matrix-org · H-Shay · Jan 9, 2023 · Jan 6, 2023 · Jan 6, 2023 · Jan 6, 2023
@@ -0,0 +1 @@
+Don't block invites containing `invite_client_location` when using "http" in the keyword block list.
@@ -14,6 +14,7 @@
 
 import logging
 import random
+import re
 import string
 from email.header import Header
 from http import HTTPStatus
@@ -138,6 +139,9 @@ def render_POST(self, request: Request) -> JsonDict:
 
         for keyword in self.sydent.config.email.third_party_invite_keyword_blocklist:
             for (key, value) in args.items():
+                # make sure the blocklist doesn't stomp on invite_client_location url
+                if key == "org.matrix.web_client_location":
+                    value = re.sub(r"^(https?://)", "", value)
                 if keyword in value.casefold():
                     logger.info(
                         "Denying invites as %r appears in arg %r: %r",

@@ -1,4 +1,4 @@
-from unittest.mock import Mock
+from unittest.mock import Mock, patch
 
 from twisted.trial import unittest
 from twisted.web.client import Response
@@ -19,7 +19,7 @@ def setUp(self):
                 # Used by test_invited_email_address_obfuscation
                 "email.third_party_invite_username_obfuscate_characters": "6",
                 "email.third_party_invite_domain_obfuscate_characters": "8",
-                "email.third_party_invite_keyword_blocklist": "evil\nbad",
+                "email.third_party_invite_keyword_blocklist": "evil\nbad\nhttps://",
             },
         }
         self.sydent = make_sydent(test_config=config)
@@ -120,6 +120,32 @@ def test_third_party_invite_keyword_block_works(self):
         )
         self.assertEqual(channel.code, 403)
 
+    def test_third_party_invite_keyword_blocklist_exempts_invite_client_location_url(
+        self,
+    ):
+        invite_config = {
+            "medium": "email",
+            "address": "[email protected]",
+            "room_id": "!bar",
+            "sender": "@foo:example.com",
+            "room_name": "This is a fine room name.",
+            "org.matrix.web_client_location": "https://example.com",
+        }
+
+        # don't actually send the email
+        with patch("sydent.util.emailutils.smtplib") as smtplib:
+            request, channel = make_request(
+                self.sydent.reactor,
+                self.sydent.clientApiHttpServer.factory,
+                "POST",
+                "/_matrix/identity/api/v1/store-invite",
+                invite_config,
+            )
+        self.assertEqual(channel.code, 200)
+        smtp = smtplib.SMTP.return_value
+        # but make sure we did try to send it
+        smtp.sendmail.assert_called_once()
+
 
 class ThreepidInvitesNoDeleteTestCase(unittest.TestCase):
     """Test that invite tokens are not deleted when that is disabled."""
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Don't block invites containing `invite_client_location` when using "http" in the keyword block list.
H-Shay marked this conversation as resolved. Show resolved Hide resolved