From 1cc21d6bcdfbf438c2bd2f26447cb18861e962f5 Mon Sep 17 00:00:00 2001
From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
Date: Fri, 29 Jun 2018 04:09:00 -0700
Subject: [PATCH] Prevent alias registration in AS exclusive namespace (#480)
* Prevent alias registration in AS exclusive namespace
* Fix M_Exclusive errors so they return status 400 instead of 403.
Signed-off-by: Andrew Morgan
* Directly access namespace map instead of searching for key
---
 .../dendrite/clientapi/jsonerror/jsonerror.go | 3 ++-
 .../dendrite/clientapi/routing/createroom.go | 1 +
 .../dendrite/clientapi/routing/directory.go | 15 +++++++++++++++
 .../dendrite/clientapi/routing/register.go | 4 ++--
 4 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/github.com/matrix-org/dendrite/clientapi/jsonerror/jsonerror.go b/src/github.com/matrix-org/dendrite/clientapi/jsonerror/jsonerror.go
index e0313def..87b0b8ac 100644
--- a/src/github.com/matrix-org/dendrite/clientapi/jsonerror/jsonerror.go
+++ b/src/github.com/matrix-org/dendrite/clientapi/jsonerror/jsonerror.go
@@ -112,7 +112,8 @@ func UserInUse(msg string) *MatrixError {
 // ASExclusive is an error returned when an application service tries to
 // register an username that is outside of its registered namespace, or if a
-// user attempts to register a username within an exclusive namespace
+// user attempts to register a username or room alias within an exclusive
+// namespace.
 func ASExclusive(msg string) *MatrixError {
 return &MatrixError{"M_EXCLUSIVE", msg}
 }
diff --git a/src/github.com/matrix-org/dendrite/clientapi/routing/createroom.go b/src/github.com/matrix-org/dendrite/clientapi/routing/createroom.go
index edb1858d..e5e52016 100644
--- a/src/github.com/matrix-org/dendrite/clientapi/routing/createroom.go
+++ b/src/github.com/matrix-org/dendrite/clientapi/routing/createroom.go
@@ -146,6 +146,7 @@ func createRoom(req *http.Request, device *authtypes.Device,
 // TODO: visibility/presets/raw initial state/creation content
 // TODO: Create room alias association
+ // Make sure this doesn't fall into an application service's namespace though!
 logger.WithFields(log.Fields{
 "userID": userID,
diff --git a/src/github.com/matrix-org/dendrite/clientapi/routing/directory.go b/src/github.com/matrix-org/dendrite/clientapi/routing/directory.go
index dc720fe0..e7f4ef2a 100644
--- a/src/github.com/matrix-org/dendrite/clientapi/routing/directory.go
+++ b/src/github.com/matrix-org/dendrite/clientapi/routing/directory.go
@@ -113,6 +113,21 @@ func SetLocalAlias(
 }
 }
+ // Check that the alias does not fall within an exclusive namespace of an
+ // application service
+ for _, appservice := range cfg.Derived.ApplicationServices {
+ if userNamespaces, ok := appservice.NamespaceMap["users"]; ok {
+ for _, namespace := range userNamespaces {
+ if namespace.Exclusive && namespace.RegexpObject.MatchString(alias) {
+ return util.JSONResponse{
+ Code: http.StatusBadRequest,
+ JSON: jsonerror.ASExclusive("Alias is reserved by an application service"),
+ }
+ }
+ }
+ }
+ }
+
 var r struct {
 RoomID string `json:"room_id"`
 }
diff --git a/src/github.com/matrix-org/dendrite/clientapi/routing/register.go b/src/github.com/matrix-org/dendrite/clientapi/routing/register.go
index cb427b71..63cb013d 100644
--- a/src/github.com/matrix-org/dendrite/clientapi/routing/register.go
+++ b/src/github.com/matrix-org/dendrite/clientapi/routing/register.go
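Review bot: The new loop in SetLocalAlias (directory.go hunk) matches the room alias against `appservice.NamespaceMap["users"]`, which by its name and the `userNamespaces` variable holds user-ID patterns; an application service registers its alias patterns under the `aliases` namespace, so as written a reserved alias is rejected only if it happens to match a user regex, and the exclusive alias namespaces this commit sets out to protect remain claimable by any client. The lookup should presumably read `if aliasNamespaces, ok := appservice.NamespaceMap["aliases"]; ok {` with the inner loop ranging over `aliasNamespaces`. The check also shows no exemption for the application service that owns the namespace; unless that is handled in the part of SetLocalAlias outside this hunk, the owner would be refused its own aliases too. A test that sets one alias inside and one outside an exclusive `aliases` regex would pin both behaviours.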
@@ -363,7 +363,7 @@ func validateApplicationService(
 if !UsernameIsWithinApplicationServiceNamespace(cfg, username, matchedApplicationService) {
 // If we didn't find any matches, return M_EXCLUSIVE
 return "", &util.JSONResponse{
- Code: http.StatusUnauthorized,
+ Code: http.StatusBadRequest,
 JSON: jsonerror.ASExclusive(fmt.Sprintf(
 "Supplied username %s did not match any namespaces for application service ID: %s", username, matchedApplicationService.ID)),
 }
@@ -372,7 +372,7 @@ func validateApplicationService(
 // Check this user does not fit multiple application service namespaces
 if UsernameMatchesMultipleExclusiveNamespaces(cfg, username) {
 return "", &util.JSONResponse{
- Code: http.StatusUnauthorized,
+ Code: http.StatusBadRequest,
 JSON: jsonerror.ASExclusive(fmt.Sprintf(
 "Supplied username %s matches multiple exclusive application service namespaces. Only 1 match allowed", username)),
 }