matrix-org / gomatrixserverlib

Go library for matrix federation.

Reject single faulty event instead of the whole room state

babolivier opened this issue

Joining Matrix HQ with Dendrite is currently impossible because of a badly constructed event. In this case, gomatrixserverlib rejects the whole state, aborts the room join and logs the following error:

gomatrixserverlib: sender domain doesn't match origin: \"matrix.orly.cf\" != \"matrix.org\"

The JSON of the corresponding event is:

{
    "auth_events": [
        [
            "$145095128663932ULGxu:matrix.org",
            {
                "sha256": "Qr4iNEm3Sb+dMQQijh0Fk52B6QLgg2Bj+DSmbSD0gwQ"
            }
        ],
        [
            "$1416420717069yeQaw:matrix.org",
            {
                "sha256": "SQbXz8UcBT39JJs/J9hqWb8INde/p4pkr9AG6gk7EtY"
            }
        ],
        [
            "$1416420717079YOCAM:matrix.org",
            {
                "sha256": "PYI0qgBD3T2iPoh4nkCNQ+bIfTXJ5BvEA5pgtgLsAEw"
            }
        ]
    ],
    "content": {
        "membership": "join"
    },
    "depth": 87361,
    "event_id": "$1451109772178767MVoAx:matrix.org",
    "hashes": {
        "sha256": "PmApxqj8VK9+Q3WXC6MFCJJddaKgkBNzEBmlqELVURg"
    },
    "origin": "matrix.org",
    "origin_server_ts": 1451109772982,
    "prev_events": [
        [
            "$1451105729744QPsBR:whatthefuck.computer",
            {
                "sha256": "0knG+e09KD25TX3/7bjsEMg4y1+CIq/dxapaQcXkc7k"
            }
        ]
    ],
    "prev_state": [],
    "room_id": "!cURbafjkfsMDVwdRDQ:matrix.org",
    "sender": "@ferdinand:matrix.orly.cf",
    "signatures": {
        "matrix.org": {
            "ed25519:auto": "l2i38JcoXt5HmvbvOZLp/r04TE5salSh+FZm9lhZOsK2UdWsjHIN4oxCoXnmYtP27yOsqEvJ2Lq9Jc5jD8tdAA"
        },
        "matrix.orly.cf": {
            "ed25519:a_DqBf": "z0OAWxhLI19/PDd249OHszKNEtirip8osTOd+Sm9h3Q/b5d+lcy2DCquuuCV8RMC1l7hV8p9ukYvjo200yLuAg"
        }
    },
    "state_key": "@ferdinand:matrix.orly.cf",
    "type": "m.room.member",
    "unsigned": {}
}

Here, gomatrixserverlib should reject this single event instead and go on with the room join.

Is this actually the intended behaviour? Does the spec say that we should drop and continue joining?

I don't think the spec is clear on it.

This ties into the bigger question of "what should we do if we find an event whose signature we can't verify (possibly because we can't find the signing key)". IMHO failing the join would make joins rather brittle, but it's not obvious.

Relatedly, we broke this in synapse recently (matrix-org/synapse#6978), and it turned out that nobody could join a whole bunch of rooms until we fixed it.

I guess from an attack vector perspective it makes sense not to block the join, else malicious actors could withhold their signing key for example and cause chaos.

In scenarios where the failure to get the key is transient, and the events are real and should be included... I dunno what we should do there.

We reject individual faulty events now.
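
Added example, not part of the thread and not gomatrixserverlib's own code: the two behaviours discussed in this issue, applied to the sender/origin check behind the logged error. The names `stateEvent`, `checkSenderDomain` and `filterState` are hypothetical, and the first sample event is constructed; the second copies three fields from the event quoted in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// stateEvent holds only the fields this check reads (hypothetical type).
type stateEvent struct{ EventID, Origin, Sender string }

// checkSenderDomain fails when the server name in sender differs from origin.
func checkSenderDomain(ev stateEvent) error {
	i := strings.Index(ev.Sender, ":")
	if i < 0 || !strings.HasPrefix(ev.Sender, "@") {
		return fmt.Errorf("malformed sender %q", ev.Sender)
	}
	if domain := ev.Sender[i+1:]; domain != ev.Origin {
		return fmt.Errorf("sender domain doesn't match origin: %q != %q", domain, ev.Origin)
	}
	return nil
}

// filterState checks every state event. With strict set, the first faulty
// event fails the whole join; otherwise it is dropped and recorded by event ID.
func filterState(events []stateEvent, strict bool) (accepted []stateEvent, rejected map[string]error, err error) {
	rejected = map[string]error{}
	for _, ev := range events {
		if cerr := checkSenderDomain(ev); cerr != nil {
			if strict {
				return nil, nil, fmt.Errorf("event %s: %w", ev.EventID, cerr)
			}
			rejected[ev.EventID] = cerr
			continue
		}
		accepted = append(accepted, ev)
	}
	return accepted, rejected, nil
}

// sampleState: first entry is constructed; second copies fields from the issue's event.
var sampleState = []stateEvent{
	{"$constructed1:example.org", "example.org", "@alice:example.org"},
	{"$1451109772178767MVoAx:matrix.org", "matrix.org", "@ferdinand:matrix.orly.cf"},
}

func main() {
	_, _, err := filterState(sampleState, true)
	accepted, rejected, _ := filterState(sampleState, false)
	fmt.Println("strict:", err, "| lenient:", len(accepted), "accepted,", len(rejected), "rejected")
}
```

Returning the rejected map lets the caller log each dropped event ID with its reason, so a join that succeeds with missing state is still visible to operators.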