Improve validation for annotations.

clokep · clokep · commit 575b296b882c · 2021-12-06T13:12:23.000-05:00
diff --git a/synapse/events/utils.py b/synapse/events/utils.py
@@ -459,7 +459,9 @@ async def _injected_bundled_aggregations(
         # The bundled aggregations to include.
         aggregations = {}
 
-        annotations = await self.store.get_aggregation_groups_for_event(event_id)
+        annotations = await self.store.get_aggregation_groups_for_event(
+            event_id, room_id
+        )
         if annotations.chunk:
             aggregations[RelationTypes.ANNOTATION] = annotations.to_dict()
 
diff --git a/synapse/rest/client/relations.py b/synapse/rest/client/relations.py
@@ -318,6 +318,7 @@ async def on_GET(
 
             pagination_chunk = await self.store.get_aggregation_groups_for_event(
                 event_id=parent_id,
+                room_id=room_id,
                 event_type=event_type,
                 limit=limit,
                 from_token=from_token,
diff --git a/synapse/storage/databases/main/relations.py b/synapse/storage/databases/main/relations.py
@@ -201,6 +201,7 @@ async def event_is_target_of_relation(self, parent_id: str) -> bool:
     async def get_aggregation_groups_for_event(
         self,
         event_id: str,
+        room_id: str,
         event_type: Optional[str] = None,
         limit: int = 5,
         direction: str = "b",
@@ -215,6 +216,7 @@ async def get_aggregation_groups_for_event(
 
         Args:
             event_id: Fetch events that relate to this event ID.
+            room_id: The room the event belongs to.
             event_type: Only fetch events with this event type, if given.
             limit: Only fetch the `limit` groups.
             direction: Whether to fetch the highest count first (`"b"`) or
@@ -227,8 +229,12 @@ async def get_aggregation_groups_for_event(
             `type`, `key` and `count` fields.
         """
 
-        where_clause = ["relates_to_id = ?", "relation_type = ?"]
-        where_args: List[Union[str, int]] = [event_id, RelationTypes.ANNOTATION]
+        where_clause = ["relates_to_id = ?", "room_id = ?", "relation_type = ?"]
+        where_args: List[Union[str, int]] = [
+            event_id,
+            room_id,
+            RelationTypes.ANNOTATION,
+        ]
 
         if event_type:
             where_clause.append("type = ?")
diff --git a/tests/rest/client/test_relations.py b/tests/rest/client/test_relations.py
@@ -664,6 +664,7 @@ def test_ignore_invalid_room(self):
         with patch(
             "synapse.handlers.message.EventCreationHandler._validate_event_relation"
         ):
+            # Generate a reaction and reference relations from a different room.
             self.get_success(
                 inject_event(
                     self.hs,
@@ -680,6 +681,23 @@ def test_ignore_invalid_room(self):
                 )
             )
 
+            self.get_success(
+                inject_event(
+                    self.hs,
+                    room_id=self.room,
+                    type="m.room.message",
+                    sender=self.user_id,
+                    content={
+                        "body": "foo",
+                        "msgtype": "m.text",
+                        "m.relates_to": {
+                            "rel_type": RelationTypes.REFERENCE,
+                            "event_id": parent_id,
+                        },
+                    },
+                )
+            )
+
         # They should be ignored when fetching relations.
         channel = self.make_request(
             "GET",
