From b8ce84301fa279abe3a4b67f5affcf25690f0fe1 Mon Sep 17 00:00:00 2001
From: gnuxie <Gnuxie@protonmail.com>
Date: Tue, 17 Dec 2024 23:30:26 +0000
Subject: [PATCH] Throw when we're given invalid event/room ids in report
 forwarding.

https://github.com/the-draupnir-project/Draupnir/issues/643.
---
 src/webapis/WebAPIs.ts | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/webapis/WebAPIs.ts b/src/webapis/WebAPIs.ts
index e6d33512..ab6a8ccc 100644
--- a/src/webapis/WebAPIs.ts
+++ b/src/webapis/WebAPIs.ts
@@ -16,6 +16,8 @@ import { IConfig } from "../config";
 import {
   StringRoomID,
   StringEventID,
+  isStringRoomID,
+  isStringEventID,
 } from "@the-draupnir-project/matrix-basic-types";
 import { Logger, Task } from "matrix-protection-suite";
 
@@ -87,12 +89,24 @@ export class WebAPIs {
             "X-Requested-With, Content-Type, Authorization, Date"
           );
           response.header("Access-Control-Allow-Methods", "POST, OPTIONS");
+          const roomID = request.params.room_id;
+          const eventID = request.params.event_id;
+          if (!isStringRoomID(roomID)) {
+            throw new TypeError(
+              `Invalid roomID provided when processing a report, check your webproxy: ${roomID}`
+            );
+          }
+          if (!isStringEventID(eventID)) {
+            throw new TypeError(
+              `Invalid eventID provided when processing a report, check your webproxy: ${eventID}`
+            );
+          }
           void Task(
             this.handleReport({
               request,
               response,
-              roomID: request.params.room_id as StringRoomID,
-              eventID: request.params.event_id as StringEventID,
+              roomID,
+              eventID,
             })
           );
         }