State-reset and security mitigations.

Upgrade Ruma to present. The following are intentionally benign for activation in a later commit: - Hydra backports not default. - Room version 12 not default. - Room version 12 not listed as stable. Do not enable them manually or you can brick your database. Signed-off-by: Jason Volk <jason@zemos.net>
2025-06-29 03:33:29 +00:00
parent 2c6dd78502
commit 628597c318
134 changed files with 14961 additions and 4935 deletions
--- a/src/admin/debug/commands.rs
+++ b/src/admin/debug/commands.rs
@@ -87,9 +87,12 @@ pub(super) async fn parse_pdu(&self) -> Result {
 	}

 	let string = self.body[1..self.body.len().saturating_sub(1)].join("\n");
+	let rules = RoomVersionId::V6
+		.rules()
+		.expect("rules for V6 rooms");
 	match serde_json::from_str(&string) {
 		| Err(e) => return Err!("Invalid json in command body: {e}"),
-		| Ok(value) => match ruma::signatures::reference_hash(&value, &RoomVersionId::V6) {
+		| Ok(value) => match ruma::signatures::reference_hash(&value, &rules) {
 			| Err(e) => return Err!("Could not parse PDU JSON: {e:?}"),
 			| Ok(hash) => {
 				let event_id = OwnedEventId::parse(format!("${hash}"));
@@ -252,7 +255,6 @@ pub(super) async fn get_remote_pdu(
 		.sending
 		.send_federation_request(&server, ruma::api::federation::event::get_event::v1::Request {
 			event_id: event_id.clone(),
-			include_unredacted_content: None,
 		})
 		.await
 	{
--- a/src/admin/user/commands.rs
+++ b/src/admin/user/commands.rs
@@ -195,6 +195,7 @@ pub(super) async fn create_user(&self, username: String, password: Option<String
 			self.services
 				.admin
 				.make_user_admin(&user_id)
+				.boxed()
 				.await?;
 			warn!("Granting {user_id} admin privileges as the first user");
 		}
@@ -725,32 +726,38 @@ pub(super) async fn force_demote(&self, user_id: String, room_id: OwnedRoomOrAli
 		.lock(&room_id)
 		.await;

-	let room_power_levels: Option<RoomPowerLevelsEventContent> = self
+	let room_power_levels: Option<RoomPowerLevels> = self
 		.services
 		.rooms
 		.state_accessor
-		.room_state_get_content(&room_id, &StateEventType::RoomPowerLevels, "")
+		.get_power_levels(&room_id)
 		.await
 		.ok();

-	let user_can_demote_self = room_power_levels
+	let user_can_change_self = room_power_levels
 		.as_ref()
-		.is_some_and(|power_levels_content| {
-			RoomPowerLevels::from(power_levels_content.clone())
-				.user_can_change_user_power_level(&user_id, &user_id)
-		}) || self
-		.services
-		.rooms
-		.state_accessor
-		.room_state_get(&room_id, &StateEventType::RoomCreate, "")
-		.await
-		.is_ok_and(|event| event.sender() == user_id);
+		.is_some_and(|power_levels| {
+			power_levels.user_can_change_user_power_level(&user_id, &user_id)
+		});
+
+	let user_can_demote_self = user_can_change_self
+		|| self
+			.services
+			.rooms
+			.state_accessor
+			.room_state_get(&room_id, &StateEventType::RoomCreate, "")
+			.await
+			.is_ok_and(|event| event.sender() == user_id);

 	if !user_can_demote_self {
-		return Err!("User is not allowed to modify their own power levels in the room.",);
+		return Err!("User is not allowed to modify their own power levels in the room.");
 	}

-	let mut power_levels_content = room_power_levels.unwrap_or_default();
+	let mut power_levels_content: RoomPowerLevelsEventContent = room_power_levels
+		.map(TryInto::try_into)
+		.transpose()?
+		.unwrap_or_default();
+
 	power_levels_content.users.remove(&user_id);

 	let event_id = self
@@ -783,6 +790,7 @@ pub(super) async fn make_user_admin(&self, user_id: String) -> Result {
 	self.services
 		.admin
 		.make_user_admin(&user_id)
+		.boxed()
 		.await?;

 	self.write_str(&format!("{user_id} has been granted admin privileges.",))