diff --git a/src/m2d/converters/event-to-message.js b/src/m2d/converters/event-to-message.js
index e889fc7..3cf08cf 100644
--- a/src/m2d/converters/event-to-message.js
+++ b/src/m2d/converters/event-to-message.js
@@ -539,15 +539,15 @@ async function eventToMessage(event, guild, di) {
 if (event.type === "m.room.message" && (event.content.msgtype === "m.file" || event.content.msgtype === "m.video" || event.content.msgtype === "m.audio" || event.content.msgtype === "m.image")) {
 content = ""
 const filename = event.content.filename || event.content.body
- if ("url" in event.content) {
- // Unencrypted
- attachments.push({id: "0", filename})
- pendingFiles.push({name: filename, mxc: event.content.url})
- } else {
+ if ("file" in event.content) {
 // Encrypted
 assert.equal(event.content.file.key.alg, "A256CTR")
 attachments.push({id: "0", filename})
 pendingFiles.push({name: filename, mxc: event.content.file.url, key: event.content.file.key.k, iv: event.content.file.iv})
+ } else {
+ // Unencrypted
+ attachments.push({id: "0", filename})
+ pendingFiles.push({name: filename, mxc: event.content.url})
 }
 // Check if we also need to process a text event for this image - if it has a caption that's different from its filename
 if ((event.content.body && event.content.filename && event.content.body !== event.content.filename) || event.content.formatted_body) {
diff --git a/src/m2d/converters/event-to-message.test.js b/src/m2d/converters/event-to-message.test.js
index 70853aa..3d1c918 100644
--- a/src/m2d/converters/event-to-message.test.js
+++ b/src/m2d/converters/event-to-message.test.js
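Review bot: The new guard `"file" in event.content` tests only that the key exists, so an event carrying `file: null` next to a valid `url` (the mirror image of the `url: null` case this commit handles) would enter the encrypted branch and throw a TypeError at `event.content.file.key.alg`. Event content is supplied by the remote sender, so the branch choice should rest on the value, e.g. `if (event.content.file && typeof event.content.file === "object") {`, leaving the `else` branch for events that really have no `file` object. A regression test with `file: null` and a string `url` would pin this. Separately, only `key.k` and `iv` are forwarded to `pendingFiles` while `file.hashes.sha256` is dropped; A256CTR alone gives no integrity, so it is worth confirming that the ciphertext hash is verified somewhere outside this hunk. The body of eventToMessage starts and ends outside the hunk.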
@@ -3956,6 +3956,91 @@ test("event2message: encrypted image attachments work", async t => {
 )
 })
+test("event2message: evil encrypted image attachment works", async t => {
+ t.deepEqual(
+ await eventToMessage({
+ sender: "@austin:tchncs.de",
+ type: "m.room.message",
+ content: {
+ body: "Screenshot 2025-06-29 at 13.36.46.png",
+ file: {
+ hashes: {
+ sha256: "Vh1apd8wSFu/BpUdQbIrKUzFB0Uu+l1octgZL+aVGTQ"
+ },
+ iv: "sd33K7pSZNMAAAAAAAAAAA",
+ key: {
+ alg: "A256CTR",
+ ext: true,
+ k: "-nyqk1eqI-g-ND59P9qHp310-Qyc2A5gSAYm1BxopSg",
+ key_ops: [
+ "encrypt",
+ "decrypt"
+ ],
+ kty: "oct"
+ },
+ url: "mxc://tchncs.de/eac5f83fa97cd74062daf75dfa04d6e5356897281939377544214085632",
+ v: "v2"
+ },
+ info: {
+ h: 682,
+ mimetype: "image/png",
+ "org.matrix.msc4230.is_animated": false,
+ size: 1813154,
+ thumbnail_file: {
+ hashes: {
+ sha256: "o3xykQwfsTUf5Y8qP5fjT7qBv5lAT3rtkmPpise5eQw"
+ },
+ iv: "SNxIZsJkju4AAAAAAAAAAA",
+ key: {
+ alg: "A256CTR",
+ ext: true,
+ k: "CcibYjzzSDexOWBbcBh_kCDiLibg8vUZthz5CnxV0es",
+ key_ops: [
+ "encrypt",
+ "decrypt"
+ ],
+ kty: "oct"
+ },
+ url: "mxc://tchncs.de/ecd811d913ed1b240ebfc81517a5de2c3a1e9d401939377537079574528",
+ v: "v2"
+ },
+ thumbnail_info: {
+ h: 600,
+ mimetype: "image/png",
+ size: 451773,
+ w: 507
+ },
+ thumbnail_url: null,
+ w: 577,
+ "xyz.amorgan.blurhash": "TqN1Ais=t1~qRjWFxURiWCM{ofof"
+ },
+ "m.mentions": {},
+ msgtype: "m.image",
+ url: null
+ },
+ event_id: "$UKMbzTlqlyLYN78utVEtiivABFvOe39nx5trHwqNmeQ",
+ room_id: "!iSyXgNxQcEuXoXpsSn:pussthecat.org"
+ }),
+ {
+ ensureJoined: [],
+ messagesToDelete: [],
+ messagesToEdit: [],
+ messagesToSend: [{
+ username: "Austin Huang",
+ content: "",
+ avatar_url: "https://bridge.example.org/download/matrix/tchncs.de/090a2b5e07eed2f71e84edad5207221e6c8f8b8e",
+ attachments: [{id: "0", filename: "Screenshot 2025-06-29 at 13.36.46.png"}],
+ pendingFiles: [{
+ name: "Screenshot 2025-06-29 at 13.36.46.png",
+ mxc: "mxc://tchncs.de/eac5f83fa97cd74062daf75dfa04d6e5356897281939377544214085632",
+ key: "-nyqk1eqI-g-ND59P9qHp310-Qyc2A5gSAYm1BxopSg",
+ iv: "sd33K7pSZNMAAAAAAAAAAA"
+ }]
+ }]
+ }
+ )
+})
+
 test("event2message: stickers work", async t => {
 t.deepEqual(
 await eventToMessage({
diff --git a/test/ooye-test-data.sql b/test/ooye-test-data.sql
index 2b66486..4acff5e 100644
--- a/test/ooye-test-data.sql
+++ b/test/ooye-test-data.sql
@@ -160,7 +160,8 @@ INSERT INTO member_cache (room_id, mxid, displayname, avatar_url, power_level) V
 ('!TqlyQmifxGUggEmdBN:cadence.moe', '@Milan:tchncs.de', 'Milan', NULL, 0),
 ('!TqlyQmifxGUggEmdBN:cadence.moe', '@ampflower:matrix.org', 'Ampflower 🌺', 'mxc://cadence.moe/PRfhXYBTOalvgQYtmCLeUXko', 0),
 ('!TqlyQmifxGUggEmdBN:cadence.moe', '@aflower:syndicated.gay', 'Rose', 'mxc://syndicated.gay/ZkBUPXCiXTjdJvONpLJmcbKP', 0),
-('!TqlyQmifxGUggEmdBN:cadence.moe', '@cadence:cadence.moe', 'cadence [they]', NULL, 0);
+('!TqlyQmifxGUggEmdBN:cadence.moe', '@cadence:cadence.moe', 'cadence [they]', NULL, 0),
+('!iSyXgNxQcEuXoXpsSn:pussthecat.org', '@austin:tchncs.de', 'Austin Huang', 'mxc://tchncs.de/090a2b5e07eed2f71e84edad5207221e6c8f8b8e', 0);
 INSERT INTO reaction (hashed_event_id, message_id, encoded_emoji) VALUES
 (5162930312280790092, '1141501302736695317', '%F0%9F%90%88');
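Review bot: The fixture in "evil encrypted image attachment works" looks like a captured real event: it carries a user mxid, room id, event id, the `mxc://` URLs and the A256CTR `k`/`iv` values for both the file and its thumbnail, which (if genuine) commits working decryption material for that user's media to the repository. Constructed values of the same shape would exercise the converter identically, since the test only compares them for equality. The name also does not say what makes the event "evil"; a comment above the event such as `// Some clients send url: null alongside file; the file object must win` would record the case being pinned.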