Merge pull request #2801 from matrix-org/rav/proposal/untrusted_event_data
MSC2801: Make it explicit that event bodies are untrusted datapull/977/head
commit
c9440665e8
@ -0,0 +1,190 @@
|
||||
# MSC2801: Make it explicit that event bodies are untrusted data
|
||||
|
||||
As the Matrix Specification stands today, it is easy for client developers to
|
||||
assume that all events will be structured as documented. For example, the
|
||||
`displayname` key of an [`m.room.member`
|
||||
event](https://matrix.org/docs/spec/client_server/r0.6.1#m-room-member) is
|
||||
specified to be "`string` or `null`"; and the `info` key of an [`m.image`
|
||||
message event](https://matrix.org/docs/spec/client_server/r0.6.1#m-image) must
|
||||
be a Javascript object.
|
||||
|
||||
In reality, these are not safe assumptions. This MSC proposes that the
|
||||
specification be updated to make it clear that developers should treat all
|
||||
event data as untrusted.
|
||||
|
||||
## Reasons why events may not match the specification
|
||||
|
||||
Firstly, let's examine the reasons why such malformed events can exist. Some of
|
||||
these reasons may appear to have trivial solutions; these are discussed below.
|
||||
|
||||
1. Most obviously, Synapse as it currently stands does very little validation
|
||||
of event bodies sent over the Client-Server API. There is nothing stopping
|
||||
any user sending a malformed `m.room.message` event with a simple `curl`
|
||||
command or Element-Web's `/devtools`.
|
||||
|
||||
Any event sent in this way will be returned to the clients of all the other
|
||||
users in the room.
|
||||
|
||||
2. Events may be encrypted. Any client implementing E2EE must be prepared to
|
||||
deal with any encrypted content, since by definition a server cannot
|
||||
validate it.
|
||||
|
||||
3. In order to allow the Matrix protocol to be extensible, server
|
||||
implementations must tolerate unknown event types, and allow them to be
|
||||
passed between clients. It is obvious that a pair of custom clients
|
||||
implementing a `com.example.special.event` event type cannot rely on a
|
||||
standard server implementation to do any validation for them.
|
||||
|
||||
However, this problem extends to event types and keys which have been added
|
||||
to the specification. For example, the [`m.room.encrypted` event
|
||||
type](https://matrix.org/docs/spec/client_server/r0.6.1#m-room-encrypted)
|
||||
was added in Client-Server API r0.4.0. It therefore follows that a server
|
||||
implementing CS-API r0.3.0 would have no way to validate an
|
||||
`m.room.encrypted` event, so if a client is connected to such a server, it
|
||||
could receive malformed events.
|
||||
|
||||
4. To extend from point 3, the problem is not even resolved by upgrading the
|
||||
server. There may now be rooms which contain historical events which would
|
||||
no longer be accepted, but these will still be served by the server.
|
||||
|
||||
This problem also applies to non-room data such as account data. For
|
||||
example, Client-Server API r0.6.0 added the [`m.identity_server` account
|
||||
data event
|
||||
type](https://matrix.org/docs/spec/client_server/r0.6.1#m-identity-server).
|
||||
It is possible, if unlikely, that a client could have uploaded an
|
||||
`m.identity_server` event before the administrator upgraded the server.
|
||||
|
||||
5. Event redaction removes certain keys from an event. This is a bit of a
|
||||
trivial case, though it is worth noting that the rules for event redaction
|
||||
vary between room versions, so it's possible to see a variety of "partial"
|
||||
events.
|
||||
|
||||
6. All the cases above can occur without federation. Federation adds
|
||||
additional complexities due to the structure of Matrix rooms. In
|
||||
particular, a server implementation cannot simply ignore any malformed
|
||||
events since such events may either be critical to the structure of the
|
||||
room (for example, they may be `m.room.membership` events), or at the very
|
||||
least ignoring them would leave "holes" in the event graph which would
|
||||
prevent correct back-pagination.
|
||||
|
||||
## Ideas for mitigating the problem
|
||||
|
||||
The problems above appear to have some easy solutions. Let's describe some of
|
||||
those ideas, before considering the fundamental problem that none of them can
|
||||
solve.
|
||||
|
||||
### Validate all events when they are submitted
|
||||
|
||||
In this idea, we would require all server implementations to strictly validate
|
||||
any data which is sent over the Client-Server API, to ensure that it complied
|
||||
with the specified formats.
|
||||
|
||||
This evidently solves problem 1 above, in that it would prevent local users from
|
||||
creating malformed events of any event types that the server supports; however,
|
||||
it would do nothing to address any of the other problems.
|
||||
|
||||
### Validate events at the point they are served to a client
|
||||
|
||||
We could require that server implementations validate any data that they are
|
||||
about to serve to a client; we might recommend that malformed data be stripped
|
||||
out of the response, or redacted, or similar.
|
||||
|
||||
It is worth mentioning that this would be tricky to implement efficiently on
|
||||
the server side, but it at least helps address most of the problems above, such
|
||||
as historical data, or malformed events received over federation.
|
||||
|
||||
### Have servers re-validate data on upgrade
|
||||
|
||||
Similar to the previous idea, but rather than validating data each time it is
|
||||
served to a client, any stored data could be re-validated to check that it
|
||||
complies with new validation requirements.
|
||||
|
||||
This could be more efficient in the case that changes to validation rules are
|
||||
rare, but it could still be a huge amount of data processing on a large server.
|
||||
|
||||
### Create new room versions which require events to be well-formed
|
||||
|
||||
As outlined above, one of the big problems in this area is how we deal with
|
||||
events sent over federation; in particular, if subsets of the servers in a room
|
||||
have different ideas as to which events are "valid", then their concepts of the
|
||||
room state can begin to drift, and the room can eventually become
|
||||
"split-brained". This makes it hard to simply say, for example,
|
||||
"`m.room.member` events with a non-string `displayname` are invalid and should
|
||||
not form part of the room state": we have a risk that some servers will accept
|
||||
the event, and some will not.
|
||||
|
||||
One approach to solving this is via [room
|
||||
versions](https://matrix.org/docs/spec/index#room-versions). By specifying that
|
||||
a change of rules only applies for a future room version, we can eliminate this
|
||||
potential disagreement.
|
||||
|
||||
The process of changing a room from one version to another is intrusive, not
|
||||
least because it requires that all servers in a room support the new room
|
||||
version (or risk being locked out). For that reason, it is extremely
|
||||
undesirable that any new feature require a new room version: whenever possible,
|
||||
it should be possible to use new features in existing rooms. It therefore
|
||||
follows that we cannot rely on room versions to provide validation of event
|
||||
data.
|
||||
|
||||
### Create a single new room version which applies all event validation rules
|
||||
|
||||
This idea is included for completeness, though it is unclear how it would work
|
||||
in practice.
|
||||
|
||||
It has been suggested that we create a new room version which explicitly states
|
||||
that events which fail the current event schema, whatever that is at that
|
||||
moment in time, should be rejected.
|
||||
|
||||
Let's imagine that in future, the `m.room.member` event schema is extended to
|
||||
include an optional `location` key, which, if given, must be a string. The
|
||||
implication of this idea is that servers should reject any `m.room.member`
|
||||
event whose `location` is not a string. We now have a problem: any servers in
|
||||
the room which are updated to the latest spec will reject such malformed
|
||||
events, but any other servers yet to be upgraded will allow it. So is that user
|
||||
in the room or not?
|
||||
|
||||
Even if all the servers in the room can be upgraded at once, what about any
|
||||
`m.room.member` events which were sent before the rule change?
|
||||
|
||||
## The fundamental problem
|
||||
|
||||
The ideas above all mitigate the problems discussed earlier to a greater or
|
||||
lesser extent, and may indeed be worth doing on their own merits. However, none
|
||||
of them can address the problem of outdated server implementations.
|
||||
|
||||
For example, consider the case of a new key being added to an event body, say
|
||||
`m.relates_to`. Now, we may have decided as above that all new specced keys
|
||||
must be validated by the server, so `vN+1` of Synapse dutifully implements such
|
||||
validation and refuses to accept events with a malformed `m.relates_to`.
|
||||
|
||||
The problem comes for users whose server is still Synapse `vN`. It knows
|
||||
nothing of `m.relates_to`, so accepts and passes it through even if
|
||||
malformed. The only potential solution is for clients seeking to implement
|
||||
`m.relates_to` to refuse to talk to servers which do not declare support for
|
||||
it.
|
||||
|
||||
However, this is an entirely client-side feature: it is illogical to require
|
||||
that servers must be upgraded before it can be used. Consider that the hosted
|
||||
element-web at `https://app.element.io` is upgraded to support the new feature;
|
||||
in this scenario, that would lock out any user whose homeserver had not yet
|
||||
been upgraded. This is not an acceptable user experience.
|
||||
|
||||
In short, we are left with the reality that clients must still handle the
|
||||
unvalidated data.
|
||||
|
||||
## Conclusions
|
||||
|
||||
Short of closely coupling server and client versions - which violates the
|
||||
fundamental ethos of the Matrix project - there is nothing that can completely
|
||||
prevent clients from having to handle untrusted data. In addition, encrypted
|
||||
events eliminate any possibility of server-side validation.
|
||||
|
||||
With that in mind, the advantages of the ideas above are diminished. If clients
|
||||
must handle untrusted data in some circumstances, why not in all? "You can
|
||||
trust the content of this data structure, provided you have checked that the
|
||||
server knows how to validate it, in which case you need to treat it as
|
||||
untrusted" is not a useful message for a client developer.
|
||||
|
||||
It may be possible to assert that specific, known cases can be treated as
|
||||
trusted data, but these should be called out as specific cases. The default
|
||||
message should be that clients must treat all event data as untrusted.
|
Loading…
Reference in New Issue