From e5e358cc6806612eb2599b83ce59d6898dbabe70 Mon Sep 17 00:00:00 2001
From: strawberry
Date: Sun, 26 May 2024 17:19:24 -0400
Subject: [PATCH] compare X-Matrix origin + body origin and check PDU/EDU length at /send txn

Signed-off-by: strawberry
---
 src/api/server_server.rs | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/src/api/server_server.rs b/src/api/server_server.rs
index 73b51c8c..b2b842b1 100644
--- a/src/api/server_server.rs
+++ b/src/api/server_server.rs
@@ -209,6 +209,27 @@ pub(crate) async fn send_transaction_message_route(
 ) -> Result {
 let origin = body.origin.as_ref().expect("server is authenticated");
 
+ if *origin != body.body.origin {
+ return Err(Error::BadRequest(
+ ErrorKind::forbidden(),
+ "Not allowed to send transactions on behalf of other servers",
+ ));
+ }
+
+ if body.pdus.len() > 50_usize {
+ return Err(Error::BadRequest(
+ ErrorKind::forbidden(),
+ "Not allowed to send more than 50 PDUs in one transaction",
+ ));
+ }
+
+ if body.edus.len() > 100_usize {
+ return Err(Error::BadRequest(
+ ErrorKind::forbidden(),
+ "Not allowed to send more than 100 EDUs in one transaction",
+ ));
+ }
+
 // This is all the auth_events that have been recursively fetched so they don't
 // have to be deserialized over and over again.
 // TODO: make this persist across requests but not in a DB Tree (in globals?)
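Review bot: The origin-mismatch branch at the top of the added block rejects the request without recording which server attempted it, so an authenticated server submitting a transaction under another server's name leaves no trace for operators. Logging the authenticated `origin` and the claimed `body.body.origin` at warning level just before that `return Err(...)` would make such attempts visible. The two size checks also return `ErrorKind::forbidden()`, although the failure is about transaction size rather than authorization, so an error kind that describes a malformed or oversized request would be more accurate for the sending server. The limits 50 and 100 appear in both the condition and the message text; named constants such as `const MAX_PDUS_PER_TXN: usize = 50;` and `const MAX_EDUS_PER_TXN: usize = 100;` (names constructed here) would keep each limit in one place. The body of `send_transaction_message_route` continues outside the hunk, so whether each PDU's own origin is checked later cannot be judged from these lines.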