Prevent alias registration in AS exclusive namespace (#480)

* Prevent alias registration in AS exclusive namespace

* Fix M_Exclusive errors so they return status 400 instead of 403.

Signed-off-by: Andrew Morgan <andrewm@matrix.org>

* Directly access namespace map instead of searching for key
This commit is contained in:
Andrew Morgan 2018-06-29 04:09:00 -07:00 committed by GitHub
parent 141fd91537
commit 1cc21d6bcd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 20 additions and 3 deletions

View file

@ -112,7 +112,8 @@ func UserInUse(msg string) *MatrixError {
// ASExclusive is an error returned when an application service tries to
// register an username that is outside of its registered namespace, or if a
// user attempts to register a username within an exclusive namespace
// user attempts to register a username or room alias within an exclusive
// namespace.
func ASExclusive(msg string) *MatrixError {
return &MatrixError{"M_EXCLUSIVE", msg}
}

View file

@ -146,6 +146,7 @@ func createRoom(req *http.Request, device *authtypes.Device,
// TODO: visibility/presets/raw initial state/creation content
// TODO: Create room alias association
// Make sure this doesn't fall into an application service's namespace though!
logger.WithFields(log.Fields{
"userID": userID,

View file

@ -113,6 +113,21 @@ func SetLocalAlias(
}
}
// Check that the alias does not fall within an exclusive namespace of an
// application service
for _, appservice := range cfg.Derived.ApplicationServices {
if userNamespaces, ok := appservice.NamespaceMap["users"]; ok {
for _, namespace := range userNamespaces {
if namespace.Exclusive && namespace.RegexpObject.MatchString(alias) {
return util.JSONResponse{
Code: http.StatusBadRequest,
JSON: jsonerror.ASExclusive("Alias is reserved by an application service"),
}
}
}
}
}
var r struct {
RoomID string `json:"room_id"`
}

View file

@ -363,7 +363,7 @@ func validateApplicationService(
if !UsernameIsWithinApplicationServiceNamespace(cfg, username, matchedApplicationService) {
// If we didn't find any matches, return M_EXCLUSIVE
return "", &util.JSONResponse{
Code: http.StatusUnauthorized,
Code: http.StatusBadRequest,
JSON: jsonerror.ASExclusive(fmt.Sprintf(
"Supplied username %s did not match any namespaces for application service ID: %s", username, matchedApplicationService.ID)),
}
@ -372,7 +372,7 @@ func validateApplicationService(
// Check this user does not fit multiple application service namespaces
if UsernameMatchesMultipleExclusiveNamespaces(cfg, username) {
return "", &util.JSONResponse{
Code: http.StatusUnauthorized,
Code: http.StatusBadRequest,
JSON: jsonerror.ASExclusive(fmt.Sprintf(
"Supplied username %s matches multiple exclusive application service namespaces. Only 1 match allowed", username)),
}