Filter out non local events when a room doesn't have its full state

Mathieu Velten · Mathieu Velten · commit 491c1f728fc7 · 2022-11-10T11:47:55.000+01:00
diff --git a/synapse/federation/sender/per_destination_queue.py b/synapse/federation/sender/per_destination_queue.py
@@ -505,6 +505,7 @@ async def _catch_up_transmission_loop(self) -> None:
                     new_pdus = await filter_events_for_server(
                         self._storage_controllers,
                         self._destination,
+                        self._server_name,
                         new_pdus,
                         redact=False,
                     )
diff --git a/synapse/handlers/federation.py b/synapse/handlers/federation.py
@@ -379,6 +379,7 @@ async def _maybe_backfill_inner(
             filtered_extremities = await filter_events_for_server(
                 self._storage_controllers,
                 self.server_name,
+                self.server_name,
                 events_to_check,
                 redact=False,
                 check_history_visibility_only=True,
@@ -1252,7 +1253,7 @@ async def on_backfill_request(
         )
 
         events = await filter_events_for_server(
-            self._storage_controllers, origin, events
+            self._storage_controllers, origin, self.server_name, events
         )
 
         return events
@@ -1283,7 +1284,7 @@ async def get_persisted_pdu(
         await self._event_auth_handler.assert_host_in_room(event.room_id, origin)
 
         events = await filter_events_for_server(
-            self._storage_controllers, origin, [event]
+            self._storage_controllers, origin, self.server_name, [event]
         )
         event = events[0]
         return event
@@ -1309,7 +1310,7 @@ async def on_get_missing_events(
         )
 
         missing_events = await filter_events_for_server(
-            self._storage_controllers, origin, missing_events
+            self._storage_controllers, origin, self.server_name, missing_events
         )
 
         return missing_events
diff --git a/synapse/visibility.py b/synapse/visibility.py
@@ -563,7 +563,8 @@ def get_effective_room_visibility_from_state(state: StateMap[EventBase]) -> str:
 
 async def filter_events_for_server(
     storage: StorageControllers,
-    server_name: str,
+    target_server_name: str,
+    local_server_name: str,
     events: List[EventBase],
     redact: bool = True,
     check_history_visibility_only: bool = False,
@@ -603,7 +604,7 @@ def check_event_is_visible(
         # if the server is either in the room or has been invited
         # into the room.
         for ev in memberships.values():
-            assert get_domain_from_id(ev.state_key) == server_name
+            assert get_domain_from_id(ev.state_key) == target_server_name
 
             memtype = ev.membership
             if memtype == Membership.JOIN:
@@ -636,7 +637,7 @@ def check_event_is_visible(
             if event_to_history_vis[e.event_id]
             not in (HistoryVisibility.SHARED, HistoryVisibility.WORLD_READABLE)
         ],
-        server_name,
+        target_server_name,
     )
 
     to_return = []
@@ -645,6 +646,15 @@ def check_event_is_visible(
         visible = check_event_is_visible(
             event_to_history_vis[e.event_id], event_to_memberships.get(e.event_id, {})
         )
+
+        # Filter out non-local events when we are in the middle of a partial join,
+        # since our servers list can be out of date and we could leak events
+        # to servers not in the room anymore.
+        # This can also be true for local events but we consider it to be
+        # an acceptable risk in this case.
+        if e.origin != local_server_name and await storage.main.is_partial_state_room(e.room_id):
+            visible = False
+
         if visible and not erased:
             to_return.append(e)
         elif redact:
diff --git a/tests/test_visibility.py b/tests/test_visibility.py
@@ -61,7 +61,7 @@ def test_filtering(self) -> None:
 
         filtered = self.get_success(
             filter_events_for_server(
-                self._storage_controllers, "test_server", events_to_filter
+                self._storage_controllers, "test_server", "hs", events_to_filter
             )
         )
 
@@ -83,7 +83,7 @@ def test_filter_outlier(self) -> None:
         self.assertEqual(
             self.get_success(
                 filter_events_for_server(
-                    self._storage_controllers, "remote_hs", [outlier]
+                    self._storage_controllers, "remote_hs", "hs", [outlier]
                 )
             ),
             [outlier],
@@ -94,7 +94,7 @@ def test_filter_outlier(self) -> None:
 
         filtered = self.get_success(
             filter_events_for_server(
-                self._storage_controllers, "remote_hs", [outlier, evt]
+                self._storage_controllers, "remote_hs", "local_hs", [outlier, evt]
             )
         )
         self.assertEqual(len(filtered), 2, f"expected 2 results, got: {filtered}")
@@ -106,7 +106,7 @@ def test_filter_outlier(self) -> None:
         # be redacted)
         filtered = self.get_success(
             filter_events_for_server(
-                self._storage_controllers, "other_server", [outlier, evt]
+                self._storage_controllers, "other_server", "local_hs", [outlier, evt]
             )
         )
         self.assertEqual(filtered[0], outlier)
@@ -141,7 +141,7 @@ def test_erased_user(self) -> None:
         # ... and the filtering happens.
         filtered = self.get_success(
             filter_events_for_server(
-                self._storage_controllers, "test_server", events_to_filter
+                self._storage_controllers, "test_server", "local_hs", events_to_filter
             )
         )
 

