From ec805121467c0946b9c1ca07c145778683e1a7d6 Mon Sep 17 00:00:00 2001 From: Tulir Asokan Date: Sat, 7 Feb 2026 20:53:29 +0200 Subject: [PATCH] Specify more validation to cover GHSA-m5p2-vccg-8c9v --- content/server-server-api.md | 6 ++++-- data/api/server-server/joins-v1.yaml | 11 +++++++++++ data/api/server-server/knocks.yaml | 11 +++++++++++ data/api/server-server/leaving-v1.yaml | 11 +++++++++++ 4 files changed, 37 insertions(+), 2 deletions(-) diff --git a/content/server-server-api.md b/content/server-server-api.md index 1ab7e3ba..bc393ae9 100644 --- a/content/server-server-api.md +++ b/content/server-server-api.md @@ -868,8 +868,10 @@ selecting a resident from the candidate list, and using the enough information for the joining server to fill in the event. The joining server is expected to add or replace the `origin`, -`origin_server_ts`, and `event_id` on the templated event received by -the resident server. This event is then signed by the joining server. +`origin_server_ts`, and `event_id` on the templated event received by the +resident server. The joining server MUST also verify that the `type`, `room_id`, +`sender`, `state_key` and `content.membership` fields have the expected values. +This event is then signed by the joining server. To complete the join handshake, the joining server submits this new event to the resident server it used for `GET /make_join`, using the `PUT /send_join` diff --git a/data/api/server-server/joins-v1.yaml b/data/api/server-server/joins-v1.yaml index 6cb30c7d..a319011e 100644 --- a/data/api/server-server/joins-v1.yaml +++ b/data/api/server-server/joins-v1.yaml 
@@ -23,6 +23,17 @@ paths: description: |- Asks the receiving server to return information that the sending server will need to prepare a join event to get into the room. + + Before signing the returned template and calling `/send_join`, + the sending server MUST verify that: + + * the `room_id` is equal to the `roomId` path parameter. + * both the `sender` and `state_key` are equal to the `userId` path parameter. + * the `type` of the event is `m.room.member`. + * the `membership` field inside `content` is `join`. + + In case any of the above checks fail, the response MUST be treated as malformed and + discarded. The caller MAY try to join through another server. operationId: makeJoin security: - signedRequest: [] diff --git a/data/api/server-server/knocks.yaml b/data/api/server-server/knocks.yaml index 13596598..6bbc31a4 100644 --- a/data/api/server-server/knocks.yaml +++ b/data/api/server-server/knocks.yaml @@ -23,6 +23,17 @@ paths: description: |- Asks the receiving server to return information that the sending server will need to prepare a knock event for the room. + + Before signing the returned template and calling `/send_knock`, + the sending server MUST verify that: + + * the `room_id` is equal to the `roomId` path parameter. + * both the `sender` and `state_key` are equal to the `userId` path parameter. + * the `type` of the event is `m.room.member`. + * the `membership` field inside `content` is `knock`. + + In case any of the above checks fail, the response MUST be treated as malformed and + discarded. The caller MAY try to knock through another server. operationId: makeKnock security: - signedRequest: [] diff --git a/data/api/server-server/leaving-v1.yaml b/data/api/server-server/leaving-v1.yaml index beb3776c..bbecc6b3 100644 --- a/data/api/server-server/leaving-v1.yaml +++ b/data/api/server-server/leaving-v1.yaml 
@@ -23,6 +23,17 @@ paths: description: |- Asks the receiving server to return information that the sending server will need to prepare a leave event to get out of the room. + + Before signing the returned template and calling `/send_leave`, + the sending server MUST verify that: + + * the `room_id` is equal to the `roomId` path parameter. + * both the `sender` and `state_key` are equal to the `userId` path parameter. + * the `type` of the event is `m.room.member`. + * the `membership` field inside `content` is `leave`. + + In case any of the above checks fail, the response MUST be treated as malformed and + discarded. The caller MAY try to leave through another server. operationId: makeLeave security: - signedRequest: []
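Review bot: In the `content/server-server-api.md` hunk (the join handshake paragraph), "have the expected values" is left undefined in the spec prose, while the three YAML descriptions spell the values out; a reader of the rendered spec will only see the prose sentence. Suggest stating them here as well, e.g. "`type` is `m.room.member`, `room_id` is the room being joined, `sender` and `state_key` are the joining user's ID, and `content.membership` is `join`", and adding that a template failing any check MUST be discarded rather than signed, as the YAML already says. The diffstat shows only this one prose hunk even though `knocks.yaml` and `leaving-v1.yaml` gain the same requirement, so check whether the knock and leave prose sections of the same file need the matching sentence.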
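Review bot: In the `joins-v1.yaml` hunk, the new list is the normative definition of the check but is wrapped in the non-normative "Asks the receiving server ..." description; the wording "In case any of the above checks fail" would read more clearly as "If any of the above checks fail, the sending server MUST treat the response as malformed and discard it", naming the party that has the obligation. It is also worth stating that the comparison for `sender` and `state_key` is an exact string match against the `userId` path parameter (so a missing `state_key` fails the check), since the description currently only says "equal to".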
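Review bot: The `knocks.yaml` hunk repeats the `joins-v1.yaml` list verbatim apart from `knock`/`/send_knock`, and `leaving-v1.yaml` does the same with `leave`; three hand-copied lists will drift. Consider keeping one list in the spec prose and having each endpoint description state only the endpoint-specific membership value and link to that list, so a later change to the checks lands in all three flows at once.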