magmaus3/continuwuity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix /report endpoint a lot

Browse source 
in short, the `/report` endpoint now checks if:
- the reporting room in the URI matches the PDU/event reported
- sender user is in the room reported
- raises report reasoning to 750 characters (spec doesn't say to limit
these, but thorough and informative reports for server admins are not
a bad thing)
- (hopefully) fixes some broken formatting
- add a random short delay before sending a successful response to the
client to make it more annoying to enumerate for events on our server
(security by obscurity but spec suggests it)

basically, secure reports better lol

see https://spec.matrix.org/v1.9/client-server-api/#post_matrixclientv3roomsroomidreporteventid

Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
strawberry 2024-01-17 02:08:07 -05:00 committed by June
parent 7eb57a9fd5
commit e944ed5eb4
2 changed files with 38 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

1
DIFFERENCES.md
View file

@ -52,3 +52,4 @@
- Only follow 6 redirects total in our default reqwest ClientBuilder
- Generate passwords with 25 characters instead of 15
- Add missing `reason` field to user ban events (`/ban`)
- For all [`/report`](https://spec.matrix.org/v1.9/client-server-api/#post_matrixclientv3roomsroomidreporteventid) requests: check if the reported event ID belongs to the reported room ID, raise report reasoning character limit to 750, fix broken formatting, make a small delayed random response per spec suggestion on privacy, and check if the sender user is in the reported room.