User can add tag to a room that they are not member of

[lamoboos223]

Description

There is no validation on tag creation on the user room membership. Hence, a user can create a tag to a room that they are not member of and flood the db with trivial data.

Steps to reproduce

PUT /<room_id_user_is_not_member_of>/tags/<tag_name>

Response: 200 OK. And if you check the db you will see the tag added there.

Proposed solution: add membership check step before invoking the create tag code.

Homeserver

Localhost

Synapse Version

I’m using 1.80 but I see it’s not patched in the latest version as well

Installation Method

Debian packages from packages.matrix.org

Database

Postgresql

Workers

Single process

Platform

MacOS

Configuration

NA

Relevant log output

NA

Anything else that would be useful to know?

I have patched it on my codebase, and I would love to contribute to this project if you allow me 🙏🏻

[erikjohnston]

Tags are local to the user, so its not really a problem if the user tags rooms they're not in. Though for sanity's sake it's probably useful to check, as there's no reason to tag random rooms.

[lamoboos223]

Exactly!

let me get start on this improvement @erikjohnston 🙏🏻