feat(appservice): ensure users/aliases outside of namespaces are not accessed

Signed-off-by: strawberry <strawberry@puppygock.gay>
2024-04-16 22:39:49 -04:00 · 2024-04-16 22:39:49 -04:00 · 19e4befcb8
commit 19e4befcb8
parent b303a774d8
7 changed files with 154 additions and 61 deletions
--- a/src/api/client_server/alias.rs
+++ b/src/api/client_server/alias.rs
@ -29,6 +29,18 @@ pub async fn create_alias_route(body: Ruma<create_alias::v3::Request>) -> Result
 		return Err(Error::BadRequest(ErrorKind::Unknown, "Room alias is forbidden."));
 	}

+	if let Some(ref info) = body.appservice_info {
+		if !info.aliases.is_match(body.room_alias.as_str()) {
+			return Err(Error::BadRequest(ErrorKind::Exclusive, "Room alias is not in namespace."));
+		}
+	} else if services()
+		.appservice
+		.is_exclusive_alias(&body.room_alias)
+		.await
+	{
+		return Err(Error::BadRequest(ErrorKind::Exclusive, "Room alias reserved by appservice."));
+	}
+
 	if services()
 		.rooms
 		.alias
@ -73,6 +85,18 @@ pub async fn delete_alias_route(body: Ruma<delete_alias::v3::Request>) -> Result
 		return Err(Error::BadRequest(ErrorKind::NotFound, "Alias does not exist."));
 	}

+	if let Some(ref info) = body.appservice_info {
+		if !info.aliases.is_match(body.room_alias.as_str()) {
+			return Err(Error::BadRequest(ErrorKind::Exclusive, "Room alias is not in namespace."));
+		}
+	} else if services()
+		.appservice
+		.is_exclusive_alias(&body.room_alias)
+		.await
+	{
+		return Err(Error::BadRequest(ErrorKind::Exclusive, "Room alias reserved by appservice."));
+	}
+
 	if services()
 		.rooms
 		.alias