diff --git a/changelogs/server_server/newsfragments/2284.clarification b/changelogs/server_server/newsfragments/2284.clarification new file mode 100644 index 00000000..31d94bf4 --- /dev/null +++ b/changelogs/server_server/newsfragments/2284.clarification @@ -0,0 +1 @@ +Specified input validation for PDUs passed to federation membership endpoints. diff --git a/data/api/server-server/invites-v1.yaml b/data/api/server-server/invites-v1.yaml index beb44b84..31cc4eeb 100644 --- a/data/api/server-server/invites-v1.yaml +++ b/data/api/server-server/invites-v1.yaml @@ -172,6 +172,17 @@ paths: } "400": description: |- + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The invite event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `invite`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not a user ID on the receiving server. + + Servers MUST apply the validation above to the invite event before + signing it regardless of room version. + The `M_MISSING_PARAM` error code is used to indicate one or more of the following: @@ -186,9 +197,9 @@ paths: Servers MAY apply the validation above to room versions 1 through 11, and SHOULD apply the validation above to all other room versions. - If `M_MISSING_PARAM` is returned and the request is associated with a - Client-Server API request, the Client-Server API request SHOULD fail - with a 5xx error rather than being passed through. + If `M_MISSING_PARAM` or `M_INVALID_PARAM` is returned and the request + is associated with a Client-Server API request, the Client-Server API + request SHOULD fail with a 5xx error rather than being passed through. content: application/json: schema: diff --git a/data/api/server-server/invites-v2.yaml b/data/api/server-server/invites-v2.yaml index 7b71b472..9c3a474b 100644 --- a/data/api/server-server/invites-v2.yaml +++ b/data/api/server-server/invites-v2.yaml @@ -154,6 +154,17 @@ paths: The error should be passed through to clients so that they may give better feedback to users. + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The invite event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `invite`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not a user ID on the receiving server. + + Servers MUST apply the validation above to the invite event before + signing it regardless of room version. + The `M_MISSING_PARAM` error code is used to indicate one or more of the following: @@ -168,9 +179,9 @@ paths: Servers MAY apply the validation above to room versions 1 through 11, and SHOULD apply the validation above to all other room versions. - If `M_MISSING_PARAM` is returned and the request is associated with a - Client-Server API request, the Client-Server API request SHOULD fail - with a 5xx error rather than being passed through. + If `M_MISSING_PARAM` or `M_INVALID_PARAM` is returned and the request + is associated with a Client-Server API request, the Client-Server API + request SHOULD fail with a 5xx error rather than being passed through. content: application/json: schema: diff --git a/data/api/server-server/joins-v1.yaml b/data/api/server-server/joins-v1.yaml index de671ef9..ae62411f 100644 --- a/data/api/server-server/joins-v1.yaml +++ b/data/api/server-server/joins-v1.yaml @@ -36,7 +36,7 @@ paths: type: string - in: path name: userId - description: The user ID the join event will be for. + description: The user ID the join event will be for. This MUST be a user ID on the origin server. required: true example: "@someone:example.org" schema: @@ -388,6 +388,43 @@ paths: } } ] + "400": + description: |- + The request is invalid in some way. + + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The join event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `join`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not equal to the `sender`. + + Servers MUST apply the validation above to the join event. + content: + application/json: + schema: + $ref: ../client-server/definitions/errors/error.yaml + examples: + response: + value: { + "errcode": "M_INVALID_PARAM", + "error": "Not a join event." + } + "403": + description: |- + The room that the joining server is attempting to join does not permit the user + to join. + content: + application/json: + schema: + $ref: ../client-server/definitions/errors/error.yaml + examples: + response: + value: { + "errcode": "M_FORBIDDEN", + "error": "You are not invited to this room" + } servers: - url: "{protocol}://{hostname}{basePath}" variables: diff --git a/data/api/server-server/joins-v2.yaml b/data/api/server-server/joins-v2.yaml index 91e6a83e..51687fb5 100644 --- a/data/api/server-server/joins-v2.yaml +++ b/data/api/server-server/joins-v2.yaml @@ -247,6 +247,16 @@ paths: The error should be passed through to clients so that they may give better feedback to users. + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The join event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `join`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not equal to the `sender`. + + Servers MUST apply the validation above to the join event. + New in `v1.2`, the following error conditions might happen: If the room is [restricted](/client-server-api/#restricted-rooms) diff --git a/data/api/server-server/knocks.yaml b/data/api/server-server/knocks.yaml index 38092085..6d0e2d78 100644 --- a/data/api/server-server/knocks.yaml +++ b/data/api/server-server/knocks.yaml @@ -36,7 +36,7 @@ paths: type: string - in: path name: userId - description: The user ID the knock event will be for. + description: The user ID the knock event will be for. This MUST be a user ID on the origin server. required: true example: "@someone:example.org" schema: @@ -330,6 +330,27 @@ paths: "$ref": "./examples/invite_or_knock_state.json" } } + "400": + description: |- + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The knock event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `knock`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not equal to the `sender`. + + Servers MUST apply the validation above to the knock event. + content: + application/json: + schema: + $ref: ../client-server/definitions/errors/error.yaml + examples: + response: + value: { + "errcode": "M_INVALID_PARAM", + "error": "Not a knock event." + } "403": description: |- The knocking server or user is not permitted to knock on the room, such as when the diff --git a/data/api/server-server/leaving-v1.yaml b/data/api/server-server/leaving-v1.yaml index a630f6d7..b36ac6ac 100644 --- a/data/api/server-server/leaving-v1.yaml +++ b/data/api/server-server/leaving-v1.yaml @@ -36,7 +36,7 @@ paths: type: string - in: path name: userId - description: The user ID the leave event will be for. + description: The user ID the leave event will be for. This MUST be a user ID on the origin server. required: true example: "@someone:example.org" schema: @@ -249,6 +249,27 @@ paths: 200, {} ] + "400": + description: |- + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The leave event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `leave`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not equal to the `sender`. + + Servers MUST apply the validation above to the leave event. + content: + application/json: + schema: + $ref: ../client-server/definitions/errors/error.yaml + examples: + response: + value: { + "errcode": "M_INVALID_PARAM", + "error": "Not a leave event." + } servers: - url: "{protocol}://{hostname}{basePath}" variables: diff --git a/data/api/server-server/leaving-v2.yaml b/data/api/server-server/leaving-v2.yaml index 0db16cbe..019ff1b3 100644 --- a/data/api/server-server/leaving-v2.yaml +++ b/data/api/server-server/leaving-v2.yaml @@ -134,6 +134,27 @@ paths: examples: response: value: {} + "400": + description: |- + The `M_INVALID_PARAM` error code is used to indicate one or more of the following: + + * The leave event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events). + * The event type is not `m.room.member`. + * The `membership` field inside the event content is not `leave`. + * The event sender is not a user ID on the origin server. + * The `state_key` is not equal to the `sender`. + + Servers MUST apply the validation above to the leave event. + content: + application/json: + schema: + $ref: ../client-server/definitions/errors/error.yaml + examples: + response: + value: { + "errcode": "M_INVALID_PARAM", + "error": "Not a leave event." + } servers: - url: "{protocol}://{hostname}{basePath}" variables: