ember/continuwuity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
6060 commits 143 branches 32 tags 16 MiB
Commit graph

1171 commits

Author SHA1 Message Date
timedout
5ac82f36f3
feat: Consolidate antispam checks into a service 
Also adds support for the spam checker join rule, and Draupnir callbacks
 2026-01-05 20:10:28 +00:00
timedout
c249dd992e
feat: Add support for automatically rejecting pending invites 2026-01-05 20:10:28 +00:00
timedout
0956779802
feat: Add Meowlnir invite interception support 
Co-authored-by: Jade Ellis <jade@ellis.link>
 2026-01-05 20:10:27 +00:00
timedout
7502a944d7
feat: Add user locking and unlocking commands and functionality 
Also corrects the response code returned by UserSuspended
 2026-01-05 19:30:16 +00:00
Jade Ellis
aed15f246a
refactor: Clean up logging issues 
Primary issues: Double escapes (debug fmt), spans without levels
 2026-01-05 18:28:57 +00:00
timedout
27d6604d14
fix: Use a timeout instead of deadline 2026-01-03 17:08:47 +00:00
timedout
1c7bd2f6fa
style: Remove unnecessary then() calls in chain 2026-01-03 16:22:49 +00:00
timedout
56d7099011
style: Include errors in key claim response too 2026-01-03 16:10:06 +00:00
timedout
bc426e1bfc
fix: Apply client-requested timeout to federated key queries 
Also parallelised federation calls in related functions
 2026-01-03 16:05:05 +00:00
timedout
bf200ad12d
fix: Resolve compile errors 
me and cargo check are oops now
 2025-12-31 20:01:29 +00:00
timedout
44851ee6a2
feat: Fall back to remote room summary if local fails 2025-12-31 20:01:29 +00:00
timedout
a7e6e6e83f
feat: Allow local server admins to bypass summary visibility checks 
feat: Allow local server admins to bypass summary visibility checks

Also improve error messages so they aren't so damn long.
 2025-12-31 20:01:29 +00:00
Terry
f8c1e9bcde
feat: Config defined admin list 
Closes !1246
 2025-12-31 19:35:40 +00:00
Olivia Lee
12aecf8091
validate membership events returned by remote servers 
This fixes a vulnerability where an attacker with a malicious remote
server and a user on the local server can trick the local server into
signing arbitrary events. The attacker issue a remote leave as the local
user to a room on the malicious server. Without any validation of the
make_leave response, the local server would sign the attacker-controlled
event and pass it back to the malicious server with send_leave.

The join and knock endpoints are also fixed in this commit, but are less
useful for exploitation because the local server replaces the "content"
field returned by the remote server. Remote invites are unaffected
because we already check that the event returned from /invite has the
same event ID as the event passed to it.

Co-authored-by: timedout <git@nexy7574.co.uk>
Co-authored-by: Jade Ellis <jade@ellis.link>
Co-authored-by: Ginger <ginger@gingershaped.computer>
 2025-12-30 15:24:45 +00:00
timedout
7350266c80
fix: Don't allow admin room upgrades and fix power levels during upgrade 2025-12-27 04:05:26 +00:00
Jade Ellis
8fd15f26ce
style: Fix clippy 2025-12-21 17:12:36 +00:00
Jade Ellis
6f67c27538
fix: Ensure that room ID is present on state events sent to client 
routes

