From 69c8d226b81bad0d4d3131faada525f7cb20cb2f Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Thu, 21 May 2026 14:10:51 +0100
Subject: [PATCH] Ensure we don't have stray auth_events or event_id fields
 unexpectedly set

---
 rust/src/events/formats/v2v3.rs     | 12 ++++++++++++
 rust/src/events/formats/v4.rs       |  5 +++++
 rust/src/events/formats/vmsc4242.rs | 12 +++++++++++-
 rust/src/events/mod.rs              |  3 +++
 4 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/rust/src/events/formats/v2v3.rs b/rust/src/events/formats/v2v3.rs
index ae5726e2bd..52c9085428 100644
--- a/rust/src/events/formats/v2v3.rs
+++ b/rust/src/events/formats/v2v3.rs
@@ -29,8 +29,11 @@
 //! [`SimpleAuthPrevEvents`] is shared with [`v4`](super::v4) since the
 //! flat-list encoding carries forward unchanged.
 
+use anyhow::{bail, Error};
 use serde::{Deserialize, Serialize};
 
+use crate::events::formats::EventCommonFields;
+
 /// Shared flat-list encoding of `auth_events` and `prev_events`, reused
 /// by every format from v2/v3 onwards.
 #[derive(Serialize, Deserialize)]
@@ -48,6 +51,15 @@ pub struct EventFormatV2V3 {
 }
 
 impl EventFormatV2V3 {
+    pub fn validate(&self, common_fields: &EventCommonFields) -> Result<(), Error> {
+        // Ensure that we don't have an event_id set.
+        if common_fields.other_fields.contains_key("event_id") {
+            bail!("v2/v3 events must not have an explicit event_id");
+        }
+
+        Ok(())
+    }
+
     pub fn auth_event_ids(&self) -> Vec<String> {
         self.auth_prev_events.auth_events.clone()
     }
diff --git a/rust/src/events/formats/v4.rs b/rust/src/events/formats/v4.rs
index 858908bb53..8282c3f0f4 100644
--- a/rust/src/events/formats/v4.rs
+++ b/rust/src/events/formats/v4.rs
@@ -48,6 +48,11 @@ impl EventFormatV4 {
     pub fn validate(&self, common_fields: &EventCommonFields) -> Result<(), Error> {
         validate_optional_room_id(self.room_id.as_deref(), common_fields)?;
 
+        // Ensure that we don't have an event_id set.
+        if common_fields.other_fields.contains_key("event_id") {
+            bail!("v4 events must not have an explicit event_id");
+        }
+
         Ok(())
     }
 
diff --git a/rust/src/events/formats/vmsc4242.rs b/rust/src/events/formats/vmsc4242.rs
index aab4d486f9..8efe0ca380 100644
--- a/rust/src/events/formats/vmsc4242.rs
+++ b/rust/src/events/formats/vmsc4242.rs
@@ -26,6 +26,7 @@
 
 use std::borrow::Cow;
 
+use anyhow::bail;
 use anyhow::Error;
 use pyo3::exceptions::PyRuntimeError;
 use pyo3::PyResult;
@@ -50,6 +51,15 @@ impl EventFormatVMSC4242 {
     pub fn validate(&self, common_fields: &EventCommonFields) -> Result<(), Error> {
         validate_optional_room_id(self.room_id.as_deref(), common_fields)?;
 
+        // Ensure that we don't have any `auth_events` or `event_id` fields
+        // set.
+        if common_fields.other_fields.contains_key("auth_events") {
+            bail!("MSC4242 events must not have explicit auth_events");
+        }
+        if common_fields.other_fields.contains_key("event_id") {
+            bail!("MSC4242 events must not have an explicit event_id");
+        }
+
         Ok(())
     }
 
@@ -72,7 +82,7 @@ impl EventFormatVMSC4242 {
             && auth_event_ids.is_empty()
         {
             return Err(PyRuntimeError::new_err(format!(
-                "auth_event_ids has not been calculated: {}",
+                "auth_event_ids has not been calculated : {}",
                 event.event_id
             )));
         }
diff --git a/rust/src/events/mod.rs b/rust/src/events/mod.rs
index 4c96a3a4f3..8fea2e21a5 100644
--- a/rust/src/events/mod.rs
+++ b/rust/src/events/mod.rs
@@ -525,6 +525,9 @@ fn depythonize_event_dict(
         }
         EventFormatVersions::ROOM_V3 | EventFormatVersions::ROOM_V4_PLUS => {
             let event_format: FormattedEvent<EventFormatV2V3> = depythonize(event_dict)?;
+            event_format
+                .specific_fields
+                .validate(&event_format.common_fields)?;
             event_format.into()
         }
         EventFormatVersions::ROOM_V11_HYDRA_PLUS => {