Merge pull request from GHSA-mp92-3jfm-3575

clokep · web-flow · commit 7a3a55ac9884 · 2023-10-31T13:58:30.000Z
diff --git a/synapse/federation/federation_server.py b/synapse/federation/federation_server.py
@@ -84,7 +84,7 @@
 from synapse.storage.databases.main.lock import Lock
 from synapse.storage.databases.main.roommember import extract_heroes_from_room_summary
 from synapse.storage.roommember import MemberSummary
-from synapse.types import JsonDict, StateMap, get_domain_from_id
+from synapse.types import JsonDict, StateMap, get_domain_from_id, UserID
 from synapse.util import unwrapFirstError
 from synapse.util.async_helpers import Linearizer, concurrently_execute, gather_results
 from synapse.util.caches.response_cache import ResponseCache
@@ -999,6 +999,12 @@ async def on_query_user_devices(
     async def on_claim_client_keys(
         self, query: List[Tuple[str, str, str, int]], always_include_fallback_keys: bool
     ) -> Dict[str, Any]:
+        if any(
+            not self.hs.is_mine(UserID.from_string(user_id))
+            for user_id, _, _, _ in query
+        ):
+            raise SynapseError(400, "User is not hosted on this homeserver")
+
         log_kv({"message": "Claiming one time keys.", "user, device pairs": query})
         results = await self._e2e_keys_handler.claim_local_one_time_keys(
             query, always_include_fallback_keys=always_include_fallback_keys
diff --git a/synapse/handlers/device.py b/synapse/handlers/device.py
@@ -328,6 +328,9 @@ async def get_user_ids_changed(
         return result
 
     async def on_federation_query_user_devices(self, user_id: str) -> JsonDict:
+        if not self.hs.is_mine(UserID.from_string(user_id)):
+            raise SynapseError(400, "User is not hosted on this homeserver")
+
         stream_id, devices = await self.store.get_e2e_device_keys_for_federation_query(
             user_id
         )
diff --git a/synapse/handlers/e2e_keys.py b/synapse/handlers/e2e_keys.py
@@ -542,6 +542,12 @@ async def on_federation_query_client_keys(
         device_keys_query: Dict[str, Optional[List[str]]] = query_body.get(
             "device_keys", {}
         )
+        if any(
+            not self.is_mine(UserID.from_string(user_id))
+            for user_id in device_keys_query
+        ):
+            raise SynapseError(400, "User is not hosted on this homeserver")
+
         res = await self.query_local_devices(
             device_keys_query,
             include_displaynames=(

Original file line number	Diff line number	Diff line change
`@@ -328,6 +328,9 @@ async def get_user_ids_changed(`
`328`	`328`	`return result`
`329`	`329`
`330`	`330`	`async def on_federation_query_user_devices(self, user_id: str) -> JsonDict:`
	`331`	`+ if not self.hs.is_mine(UserID.from_string(user_id)):`
	`332`	`+ raise SynapseError(400, "User is not hosted on this homeserver")`
	`333`	`+`
`331`	`334`	`stream_id, devices = await self.store.get_e2e_device_keys_for_federation_query(`
`332`	`335`	`user_id`
`333`	`336`	`)`