Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Don't accept threaded receipts for reactions to/replies to/edits of a thread root #5

Open
andybalaam opened this issue Dec 14, 2023 · 0 comments

Comments

@andybalaam
Copy link
Member

Description

Previously, the spec implied that threaded receipts were acceptable when referring to thread roots, or reactions to them etc. but this was a spec bug, which is fixed in matrix-org/matrix-spec#1677 . See matrix-org/matrix-spec-proposals#4037 for more detail.

Synapse's code at

async def _is_event_in_thread(self, event_id: str, thread_id: str) -> bool:
"""
The event must be related to the thread ID (in a vague sense) to ensure
clients aren't sending bogus receipts.
A thread ID is considered valid for a given event E if:
1. E has a thread relation which matches the thread ID;
2. E has another event which has a thread relation to E matching the
thread ID; or
3. E is recursively related (via any rel_type) to an event which
satisfies 1 or 2.
Given the following DAG:
A <---[m.thread]-- B <--[m.annotation]-- C
^
|--[m.reference]-- D <--[m.annotation]-- E
It is valid to send a receipt for thread A on A, B, C, D, or E.
It is valid to send a receipt for the main timeline on A, D, and E.
Args:
event_id: The event ID to check.
thread_id: The thread ID the event is potentially part of.
Returns:
True if the event belongs to the given thread, otherwise False.
"""
# If the receipt is on the main timeline, it is enough to check whether
# the event is directly related to a thread.
if thread_id == MAIN_TIMELINE:
return MAIN_TIMELINE == await self._main_store.get_thread_id(event_id)
# Otherwise, check if the event is directly part of a thread, or is the
# root message (or related to the root message) of a thread.
return thread_id == await self._main_store.get_thread_id_for_receipts(event_id)
reflects the spec bug, accepting incorrect receipts. It should not accept threaded receipts for events that are not in the thread.

Steps to reproduce

  • Create some messages in a room, including a thread
  • Create a reaction to the thread root
  • Send a threaded receipt for the reaction, that gives the thread_id as the ID of the thread root event, implying that the reaction is in the thread
  • Note that Synapse accepts this receipt

Synapse should reject this receipt since a reaction to a thread root is not in the thread.

Homeserver

matrix.org

Synapse Version

1.98.0rc1 (b=matrix-org-hotfixes,c2deef254a)

Installation Method

I don't know

Database

Workers

Multiple workers

Platform

Configuration

Relevant log output

-

Anything else that would be useful to know?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant