_UNAUTHORIZED", "Invite not allowed")

# Substitutions that the template requires, but are optional to provide
# to the API.
extra_substitutions = [
7 changes: 4 additions & 3 deletions tests/test_invites.py
Original file line number Diff line number Diff line change
@@ -106,9 +106,10 @@ def test_invited_email_address_obfuscation(self):
def test_third_party_invite_keyword_block_works(self):
invite_config = {
"medium": "email",
"address": "evil",
"room_id": "bad",
"sender": "@bad_dude:badness.org",
"address": "[email protected]",
"room_id": "!bar",
"sender": "@foo:example.com",
"room_name": "This is an evil room name.",
}
request, channel = make_request(
self.sydent.reactor,