From 28235547d2b3abed43f8a626227e3b7fa5afa55d Mon Sep 17 00:00:00 2001
From: Will Hunt
Date: Thu, 3 Nov 2022 12:55:48 +0000
Subject: [PATCH] Prevent users without permissions from inviting the bot (#561)
* Add filter
* tweak
* changelog
* Kick the right user
* Update src/Bridge.ts
Co-authored-by: Andrew Ferrazzutti
* Update src/Bridge.ts
Co-authored-by: Andrew Ferrazzutti
* Update changelog.d/561.bugfix
Co-authored-by: Andrew Ferrazzutti
* Cleanup underlyingClient
Co-authored-by: Andrew Ferrazzutti
---
 changelog.d/561.bugfix | 1 +
 src/Bridge.ts | 18 ++++++++++++------
 2 files changed, 13 insertions(+), 6 deletions(-)
 create mode 100644 changelog.d/561.bugfix
diff --git a/changelog.d/561.bugfix b/changelog.d/561.bugfix
new file mode 100644
index 00000000..28e068c9
--- /dev/null
+++ b/changelog.d/561.bugfix
@@ -0,0 +1 @@
+The bot no longer accepts invites from users who do not have permission to use it.
\ No newline at end of file
diff --git a/src/Bridge.ts b/src/Bridge.ts
index 392ae7f1..3450546b 100644
--- a/src/Bridge.ts
+++ b/src/Bridge.ts
@@ -97,7 +97,7 @@ export class Bridge {
 while(joinedRooms === undefined) {
 try {
 log.info("Connecting to homeserver and fetching joined rooms..");
- joinedRooms = await this.as.botIntent.underlyingClient.getJoinedRooms();
+ joinedRooms = await this.as.botClient.getJoinedRooms();
 log.debug(`Bridge bot is joined to ${joinedRooms.length} rooms`);
 } catch (ex) {
 // This is our first interaction with the homeserver, so wait if it's not ready yet.
@@ -683,11 +683,11 @@ export class Bridge {
 // TODO: Refactor this to be a connection
 try {
- let accountData = await this.as.botIntent.underlyingClient.getSafeRoomAccountData(
+ let accountData = await this.as.botClient.getSafeRoomAccountData(
 BRIDGE_ROOM_TYPE, roomId,
 );
 if (!accountData) {
- accountData = await this.as.botIntent.underlyingClient.getSafeRoomAccountData(
+ accountData = await this.as.botClient.getSafeRoomAccountData(
 LEGACY_BRIDGE_ROOM_TYPE, roomId,
 );
 if (!accountData) {
@@ -701,12 +701,12 @@ export class Bridge {
 let notifContent;
 try {
- notifContent = await this.as.botIntent.underlyingClient.getRoomStateEvent(
+ notifContent = await this.as.botClient.getRoomStateEvent(
 roomId, NotifFilter.StateType, "",
 );
 } catch (ex) {
 try {
- notifContent = await this.as.botIntent.underlyingClient.getRoomStateEvent(
+ notifContent = await this.as.botClient.getRoomStateEvent(
 roomId, NotifFilter.LegacyStateType, "",
 );
 }
@@ -779,8 +779,14 @@ export class Bridge {
 log.info(`Got invite roomId=${roomId} from=${event.sender} to=${event.state_key}`);
 // Room joins can fail over federation
 if (event.state_key !== this.as.botUserId) {
- return this.as.botIntent.underlyingClient.kickUser(this.as.botUserId, roomId, "Bridge does not support DMing ghosts");
+ return this.as.botClient.kickUser(event.state_key, roomId, "Bridge does not support DMing ghosts");
 }
+
+ // Don't accept invites from people who can't do anything
+ if (!this.config.checkPermissionAny(event.sender, BridgePermissionLevel.login)) {
+ return this.as.botClient.kickUser(this.as.botUserId, roomId, "You do not have permission to invite this bot.");
+ }
+
 await retry(() => this.as.botIntent.joinRoom(roomId), 5);
 if (event.content.is_direct) {
 const room = await this.setUpAdminRoom(roomId, {admin_user: event.sender}, NotifFilter.getDefaultContent());
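Review bot: The new permission branch in the `@@ -779,8 +779,14 @@` hunk rejects the invite with a single un-retried `kickUser` call and logs nothing about the denial, whereas the accept path just below it is wrapped in `retry(..., 5)` and the comment above notes that membership changes can fail over federation. If that one call fails, the invite from a sender without `BridgePermissionLevel.login` presumably stays pending, and the only trace is the generic `Got invite` info line, which does not say the sender was refused. I would record the decision and retry the rejection, assuming `retry` returns the wrapped promise as its use on `joinRoom` suggests: ``log.warn(`Rejecting invite roomId=${roomId}: ${event.sender} has no bridge permissions`);`` followed by `return retry(() => this.as.botClient.kickUser(this.as.botUserId, roomId, "You do not have permission to invite this bot."), 5);`. The enclosing invite handler starts and ends outside this hunk, so how its caller treats a rejected promise is not visible here.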