magmaus3/continuwuity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add some ACL paw-gun checks, better PUT state event validation

Browse source 
Signed-off-by: June Clementine Strawberry <june@3.dog>
This commit is contained in:
June Clementine Strawberry 2025-03-07 00:57:39 -05:00
parent 2c58a6efda
commit 4f882c3bd8
No known key found for this signature in database
2 changed files with 178 additions and 98 deletions
Download patch file Download diff file Expand all files Collapse all files

23
src/api/client/keys.rs
View file

@ -1,7 +1,7 @@
use std::collections::{BTreeMap, HashMap, HashSet};
use axum::extract::State;
use conduwuit::{Err, Error, Result, debug, err, info, result::NotFound, utils};
use conduwuit::{Err, Error, Result, debug, debug_warn, err, info, result::NotFound, utils};
use futures::{StreamExt, stream::FuturesUnordered};
use ruma::{
OneTimeKeyAlgorithm, OwnedDeviceId, OwnedUserId, UserId,
@ -41,6 +41,20 @@ pub(crate) async fn upload_keys_route(
let (sender_user, sender_device) = body.sender();
for (key_id, one_time_key) in &body.one_time_keys {
if one_time_key
.deserialize()
.inspect_err(|e| {
debug_warn!(
?key_id,
?one_time_key,
"Invalid one time key JSON submitted by client, skipping: {e}"
)
})
.is_err()
{
continue;
}
services
.users
.add_one_time_key(sender_user, sender_device, key_id, one_time_key)
@ -48,7 +62,12 @@ pub(crate) async fn upload_keys_route(
}
if let Some(device_keys) = &body.device_keys {
let deser_device_keys = device_keys.deserialize()?;
let deser_device_keys = device_keys.deserialize().map_err(|e| {
err!(Request(BadJson(debug_warn!(
?device_keys,
"Invalid device keys JSON uploaded by client: {e}"
))))
})?;
if deser_device_keys.user_id != sender_user {
return Err!(Request(Unknown(