fix(federation): reject cross-room auth events on inbound PDUs#227
Merged
An inbound event's auth_events were accepted without checking they belong to the room (receipt rule 3.5), so a peer could cite a foreign-room m.room.power_levels/member as an auth event to fake authority it doesn't hold here. Now reject any resolved auth event whose room_id differs from the event's own; m.room.create is exempt (it's bound to the room by check_auth rule 2 via the room_id↔create-id relation).
An inbound event's auth_events were accepted without checking they belong to the room (receipt rule 3.5), so a peer could cite a foreign-room m.room.power_levels/member as an auth event to fake authority it doesn't hold here. Now reject any resolved auth event whose room_id differs from the event's own; m.room.create is exempt (already bound to the room by check_auth rule 2 via the room_id↔create-id relation).

Test: an event citing another room's member event as an auth event is rejected.

(Scope note: this PR originally also added the restricted-join authoriser-server signature check — auth rule 5.2.1. CI surfaced that it rejected legitimate restricted joins whose join_authorised_via_users_server came through in an unexpected form, so that half was reverted for separate investigation. This PR is the safe, tested cross-room-auth-events half.)
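The receipt-rule check this PR describes, as an added illustration rather than the project's own code: auth event IDs are resolved against a constructed in-memory event store, any resolved auth event whose room_id differs from the inbound event's own is rejected, and m.room.create is exempted (the room_id↔create-id relation is assumed to be enforced separately by check_auth rule 2 and is not reimplemented here). The event shapes, room IDs and event IDs are constructed sample data.

```python
# Added example, not code from the PR. Event dicts carry only the PDU fields
# this check needs: event_id, room_id, type, auth_events.

CREATE = "m.room.create"
ROOM_A = "!roomA:example.org"   # constructed room IDs
ROOM_B = "!roomB:example.org"

# Constructed event store keyed by event_id. Room B's member event is the
# "foreign-room" auth event a peer might try to cite in room A.
EVENTS = {
    "$create:A": {"event_id": "$create:A", "room_id": ROOM_A, "type": CREATE, "auth_events": []},
    "$pl:A": {"event_id": "$pl:A", "room_id": ROOM_A, "type": "m.room.power_levels",
              "auth_events": ["$create:A"]},
    "$create:B": {"event_id": "$create:B", "room_id": ROOM_B, "type": CREATE, "auth_events": []},
    "$member:B": {"event_id": "$member:B", "room_id": ROOM_B, "type": "m.room.member",
                  "auth_events": ["$create:B"]},
}

# Inbound PDUs for room A: one citing only room-A auth events, one citing
# room B's member event (the case the PR's test covers).
INBOUND_OK = {"event_id": "$msg1:A", "room_id": ROOM_A, "type": "m.room.message",
              "auth_events": ["$create:A", "$pl:A"]}
INBOUND_BAD = {"event_id": "$msg2:A", "room_id": ROOM_A, "type": "m.room.message",
               "auth_events": ["$create:A", "$member:B"]}


class AuthEventRejected(Exception):
    """Raised when an inbound event's auth_events fail the room check."""


def resolve_auth_events(event, store):
    """Resolve event['auth_events'] and enforce the cross-room rule.

    Every resolved auth event must share the inbound event's room_id,
    except m.room.create, which rule 2 binds to the room by other means.
    An auth event missing from the store is treated as rejectable here
    (an assumption of this example; the PR only speaks of resolved events).
    """
    resolved = []
    for auth_id in event["auth_events"]:
        auth = store.get(auth_id)
        if auth is None:
            raise AuthEventRejected(f"{event['event_id']}: unknown auth event {auth_id}")
        if auth["type"] != CREATE and auth["room_id"] != event["room_id"]:
            raise AuthEventRejected(
                f"{event['event_id']}: auth event {auth_id} belongs to "
                f"{auth['room_id']}, not {event['room_id']}")
        resolved.append(auth)
    return resolved


def accepts(event, store):
    """True if the inbound event passes the cross-room auth-event check."""
    try:
        resolve_auth_events(event, store)
        return True
    except AuthEventRejected:
        return False
```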