Improve middleware for rejecting unknown Client-Server API versions

Related to: - https://matrix.org/blog/2021/11/09/matrix-v-1-1-release - matrix-org/synapse#11318 - spantaleev/matrix-docker-ansible-deploy#1404 Our `denyUnsupportedApiVersionsMiddleware` middleware was trying to match `rXXX` versions and reject unsupported ones (anything besides `r0`), but now that the prefix is changing (`vXXX`) we were not matching the new one correctly and were letting `vXXX` requests go through. This is not a security issue yet, as no stable version of a homeserver supports v3-prefixed APIs yet, but an upcoming Synapse v1.48.0 is slated to add support for those. An old matrix-corporal version (lacking this patch) combined with Synapse v1.48.0+ will let such v3 requests go through, effectively circuimventing matrix-corporal's protections.
devture · Nov 19, 2021 · 5562258 · 5562258
1 parent 7aeffe3
commit 5562258
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/corporal/httpgateway/middleware.go b/corporal/httpgateway/middleware.go
@@ -13,11 +13,14 @@ var regexApiVersionFromUri *regexp.Regexp
 var supportedApiVersions []string
 
 func init() {
-	regexApiVersionFromUri = regexp.MustCompile("/_matrix/client/r([^/]+)")
+	// We'd like to match things like:
+	// - `/_matrix/client/r0`
+	// - `/_matrix/client/v3` (and other v-prefixed versions in the future)
+	// but not match things like: `/_matrix/client/versions`
+	regexApiVersionFromUri = regexp.MustCompile(`/_matrix/client/((?:r|v)\d+)`)
 
 	supportedApiVersions = []string{
-		//We only support r0 for the time being.
-		"0",
+		"r0",
 	}
 }
 
@@ -30,7 +33,7 @@ func denyUnsupportedApiVersionsMiddleware(next http.Handler) http.Handler {
 			return
 		}
 
-		releaseVersion := matches[1] // Something like `0`
+		releaseVersion := matches[1] // Something like `r0`
 
 		if util.IsStringInArray(releaseVersion, supportedApiVersions) {
 			// We do support this version and can safely let our gateway