Mostly fixes !1094

The remaining issue is federation routes
 2025-12-21 17:12:35 +00:00
Jade Ellis
8586d747d1
feat: Run visibility checks on bundled relations 2025-12-21 17:12:35 +00:00
Jade Ellis
11012a9ce1
fix: Always return the same 404 message in context 2025-12-21 17:12:35 +00:00
Jade Ellis
07be190507
fix: Return 404 when event is not accessible 2025-12-21 17:12:35 +00:00
Jade Ellis
ae4acc9568
fix: Don't incorrectly add thread root to relation response 2025-12-21 17:12:35 +00:00
Jade Ellis
f83ddecd8c
refactor(perf): Push down visibility check after limit 2025-12-21 17:12:34 +00:00
Jade Ellis
8d3e4eba99
fix: Add aggregations to the search endpoint 2025-12-21 17:12:34 +00:00
Jade Ellis
b61010da47
feat: Add bundled aggregations support 
Add support for the m.replace and m.reference bundled
aggregations.
This should fix plenty of subtle client issues.
Threads are not included in the new code as they have
historically been written to the database. Replacing the
old system would result in issues when switching away from
continuwuity, so saved for later.
Some TODOs have been left re event visibility and ignored users.
These should be OK for now, though.
 2025-12-21 17:12:34 +00:00
Jade Ellis
987c5eeb03
refactor: Promote handling unsigned data out of timeline 
Also fixes:
- Transaction IDs leaking in event route
- Age not being set for event relations or threads
- Both of the above for search results

Notes down concern with relations table
 2025-12-21 17:12:33 +00:00
timedout
7fa4fa9862
fix: Also check sender origin 2025-12-21 10:58:50 +00:00
timedout
b2bead67ac
fix: Apply additional validation to invites 2025-12-21 10:10:54 +00:00
timedout
4f198fb4ef
fix: Enforce limits when joining rooms 2025-12-13 22:17:47 +00:00
Ginger
cf8d8e4ea6
chore: Post-rebase cleanup 2025-12-09 03:25:04 +00:00
timedout
393d341f07
perf: Throttle frequent device metadata updates & centralise site 2025-12-09 03:25:03 +00:00
timedout
ba55dffa0e
perf: Don't increment the device list version when updating local info 2025-12-09 03:25:03 +00:00
timedout
f3115e14ab
feat: Update device metadata upon hitting hot endpoints 2025-12-09 03:25:03 +00:00
Ginger
53b06a7918 chore(sync/v3): Remove unused imports 2025-12-07 19:58:24 +00:00
Ginger
fafc1d3fd1 fix(sync/v3): Don't send rejected invites on initial syncs 2025-12-07 19:58:24 +00:00
Ginger
dbc74272c3 refactor(sync/v3): Extract left room timeline logic into its own function 2025-12-07 19:58:24 +00:00
Ginger
f11caac05e fix(sync/v3): Don't send dummy leaves on an initial sync 2025-12-07 19:58:24 +00:00
Ginger
e581face44 chore: Formatting 2025-12-07 19:58:24 +00:00
ginger
037ba41adb fix: Nitpicky comment reword 2025-12-07 19:58:24 +00:00
Ginger
7dae118af9 chore(sync/v3): More goat sacrifices 2025-12-07 19:58:24 +00:00
Ginger
07dfc5528d refactor(sync/v3): Split load_joined_room into smaller functions 2025-12-07 19:58:24 +00:00
ginger
3f4749a796 fix: Correct error message 2025-12-07 19:58:24 +00:00
Ginger
be8d72fafc fix(sync/v3): Add a workaround for matrix-js-sdk/5071 2025-12-07 19:58:24 +00:00
Ginger
0008709481 fix(sync/v3): Stop ignoring leave cache deserialization failures 2025-12-07 19:58:24 +00:00
Ginger
ee51d4357f fix(sync/v3): Do not include the last membership event when syncing left rooms 2025-12-07 19:58:24 +00:00
Ginger
800ac8d1f1 fix(sync/v3): Fix invite filtering for federated invites 2025-12-07 19:58:24 +00:00
Ginger
872f5bf077 feat(sync/v3): Remove TL size config option in favor of using the sync filter 2025-12-07 19:58:24 +00:00
Ginger
992217d644 chore(sync/v3): Fix clippy lints 2025-12-07 19:58:24 +00:00
Ginger
4fb4397a9f fix(sync/v3): Remove mysterious membership event manipulation code 2025-12-07 19:58:24 +00:00
Ginger
61b6947e88 fix(sync/v3): Properly sync room heroes 2025-12-07 19:58:24 +00:00
Ginger
876d3faec4 chore(sync/v3): Use "build_*" terminology instead of "calculate_*" 2025-12-07 19:58:24 +00:00