This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Synapse allows setting unreasonable power_levels when creating a v1-5 room #8378

Closed
ghost opened this issue Sep 22, 2020 · 7 comments · Fixed by #10232
Labels: A-Validation (500 (mostly) errors due to lack of event/parameter validation), z-p3 (Deprecated Label)

Comments

@ghost

ghost commented Sep 22, 2020

Description

You can create a room with a power level that is viewed as "Infinity"

Steps to reproduce

  1. Create a room with

```json
"power_level_content_override": {
	"users": {
		"@youruser:yourhomeserver": 100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
	}
}
```

  2. Notice various levels of breakage in many clients (FluffyChat, Element), and a power level displayed as Infinity

Instead, creating the room should fail.

Version information

  • Homeserver: blob.cat
  • Version: 1.11.0-1
  • Install method: Ubuntu package (with apt)
  • Platform: Ubuntu (on a VM)

@clokep
Member

clokep commented Sep 22, 2020

I believe that newer versions of Synapse enforce this correctly. (You might also need to ensure you're using a new-ish room version.)

@ghost
Author

ghost commented Sep 22, 2020

Updated to the latest version and it still works. Room version is default (5).

@richvdh
Member

richvdh commented Sep 22, 2020

@clokep sadly I don't think even recent versions of canonicaljson correctly enforce the int bounds.

@clokep
Member

clokep commented Sep 22, 2020

> @clokep sadly I don't think even recent versions of canonicaljson correctly enforce the int bounds.

I believe that room version 6 enforces this, see:

```python
# Canonical JSON only allows integers strictly between -(2**53) and 2**53.
if isinstance(value, int):
    if value <= -(2 ** 53) or 2 ** 53 <= value:
        raise SynapseError(400, "JSON integer out of range", Codes.BAD_JSON)
```

@kate-shine
Contributor

kate-shine commented Sep 22, 2020

Room v5 is still a recommended default tho, so this doesn't really help the issue.

@richvdh
Member

richvdh commented Sep 23, 2020

ah my bad, sorry.

We could enforce this in the C-S API, I guess, though it's hardly the biggest problem.
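The kind of C-S API check discussed in this thread, as an added example that is not Synapse's own code: the room-version-6 canonical JSON integer check quoted above, applied recursively to the `power_level_content_override` of a create-room request regardless of room version. The `override_is_valid` and `check_json_ints` names and the request bodies are constructed for the example.

```python
# Added example, not Synapse's own code: run the room-version-6 canonical
# JSON integer check over a client's power_level_content_override at room
# creation, so an out-of-range power level is rejected with 400 instead of
# being stored in the room's m.room.power_levels event.

# Canonical JSON integers must satisfy -(2**53) < value < 2**53.
INT_LOWER = -(2 ** 53)
INT_UPPER = 2 ** 53


class BadJsonError(ValueError):
    """Stand-in for SynapseError(400, "JSON integer out of range", Codes.BAD_JSON)."""


def check_json_ints(value, path="$"):
    """Walk nested dicts and lists; raise BadJsonError on any out-of-range int."""
    # bool is a subclass of int in Python, so it is skipped explicitly.
    if isinstance(value, int) and not isinstance(value, bool):
        if value <= INT_LOWER or INT_UPPER <= value:
            raise BadJsonError(f"JSON integer out of range at {path}")
    elif isinstance(value, dict):
        for key, child in value.items():
            check_json_ints(child, f"{path}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            check_json_ints(child, f"{path}[{index}]")


def override_is_valid(request_body):
    """Return True if power_level_content_override passes the check, else False.

    A createRoom handler would run this before building the power levels
    event, which closes the gap for room versions 1-5 that lack the check.
    """
    override = request_body.get("power_level_content_override", {})
    try:
        check_json_ints(override, "$.power_level_content_override")
    except BadJsonError:
        return False
    return True


# Constructed request bodies: the first mirrors the report (a 1 followed by
# hundreds of zeros, which clients render as Infinity), the second is sane.
OVERFLOWING_REQUEST = {
    "power_level_content_override": {
        "users": {"@youruser:yourhomeserver": int("1" + "0" * 400)}
    }
}
NORMAL_REQUEST = {
    "power_level_content_override": {"users": {"@youruser:yourhomeserver": 100}}
}
```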

@richvdh added the labels A-Validation (500 (mostly) errors due to lack of event/parameter validation) and z-p3 (Deprecated Label) on Sep 23, 2020
@anoadragon453 changed the title from "Synapse allows setting unreasonable power_levels when creating a room" to "Synapse allows setting unreasonable power_levels when creating a v1-5 room" on Sep 23, 2020
@ptman
Contributor

ptman commented Oct 6, 2020

aaronraimist added a commit to aaronraimist/synapse that referenced this issue Jun 25, 2021
Signed-off-by: Aaron Raimist <aaron@raim.ist>