fix(federation): reject cross-room auth events on inbound PDUs #227

Merged: sufforest merged 1 commit into main from wzy/inbound-auth-events-hardening on Jun 30, 2026

sufforest (Owner) commented Jun 30, 2026

An inbound event's auth_events were accepted without checking they belong to the room (receipt rule 3.5), so a peer could cite a foreign-room m.room.power_levels/member as an auth event to fake authority it doesn't hold here. Now reject any resolved auth event whose room_id differs from the event's own; m.room.create is exempt (already bound to the room by check_auth rule 2 via the room_id↔create-id relation).

Test: an event citing another room's member event as an auth event is rejected.

(Scope note: this PR originally also added the restricted-join authoriser-server signature check — auth rule 5.2.1. CI surfaced that it rejected legitimate restricted joins whose join_authorised_via_users_server came through in an unexpected form, so that half was reverted for separate investigation. This PR is the safe, tested cross-room-auth-events half.)
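
The room-binding check described in this PR, sketched in Python as an added example (not the project's code). The dict-based event shape, the function names and the sample IDs are assumptions made for illustration:

```python
# Added illustration: event dicts, names and IDs are constructed, not the project's code.
CREATE = "m.room.create"

class CrossRoomAuthEvent(Exception):
    """A cited auth event belongs to a different room than the event citing it."""

def foreign_auth_events(event, resolved_auth_events):
    """Return event_ids of resolved auth events that are not in event's room.

    m.room.create is skipped: the PR description says it is already bound to
    the room by check_auth rule 2. A non-create auth event without a room_id
    is treated as foreign (fail closed; an assumption of this example).
    """
    room_id = event["room_id"]
    return [
        auth["event_id"]
        for auth in resolved_auth_events
        if auth["type"] != CREATE and auth.get("room_id") != room_id
    ]

def check_inbound(event, resolved_auth_events):
    """Raise CrossRoomAuthEvent if any cited auth event is from another room."""
    bad = foreign_auth_events(event, resolved_auth_events)
    if bad:
        raise CrossRoomAuthEvent(f"{event['event_id']} cites foreign auth events: {bad}")
    return True

# Constructed sample events for two rooms.
ROOM_A, ROOM_B = "!a:one.example", "!b:two.example"
create_a = {"event_id": "$create_a", "type": CREATE, "room_id": ROOM_A}
member_a = {"event_id": "$member_a", "type": "m.room.member", "room_id": ROOM_A}
power_a = {"event_id": "$power_a", "type": "m.room.power_levels", "room_id": ROOM_A}
member_b = {"event_id": "$member_b", "type": "m.room.member", "room_id": ROOM_B}

# A normal message in room A, and one that cites room B's member event instead.
legit = {"event_id": "$msg1", "type": "m.room.message", "room_id": ROOM_A}
forged = {"event_id": "$msg2", "type": "m.room.message", "room_id": ROOM_A}

if __name__ == "__main__":
    print(check_inbound(legit, [create_a, power_a, member_a]))
    try:
        check_inbound(forged, [create_a, power_a, member_b])
    except CrossRoomAuthEvent as exc:
        print("rejected:", exc)
```
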

sufforest force-pushed the wzy/inbound-auth-events-hardening branch from 03c9b71 to a8828b1 on June 30, 2026 07:48
An inbound event's auth_events were accepted without checking they belong to
the room (receipt rule 3.5), so a peer could cite a foreign-room
m.room.power_levels/member as an auth event to fake authority it doesn't hold
here. Now reject any resolved auth event whose room_id differs from the event's
own; m.room.create is exempt (it's bound to the room by check_auth rule 2 via
the room_id↔create-id relation).
sufforest changed the title from "fix(federation): verify restricted-join authoriser sig + reject cross-room auth events" to "fix(federation): reject cross-room auth events on inbound PDUs" on Jun 30, 2026
sufforest force-pushed the wzy/inbound-auth-events-hardening branch from a8828b1 to 7c4e84f on June 30, 2026 08:51
sufforest merged commit cadab5e into main on Jun 30, 2026
11 checks passed
sufforest deleted the wzy/inbound-auth-events-hardening branch on June 30, 2026 09:04