Original file line number	Diff line number	Diff line change
`@@ -505,6 +505,7 @@ async def _catch_up_transmission_loop(self) -> None:`
`505`	`505`	`new_pdus = await filter_events_for_server(`
`506`	`506`	`self._storage_controllers,`
`507`	`507`	`self._destination,`
	`508`	`+ self._server_name,`
`508`	`509`	`new_pdus,`
`509`	`510`	`redact=False,`
`510`	`511`	`)`
Original file line number	Diff line number	Diff line change
`@@ -379,6 +379,7 @@ async def _maybe_backfill_inner(`
`379`	`379`	`filtered_extremities = await filter_events_for_server(`
`380`	`380`	`self._storage_controllers,`
`381`	`381`	`self.server_name,`
	`382`	`+ self.server_name,`
`382`	`383`	`events_to_check,`
`383`	`384`	`redact=False,`
`384`	`385`	`check_history_visibility_only=True,`
`@@ -1252,7 +1253,7 @@ async def on_backfill_request(`
`1252`	`1253`	`)`
`1253`	`1254`
`1254`	`1255`	`events = await filter_events_for_server(`
`1255`		`- self._storage_controllers, origin, events`
	`1256`	`+ self._storage_controllers, origin, self.server_name, events`
`1256`	`1257`	`)`
`1257`	`1258`
`1258`	`1259`	`return events`
`@@ -1283,7 +1284,7 @@ async def get_persisted_pdu(`
`1283`	`1284`	`await self._event_auth_handler.assert_host_in_room(event.room_id, origin)`
`1284`	`1285`
`1285`	`1286`	`events = await filter_events_for_server(`
`1286`		`- self._storage_controllers, origin, [event]`
	`1287`	`+ self._storage_controllers, origin, self.server_name, [event]`
`1287`	`1288`	`)`
`1288`	`1289`	`event = events[0]`
`1289`	`1290`	`return event`
`@@ -1309,7 +1310,7 @@ async def on_get_missing_events(`
`1309`	`1310`	`)`
`1310`	`1311`
`1311`	`1312`	`missing_events = await filter_events_for_server(`
`1312`		`- self._storage_controllers, origin, missing_events`
	`1313`	`+ self._storage_controllers, origin, self.server_name, missing_events`
`1313`	`1314`	`)`
`1314`	`1315`
`1315`	`1316`	`return missing_events`
Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ def test_filtering(self) -> None:`
`61`	`61`
`62`	`62`	`filtered = self.get_success(`
`63`	`63`	`filter_events_for_server(`
`64`		`- self._storage_controllers, "test_server", events_to_filter`
	`64`	`+ self._storage_controllers, "test_server", "hs", events_to_filter`
`65`	`65`	`)`
`66`	`66`	`)`
`67`	`67`
`@@ -83,7 +83,7 @@ def test_filter_outlier(self) -> None:`
`83`	`83`	`self.assertEqual(`
`84`	`84`	`self.get_success(`
`85`	`85`	`filter_events_for_server(`
`86`		`- self._storage_controllers, "remote_hs", [outlier]`
	`86`	`+ self._storage_controllers, "remote_hs", "hs", [outlier]`
`87`	`87`	`)`
`88`	`88`	`),`
`89`	`89`	`[outlier],`
`@@ -94,7 +94,7 @@ def test_filter_outlier(self) -> None:`
`94`	`94`
`95`	`95`	`filtered = self.get_success(`
`96`	`96`	`filter_events_for_server(`
`97`		`- self._storage_controllers, "remote_hs", [outlier, evt]`
	`97`	`+ self._storage_controllers, "remote_hs", "local_hs", [outlier, evt]`
`98`	`98`	`)`
`99`	`99`	`)`
`100`	`100`	`self.assertEqual(len(filtered), 2, f"expected 2 results, got: {filtered}")`
`@@ -106,7 +106,7 @@ def test_filter_outlier(self) -> None:`
`106`	`106`	`# be redacted)`
`107`	`107`	`filtered = self.get_success(`
`108`	`108`	`filter_events_for_server(`
`109`		`- self._storage_controllers, "other_server", [outlier, evt]`
	`109`	`+ self._storage_controllers, "other_server", "local_hs", [outlier, evt]`
`110`	`110`	`)`
`111`	`111`	`)`
`112`	`112`	`self.assertEqual(filtered[0], outlier)`
`@@ -141,7 +141,7 @@ def test_erased_user(self) -> None:`
`141`	`141`	`# ... and the filtering happens.`
`142`	`142`	`filtered = self.get_success(`
`143`	`143`	`filter_events_for_server(`
`144`		`- self._storage_controllers, "test_server", events_to_filter`
	`144`	`+ self._storage_controllers, "test_server", "local_hs", events_to_filter`
`145`	`145`	`)`
`146`	`146`	`)`
`147`	`147`