frostd: validate sender and recipient in send and receive

ZcashFoundation · Feb 18, 2025 · 6f8e725 · 6f8e725
1 parent f4d53a5
commit 6f8e725
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 9 deletions.
diff --git a/frostd/src/functions.rs b/frostd/src/functions.rs
@@ -184,17 +184,33 @@ pub(crate) async fn send(
     } else {
         args.recipients.into_iter().map(|p| p.0).collect()
     };
-    for pubkey in &recipients {
-        session
-            .queue
-            .entry(pubkey.clone())
-            .or_default()
-            .push_back(Msg {
-                sender: user.pubkey.clone(),
-                msg: args.msg.clone(),
-            });
+
+    // Check if both the sender and the recipients are in the session
+    // Note that we need to jump through all these hoops involving
+    // `in_session` due to the get_mut issue mentioned above. We can't return
+    // an error until we reinsert the session back into the map.
+    let in_session = (session.pubkeys.contains(&user.pubkey)
+        || session.coordinator_pubkey == user.pubkey)
+        && recipients
+            .iter()
+            .all(|p| p.is_empty() || session.pubkeys.contains(p));
+
+    if in_session {
+        for pubkey in &recipients {
+            session
+                .queue
+                .entry(pubkey.clone())
+                .or_default()
+                .push_back(Msg {
+                    sender: user.pubkey.clone(),
+                    msg: args.msg.clone(),
+                });
+        }
     }
     sessions.insert(args.session_id, session);
+    if !in_session {
+        return Err(AppError::NotInSession);
+    }
 
     Ok(())
 }
@@ -217,6 +233,11 @@ pub(crate) async fn receive(
         .get(&args.session_id)
         .ok_or(AppError::SessionNotFound)?;
 
+    // Check if both the sender and the recipients are in the session
+    if !session.pubkeys.contains(&user.pubkey) && session.coordinator_pubkey != user.pubkey {
+        return Err(AppError::NotInSession);
+    }
+
     let pubkey = if user.pubkey == session.coordinator_pubkey && args.as_coordinator {
         Vec::new()
     } else {

diff --git a/frostd/src/lib.rs b/frostd/src/lib.rs
@@ -89,13 +89,16 @@ pub(crate) enum AppError {
     SessionNotFound,
     #[error("user is not the coordinator")]
     NotCoordinator,
+    #[error("user is not part of the given session")]
+    NotInSession,
 }
 
 // These make it easier to clients to tell which error happened.
 pub const INVALID_ARGUMENT: usize = 1;
 pub const UNAUTHORIZED: usize = 2;
 pub const SESSION_NOT_FOUND: usize = 3;
 pub const NOT_COORDINATOR: usize = 4;
+pub const NOT_IN_SESSION: usize = 5;
 
 impl AppError {
     pub fn error_code(&self) -> usize {
@@ -104,6 +107,7 @@ impl AppError {
             AppError::Unauthorized => UNAUTHORIZED,
             AppError::SessionNotFound => SESSION_NOT_FOUND,
             AppError::NotCoordinator => NOT_COORDINATOR,
+            AppError::NotInSession => NOT_IN_SESSION,
         }
     }
 }

diff --git a/frostd/tests/integration_tests.rs b/frostd/tests/integration_tests.rs
@@ -374,6 +374,49 @@ async fn test_main_router<
         }
     }
 
+    // Failure tests
+
+    // Create a signing session for tests, without Bob
+    let res = server
+        .post("/create_new_session")
+        .authorization_bearer(alice_token)
+        .json(&frostd::CreateNewSessionArgs {
+            pubkeys: vec![frostd::PublicKey(alice_keypair.public.clone())],
+            message_count: 2,
+        })
+        .await;
+    res.assert_status_ok();
+    let r: frostd::CreateNewSessionOutput = res.json();
+    let session_id = r.session_id;
+
+    // Check if sending to a user not in the session fails
+    let res = server
+        .post("/send")
+        .authorization_bearer(alice_token)
+        .json(&frostd::SendArgs {
+            session_id,
+            recipients: vec![frostd::PublicKey(bob_keypair.public.clone())],
+            msg: vec![],
+        })
+        .await;
+    res.assert_status_internal_server_error();
+    let r: frostd::Error = res.json();
+    assert_eq!(r.code, frostd::NOT_IN_SESSION);
+
+    // Check if sending as a user not in the session fails
+    let res = server
+        .post("/send")
+        .authorization_bearer(bob_token)
+        .json(&frostd::SendArgs {
+            session_id,
+            recipients: vec![frostd::PublicKey(alice_keypair.public.clone())],
+            msg: vec![],
+        })
+        .await;
+    res.assert_status_internal_server_error();
+    let r: frostd::Error = res.json();
+    assert_eq!(r.code, frostd::NOT_IN_SESSION);
+
     Ok(())
 }