fix: some edge-cases causing panics

- if servers don't send signatures, it could cause a panic - clients sending invalid or non-canonical json could cause a panic
8 months ago · a7513cef7f
2 changed files with 13 additions and 12 deletions
--- a/src/service/rooms/helpers/mod.rs
+++ b/src/service/rooms/helpers/mod.rs
@ -141,17 +141,17 @@ impl Service {
                    ));
                }

-                match signed_value["signatures"]
-                    .as_object()
-                    .ok_or(Error::BadRequest(
-                        ErrorKind::InvalidParam,
-                        "Server sent invalid signatures type",
-                    ))
+                match signed_value
+                    .get("signatures")
+                    .ok_or("server did not return any signatures")
+                    .and_then(|signatures| {
+                        signatures
+                            .as_object()
+                            .ok_or("Server sent invalid signatures type")
+                    })
                    .and_then(|e| {
-                        e.get(remote_server.as_str()).ok_or(Error::BadRequest(
-                            ErrorKind::InvalidParam,
-                            "Server did not send its signature",
-                        ))
+                        e.get(remote_server.as_str())
+                            .ok_or("Server did not send its signature")
                    }) {
                    Ok(signature) => {
                        join_event
--- a/src/service/rooms/timeline/mod.rs
+++ b/src/service/rooms/timeline/mod.rs
@ -783,8 +783,9 @@ impl Service {
        }

        // Hash and sign
-        let mut pdu_json =
-            utils::to_canonical_object(&pdu).expect("event is valid, we just created it");
+        let mut pdu_json = utils::to_canonical_object(&pdu).map_err(|_| {
+            Error::BadRequest(ErrorKind::InvalidParam, "Event content provided is invalid")
+        })?;

        pdu_json.remove("event_id");