From fe6c97f49860f4357f56a442e0742706703d2577 Mon Sep 17 00:00:00 2001 From: Tulir Asokan Date: Sun, 21 Dec 2025 15:19:57 +0200 Subject: [PATCH 1/4] Specify basic validation for federation membership endpoints Signed-off-by: Tulir Asokan --- .../newsfragments/2284.clarification | 1 + data/api/server-server/invites-v1.yaml | 17 ++++++-- data/api/server-server/invites-v2.yaml | 17 ++++++-- data/api/server-server/joins-v1.yaml | 39 ++++++++++++++++++- data/api/server-server/joins-v2.yaml | 10 +++++ data/api/server-server/knocks.yaml | 23 ++++++++++- data/api/server-server/leaving-v1.yaml | 23 ++++++++++- data/api/server-server/leaving-v2.yaml | 21 ++++++++++ 8 files changed, 142 insertions(+), 9 deletions(-) create mode 100644 changelogs/server_server/newsfragments/2284.clarification diff --git a/changelogs/server_server/newsfragments/2284.clarification b/changelogs/server_server/newsfragments/2284.clarification new file mode 100644 index 00000000..31d94bf4 --- /dev/null +++ b/changelogs/server_server/newsfragments/2284.clarification @@ -0,0 +1 @@ +Specified input validation for PDUs passed to federation membership endpoints. diff --git a/data/api/server-server/invites-v1.yaml b/data/api/server-server/invites-v1.yaml index beb44b84..31cc4eeb 100644 --- a/data/api/server-server/invites-v1.yaml +++ b/data/api/server-server/invites-v1.yaml 
@@ -172,6 +172,17 @@ paths: } "400": description: |- + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The invite event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `invite`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not a user ID on the receiving server. + + Servers MUST apply the validation above to the invite event before + signing it regardless of room version. + The `M_MISSING_PARAM` error code is used to indicate one or more of the following: @@ -186,9 +197,9 @@ paths: Servers MAY apply the validation above to room versions 1 through 11, and SHOULD apply the validation above to all other room versions. - If `M_MISSING_PARAM` is returned and the request is associated with a - Client-Server API request, the Client-Server API request SHOULD fail - with a 5xx error rather than being passed through. + If `M_MISSING_PARAM` or `M_INVALID_PARAM` is returned and the request + is associated with a Client-Server API request, the Client-Server API + request SHOULD fail with a 5xx error rather than being passed through. content: application/json: schema: diff --git a/data/api/server-server/invites-v2.yaml b/data/api/server-server/invites-v2.yaml index 7b71b472..9c3a474b 100644 --- a/data/api/server-server/invites-v2.yaml +++ b/data/api/server-server/invites-v2.yaml 
@@ -154,6 +154,17 @@ paths: The error should be passed through to clients so that they may give better feedback to users. + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The invite event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `invite`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not a user ID on the receiving server. + + Servers MUST apply the validation above to the invite event before + signing it regardless of room version. + The `M_MISSING_PARAM` error code is used to indicate one or more of the following: @@ -168,9 +179,9 @@ paths: Servers MAY apply the validation above to room versions 1 through 11, and SHOULD apply the validation above to all other room versions. - If `M_MISSING_PARAM` is returned and the request is associated with a - Client-Server API request, the Client-Server API request SHOULD fail - with a 5xx error rather than being passed through. + If `M_MISSING_PARAM` or `M_INVALID_PARAM` is returned and the request + is associated with a Client-Server API request, the Client-Server API + request SHOULD fail with a 5xx error rather than being passed through. content: application/json: schema: diff --git a/data/api/server-server/joins-v1.yaml b/data/api/server-server/joins-v1.yaml index de671ef9..ae62411f 100644 --- a/data/api/server-server/joins-v1.yaml +++ b/data/api/server-server/joins-v1.yaml @@ -36,7 +36,7 @@ paths: type: string - in: path name: userId - description: The user ID the join event will be for. + description: The user ID the join event will be for. This MUST be a user ID on the origin server. required: true example: "@someone:example.org" schema: 
@@ -388,6 +388,43 @@ paths: } } ] + "400": + description: |- + The request is invalid in some way. + + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The join event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `join`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not equal to the `sender`. + + Servers MUST apply the validation above to the join event. + content: + application/json: + schema: + $ref: ../client-server/definitions/errors/error.yaml + examples: + response: + value: { + "errcode": "M_INVALID_PARAM", + "error": "Not a join event." + } + "403": + description: |- + The room that the joining server is attempting to join does not permit the user + to join. + content: + application/json: + schema: + $ref: ../client-server/definitions/errors/error.yaml + examples: + response: + value: { + "errcode": "M_FORBIDDEN", + "error": "You are not invited to this room" + } servers: - url: "{protocol}://{hostname}{basePath}" variables: diff --git a/data/api/server-server/joins-v2.yaml b/data/api/server-server/joins-v2.yaml index 91e6a83e..51687fb5 100644 --- a/data/api/server-server/joins-v2.yaml +++ b/data/api/server-server/joins-v2.yaml 
@@ -247,6 +247,16 @@ paths: The error should be passed through to clients so that they may give better feedback to users. + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The join event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `join`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not equal to the `sender`. + + Servers MUST apply the validation above to the join event. + New in `v1.2`, the following error conditions might happen: If the room is [restricted](/client-server-api/#restricted-rooms) diff --git a/data/api/server-server/knocks.yaml b/data/api/server-server/knocks.yaml index 38092085..6d0e2d78 100644 --- a/data/api/server-server/knocks.yaml +++ b/data/api/server-server/knocks.yaml @@ -36,7 +36,7 @@ paths: type: string - in: path name: userId - description: The user ID the knock event will be for. + description: The user ID the knock event will be for. This MUST be a user ID on the origin server. required: true example: "@someone:example.org" schema: 
@@ -330,6 +330,27 @@ paths: "$ref": "./examples/invite_or_knock_state.json" } } + "400": + description: |- + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The knock event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `knock`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not equal to the `sender`. + + Servers MUST apply the validation above to the knock event. + content: + application/json: + schema: + $ref: ../client-server/definitions/errors/error.yaml + examples: + response: + value: { + "errcode": "M_INVALID_PARAM", + "error": "Not a knock event." + } "403": description: |- The knocking server or user is not permitted to knock on the room, such as when the diff --git a/data/api/server-server/leaving-v1.yaml b/data/api/server-server/leaving-v1.yaml index a630f6d7..b36ac6ac 100644 --- a/data/api/server-server/leaving-v1.yaml +++ b/data/api/server-server/leaving-v1.yaml @@ -36,7 +36,7 @@ paths: type: string - in: path name: userId - description: The user ID the leave event will be for. + description: The user ID the leave event will be for. This MUST be a user ID on the origin server. required: true example: "@someone:example.org" schema: 
@@ -249,6 +249,27 @@ paths: 200, {} ] + "400": + description: |- + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The leave event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `leave`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not equal to the `sender`. + + Servers MUST apply the validation above to the leave event. + content: + application/json: + schema: + $ref: ../client-server/definitions/errors/error.yaml + examples: + response: + value: { + "errcode": "M_INVALID_PARAM", + "error": "Not a leave event." + } servers: - url: "{protocol}://{hostname}{basePath}" variables: diff --git a/data/api/server-server/leaving-v2.yaml b/data/api/server-server/leaving-v2.yaml index 0db16cbe..019ff1b3 100644 --- a/data/api/server-server/leaving-v2.yaml +++ b/data/api/server-server/leaving-v2.yaml @@ -134,6 +134,27 @@ paths: examples: response: value: {} + "400": + description: |- + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The leave event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `leave`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not equal to the `sender`. + + Servers MUST apply the validation above to the leave event. + content: + application/json: + schema: + $ref: ../client-server/definitions/errors/error.yaml + examples: + response: + value: { + "errcode": "M_INVALID_PARAM", + "error": "Not a leave event." + } servers: - url: "{protocol}://{hostname}{basePath}" variables: From a7721b7b5827d449734cbb858abff73301080788 Mon Sep 17 00:00:00 2001 
From: Tulir Asokan Date: Sat, 7 Feb 2026 20:53:12 +0200 Subject: [PATCH 2/4] Move validation to endpoint description --- data/api/server-server/invites-v1.yaml | 53 ++++++++++++------------- data/api/server-server/invites-v2.yaml | 55 +++++++++++++------------- data/api/server-server/joins-v1.yaml | 19 +++++---- data/api/server-server/joins-v2.yaml | 21 +++++----- data/api/server-server/knocks.yaml | 19 ++++----- data/api/server-server/leaving-v1.yaml | 19 ++++----- data/api/server-server/leaving-v2.yaml | 19 ++++----- 7 files changed, 103 insertions(+), 102 deletions(-) diff --git a/data/api/server-server/invites-v1.yaml b/data/api/server-server/invites-v1.yaml index 31cc4eeb..5ec95d5e 100644 --- a/data/api/server-server/invites-v1.yaml +++ b/data/api/server-server/invites-v1.yaml 
@@ -36,6 +36,30 @@ paths: Also note that if the remote homeserver is already in the room, it will receive the invite event twice; once through this endpoint, and again through a [federation transaction](/server-server-api/#transactions). + + Servers MUST apply certain validation to ensure they don't accidentally sign non-invite + events from a malicious server. The `M_MISSING_PARAM` error code is used to indicate one + or more of the following: + + * The invite event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `invite`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not a user ID on the receiving server. + + The `M_MISSING_PARAM` error code is also used to indicate one or more of the following + problems in the `invite_room_state` field: + + * The `m.room.create` event is missing from `invite_room_state`. + * One or more entries in `invite_room_state` are not formatted according + to the room's version. + * One or more events fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * One or more events does not reside in the same room as the invite. + Note: Some room versions may require calculating the room ID for an + event rather than relying on the presence of `room_id`. + + Servers MAY apply the `invite_room_state` validation to room versions 1 through 11, + and SHOULD apply the validation to all other room versions. operationId: sendInviteV1 security: - signedRequest: [] 
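Review bot: The invite-event checks moved into the endpoint description are now attributed to `M_MISSING_PARAM`, whereas patch 1 introduced them under `M_INVALID_PARAM` and the same checks on `/send_join`, `/send_knock` and `/send_leave` in this very patch still use `M_INVALID_PARAM`; a failed signature check or a non-invite `membership` is not a missing parameter, and folding it into the `invite_room_state` code makes the two failure classes indistinguishable to the caller. Suggest `The \`M_INVALID_PARAM\` error code is used to indicate one or more of the following:` for the first list, keeping `M_MISSING_PARAM` for the `invite_room_state` list only. The qualifier "regardless of room version" from patch 1 was also dropped here, which leaves it open whether the closing MAY/SHOULD sentence now applies to the invite-event checks as well; `Servers MUST apply this validation to the invite event before signing it, regardless of room version.` after the first list would close that. The matching `invites-v2.yaml` description hunk has the same two issues.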
@@ -172,34 +196,7 @@ paths: } "400": description: |- - The `M_INVALID_PARAM` error code is used to indicate one or more of the following: - - * The invite event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). - * The event type is not `m.room.member`. - * The `membership` field inside the event content is not `invite`. - * The event sender is not a user ID on the origin server. - * The `state_key` is not a user ID on the receiving server. - - Servers MUST apply the validation above to the invite event before - signing it regardless of room version. - - The `M_MISSING_PARAM` error code is used to indicate one or more of - the following: - - * The `m.room.create` event is missing from `invite_room_state`. - * One or more entries in `invite_room_state` are not formatted according - to the room's version. - * One or more events fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). - * One or more events does not reside in the same room as the invite. - Note: Some room versions may require calculating the room ID for an - event rather than relying on the presence of `room_id`. - - Servers MAY apply the validation above to room versions 1 through 11, - and SHOULD apply the validation above to all other room versions. - - If `M_MISSING_PARAM` or `M_INVALID_PARAM` is returned and the request - is associated with a Client-Server API request, the Client-Server API - request SHOULD fail with a 5xx error rather than being passed through. + The request is invalid in some way. content: application/json: schema: diff --git a/data/api/server-server/invites-v2.yaml b/data/api/server-server/invites-v2.yaml index 9c3a474b..72b69e10 100644 --- a/data/api/server-server/invites-v2.yaml +++ b/data/api/server-server/invites-v2.yaml 
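Review bot: The `/send_invite` v1 `400` description now drops the sentence requiring an associated Client-Server API request to fail with a 5xx instead of passing the federation error through, while the v2 hunk in this same patch keeps that sentence for `M_MISSING_PARAM` only, so v1 and v2 disagree and neither covers `M_INVALID_PARAM` any more. Passing a remote `400` straight to a client misattributes a malformed or incorrectly signed event produced by the remote server to the client. Suggest keeping in both files: `If \`M_MISSING_PARAM\` or \`M_INVALID_PARAM\` is returned and the request is associated with a Client-Server API request, the Client-Server API request SHOULD fail with a 5xx error rather than being passed through.`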
@@ -40,6 +40,30 @@ paths: Also note that if the remote homeserver is already in the room, it will receive the invite event twice; once through this endpoint, and again through a [federation transaction](/server-server-api/#transactions). + + Servers MUST apply certain validation to ensure they don't accidentally sign non-invite + events from a malicious server. The `M_MISSING_PARAM` error code is used to indicate one + or more of the following: + + * The invite event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `invite`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not a user ID on the receiving server. + + The `M_MISSING_PARAM` error code is also used to indicate one or more of the following + problems in the `invite_room_state` field: + + * The `m.room.create` event is missing from `invite_room_state`. + * One or more entries in `invite_room_state` are not formatted according + to the room's version. + * One or more events fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * One or more events does not reside in the same room as the invite. + Note: Some room versions may require calculating the room ID for an + event rather than relying on the presence of `room_id`. + + Servers MAY apply the `invite_room_state` validation to room versions 1 through 11, + and SHOULD apply the validation to all other room versions. operationId: sendInviteV2 security: - signedRequest: [] 
@@ -154,34 +178,9 @@ paths: The error should be passed through to clients so that they may give better feedback to users. - The `M_INVALID_PARAM` error code is used to indicate one or more of the following: - - * The invite event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). - * The event type is not `m.room.member`. - * The `membership` field inside the event content is not `invite`. - * The event sender is not a user ID on the origin server. - * The `state_key` is not a user ID on the receiving server. - - Servers MUST apply the validation above to the invite event before - signing it regardless of room version. - - The `M_MISSING_PARAM` error code is used to indicate one or more of - the following: - - * The `m.room.create` event is missing from `invite_room_state`. - * One or more entries in `invite_room_state` are not formatted according - to the room's version. - * One or more events fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). - * One or more events does not reside in the same room as the invite. - Note: Some room versions may require calculating the room ID for an - event rather than relying on the presence of `room_id`. - - Servers MAY apply the validation above to room versions 1 through 11, - and SHOULD apply the validation above to all other room versions. - - If `M_MISSING_PARAM` or `M_INVALID_PARAM` is returned and the request - is associated with a Client-Server API request, the Client-Server API - request SHOULD fail with a 5xx error rather than being passed through. + If `M_MISSING_PARAM` is returned and the request is associated with a + Client-Server API request, the Client-Server API request SHOULD fail + with a 5xx error rather than being passed through. content: application/json: schema: diff --git a/data/api/server-server/joins-v1.yaml b/data/api/server-server/joins-v1.yaml index ae62411f..6cb30c7d 100644 
--- a/data/api/server-server/joins-v1.yaml +++ b/data/api/server-server/joins-v1.yaml @@ -238,6 +238,15 @@ paths: **The request and response body here describe the common event fields in more detail and may be missing other required fields for a PDU.** + + The receiving server MUST apply certain validation before accepting the event. + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The join event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `join`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not equal to the `sender`. operationId: sendJoinV1 security: - signedRequest: [] @@ -391,16 +400,6 @@ paths: "400": description: |- The request is invalid in some way. - - The `M_INVALID_PARAM` error code is used to indicate one or more of the following: - - * The join event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). - * The event type is not `m.room.member`. - * The `membership` field inside the event content is not `join`. - * The event sender is not a user ID on the origin server. - * The `state_key` is not equal to the `sender`. - - Servers MUST apply the validation above to the join event. content: application/json: schema: diff --git a/data/api/server-server/joins-v2.yaml b/data/api/server-server/joins-v2.yaml index 51687fb5..0f23ca94 100644 --- a/data/api/server-server/joins-v2.yaml +++ b/data/api/server-server/joins-v2.yaml 
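Review bot: The `/send_join` validation list compares `sender` with the origin server and `state_key` with `sender`, but never ties the event to the path parameters: nothing requires the event's `room_id` to equal `roomId` or its `state_key` to equal `userId`, even though patch 1 marks `userId` as `This MUST be a user ID on the origin server` and patch 3 requires exactly these path-parameter comparisons on the `/make_join` template. Without them the receiving server has no stated basis to reject a correctly signed event whose room or user differs from the URL it was submitted under. Suggest adding `* The \`room_id\` is not equal to the \`roomId\` path parameter.` and `* The \`state_key\` is not equal to the \`userId\` path parameter.`; whether `event_id` should also be compared with the `eventId` path parameter presumably depends on room version and deserves a sentence either way. The same gap is in the `/send_join` v2, `/send_knock` and `/send_leave` v1/v2 hunks of this patch and, for `room_id`, in both `/send_invite` description hunks.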
@@ -38,6 +38,15 @@ paths: **The request and response body here describe the common event fields in more detail and may be missing other required fields for a PDU.** + + The receiving server MUST apply certain validation before accepting the event. + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The join event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `join`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not equal to the `sender`. operationId: sendJoinV2 security: - signedRequest: [] @@ -247,15 +256,9 @@ paths: The error should be passed through to clients so that they may give better feedback to users. - The `M_INVALID_PARAM` error code is used to indicate one or more of the following: - - * The join event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). - * The event type is not `m.room.member`. - * The `membership` field inside the event content is not `join`. - * The event sender is not a user ID on the origin server. - * The `state_key` is not equal to the `sender`. - - Servers MUST apply the validation above to the join event. + If `M_MISSING_PARAM` is returned and the request is associated with a + Client-Server API request, the Client-Server API request SHOULD fail + with a 5xx error rather than being passed through. New in `v1.2`, the following error conditions might happen: diff --git a/data/api/server-server/knocks.yaml b/data/api/server-server/knocks.yaml index 6d0e2d78..13596598 100644 --- a/data/api/server-server/knocks.yaml +++ b/data/api/server-server/knocks.yaml 
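Review bot: The replacement text in the `/send_join` v2 `400` description only mentions `M_MISSING_PARAM`, but nothing visible defines `M_MISSING_PARAM` for this endpoint — the validation moved into the description above uses `M_INVALID_PARAM`, and the v1 hunk in this patch reduces the same description to `The request is invalid in some way.` — so the sentence looks carried over from the invite endpoints. If the intent is the 5xx-passthrough rule, it should read `If \`M_INVALID_PARAM\` is returned and the request is associated with a Client-Server API request, the Client-Server API request SHOULD fail with a 5xx error rather than being passed through.` and v1 should carry the same sentence; otherwise it should be dropped so v1 and v2 match.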
@@ -204,6 +204,15 @@ paths: **The request and response body here describe the common event fields in more detail and may be missing other required fields for a PDU.** + + The receiving server MUST apply certain validation before accepting the event. + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The knock event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `knock`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not equal to the `sender`. operationId: sendKnock security: - signedRequest: [] @@ -332,15 +341,7 @@ paths: } "400": description: |- - The `M_INVALID_PARAM` error code is used to indicate one or more of the following: - - * The knock event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). - * The event type is not `m.room.member`. - * The `membership` field inside the event content is not `knock`. - * The event sender is not a user ID on the origin server. - * The `state_key` is not equal to the `sender`. - - Servers MUST apply the validation above to the knock event. + The request is invalid in some way. content: application/json: schema: diff --git a/data/api/server-server/leaving-v1.yaml b/data/api/server-server/leaving-v1.yaml index b36ac6ac..beb3776c 100644 --- a/data/api/server-server/leaving-v1.yaml +++ b/data/api/server-server/leaving-v1.yaml 
@@ -153,6 +153,15 @@ paths: **The request and response body here describe the common event fields in more detail and may be missing other required fields for a PDU.** + + The receiving server MUST apply certain validation before accepting the event. + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The leave event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `leave`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not equal to the `sender`. operationId: sendLeaveV1 security: - signedRequest: [] @@ -251,15 +260,7 @@ paths: ] "400": description: |- - The `M_INVALID_PARAM` error code is used to indicate one or more of the following: - - * The leave event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). - * The event type is not `m.room.member`. - * The `membership` field inside the event content is not `leave`. - * The event sender is not a user ID on the origin server. - * The `state_key` is not equal to the `sender`. - - Servers MUST apply the validation above to the leave event. + The request is invalid in some way. content: application/json: schema: diff --git a/data/api/server-server/leaving-v2.yaml b/data/api/server-server/leaving-v2.yaml index 019ff1b3..33dab2d4 100644 --- a/data/api/server-server/leaving-v2.yaml +++ b/data/api/server-server/leaving-v2.yaml 
@@ -38,6 +38,15 @@ paths: **The request and response body here describe the common event fields in more detail and may be missing other required fields for a PDU.** + + The receiving server MUST apply certain validation before accepting the event. + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The leave event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `leave`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not equal to the `sender`. operationId: sendLeaveV2 security: - signedRequest: [] @@ -136,15 +145,7 @@ paths: value: {} "400": description: |- - The `M_INVALID_PARAM` error code is used to indicate one or more of the following: - - * The leave event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). - * The event type is not `m.room.member`. - * The `membership` field inside the event content is not `leave`. - * The event sender is not a user ID on the origin server. - * The `state_key` is not equal to the `sender`. - - Servers MUST apply the validation above to the leave event. + The request is invalid in some way. content: application/json: schema: From ec805121467c0946b9c1ca07c145778683e1a7d6 Mon Sep 17 00:00:00 2001 From: Tulir Asokan Date: Sat, 7 Feb 2026 20:53:29 +0200 Subject: [PATCH 3/4] Specify more validation to cover GHSA-m5p2-vccg-8c9v --- content/server-server-api.md | 6 ++++-- data/api/server-server/joins-v1.yaml | 11 +++++++++++ data/api/server-server/knocks.yaml | 11 +++++++++++ data/api/server-server/leaving-v1.yaml | 11 +++++++++++ 4 files changed, 37 insertions(+), 2 deletions(-) diff --git a/content/server-server-api.md b/content/server-server-api.md index 1ab7e3ba..bc393ae9 100644 --- a/content/server-server-api.md +++ b/content/server-server-api.md 
@@ -868,8 +868,10 @@ selecting a resident from the candidate list, and using the enough information for the joining server to fill in the event. The joining server is expected to add or replace the `origin`, -`origin_server_ts`, and `event_id` on the templated event received by -the resident server. This event is then signed by the joining server. +`origin_server_ts`, and `event_id` on the templated event received by the +resident server. The joining server MUST also verify that the `type`, `room_id`, +`sender`, `state_key` and `content.membership` fields have the expected values. +This event is then signed by the joining server. To complete the join handshake, the joining server submits this new event to the resident server it used for `GET /make_join`, using the `PUT /send_join` diff --git a/data/api/server-server/joins-v1.yaml b/data/api/server-server/joins-v1.yaml index 6cb30c7d..a319011e 100644 --- a/data/api/server-server/joins-v1.yaml +++ b/data/api/server-server/joins-v1.yaml @@ -23,6 +23,17 @@ paths: description: |- Asks the receiving server to return information that the sending server will need to prepare a join event to get into the room. + + Before signing the returned template and calling `/send_join`, + the sending server MUST verify that: + + * the `room_id` is equal to the `roomId` path parameter. + * both the `sender` and `state_key` are equal to the `userId` path parameter. + * the `type` of the event is `m.room.member`. + * the `membership` field inside `content` is `join`. + + In case any of the above checks fail, the response MUST be treated as malformed and + discarded. The caller MAY try to join through another server. operationId: makeJoin security: - signedRequest: [] diff --git a/data/api/server-server/knocks.yaml b/data/api/server-server/knocks.yaml index 13596598..6bbc31a4 100644 --- a/data/api/server-server/knocks.yaml +++ b/data/api/server-server/knocks.yaml 
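Review bot: The new sentence in server-server-api.md says the joining server MUST verify that `type`, `room_id`, `sender`, `state_key` and `content.membership` have "the expected values" without stating what those are, while the `/make_join` description in the same patch spells them out, so a reader of the prose section has to guess. Suggest `... have the expected values (\`m.room.member\`, the room being joined, the joining user ID for both \`sender\` and \`state_key\`, and \`join\` respectively), discarding the template otherwise, before signing it.` or a link to the endpoint description. The prose also calls this actor the `joining server` while the YAML says `sending server`; one term avoids implying two different parties.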
@@ -23,6 +23,17 @@ paths: description: |- Asks the receiving server to return information that the sending server will need to prepare a knock event for the room. + + Before signing the returned template and calling `/send_knock`, + the sending server MUST verify that: + + * the `room_id` is equal to the `roomId` path parameter. + * both the `sender` and `state_key` are equal to the `userId` path parameter. + * the `type` of the event is `m.room.member`. + * the `membership` field inside `content` is `knock`. + + In case any of the above checks fail, the response MUST be treated as malformed and + discarded. The caller MAY try to knock through another server. operationId: makeKnock security: - signedRequest: [] diff --git a/data/api/server-server/leaving-v1.yaml b/data/api/server-server/leaving-v1.yaml index beb3776c..bbecc6b3 100644 --- a/data/api/server-server/leaving-v1.yaml +++ b/data/api/server-server/leaving-v1.yaml @@ -23,6 +23,17 @@ paths: description: |- Asks the receiving server to return information that the sending server will need to prepare a leave event to get out of the room. + + Before signing the returned template and calling `/send_leave`, + the sending server MUST verify that: + + * the `room_id` is equal to the `roomId` path parameter. + * both the `sender` and `state_key` are equal to the `userId` path parameter. + * the `type` of the event is `m.room.member`. + * the `membership` field inside `content` is `leave`. + + In case any of the above checks fail, the response MUST be treated as malformed and + discarded. The caller MAY try to leave through another server. operationId: makeLeave security: - signedRequest: [] From aa9a203be03bb318e6dc2bbbe62e8e7c999d88f4 Mon Sep 17 00:00:00 2001 From: Tulir Asokan Date: Sat, 7 Feb 2026 20:55:28 +0200 Subject: [PATCH 4/4] Update changelog --- changelogs/server_server/newsfragments/2284.clarification | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/changelogs/server_server/newsfragments/2284.clarification b/changelogs/server_server/newsfragments/2284.clarification index 31d94bf4..230c6959 100644 --- a/changelogs/server_server/newsfragments/2284.clarification +++ b/changelogs/server_server/newsfragments/2284.clarification @@ -1 +1 @@ -Specified input validation for PDUs passed to federation membership endpoints. +Specified input validation for PDUs passed to and returned from federation membership endpoints.