Merge pull request from GHSA-vc7j-h8xg-fv5x

* Refuse to accept foreign users in OpenID responses * Make sure we correctly handle server names with colons in them --------- Co-authored-by: Tadeusz Sośnierz <[email protected]>
matrix-org · Jul 31, 2023 · 4c6723a · 4c6723a
1 parent cfc6358
commit 4c6723a
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/src/provisioning/api.ts b/src/provisioning/api.ts
@@ -388,6 +388,16 @@ export class ProvisioningApi {
                 throw new ApiError("Server did not respond with the correct sub information", ErrCode.BadOpenID);
             }
             const userId = response.data.sub;
+
+            const mxidMatch = userId.match(/([^:]+):(.+)/);
+            if (!mxidMatch) {
+                throw new ApiError("Server did not respond with a valid MXID", ErrCode.BadOpenID);
+            }
+            const [, _localpart, serverName] = mxidMatch;
+            if (serverName !== server) {
+                throw new ApiError("Server returned a MXID belonging to another homeserver", ErrCode.BadOpenID);
+            }
+
             const token = this.widgetTokenPrefix + uuid().replace(/-/g, "");
             const expiresTs = Date.now() + this.widgetTokenLifetimeMs;
             await this.store.createSession({