Verify groupId for group changes

2024-11-25 11:41:47 -08:00 · 2024-11-25 11:41:47 -08:00 · ffd61e80b6
commit ffd61e80b6
parent 3aa62ecdb4
4 changed files with 39 additions and 36 deletions
--- a/ts/groups.ts
+++ b/ts/groups.ts
@ -3536,7 +3536,10 @@ async function getGroupUpdates({
      groupChange.changeEpoch <= SUPPORTED_CHANGE_EPOCH;

    if (isChangeSupported) {
-      if (!wrappedGroupChange.isTrusted) {
+      const { isTrusted } = wrappedGroupChange;
+      let isUntrustedChangeVerified = false;
+
+      if (!isTrusted) {
        strictAssert(
          groupChange.serverSignature,
          'Server signature must be present in untrusted group change'
@ -3563,13 +3566,34 @@ async function getGroupUpdates({
            newProfileKeys: new Map(),
          };
        }
+
+        const { groupId: groupIdBytes } = Proto.GroupChange.Actions.decode(
+          groupChange.actions || new Uint8Array(0)
+        );
+        const actionsGroupId: string | undefined =
+          groupIdBytes && groupIdBytes.length !== 0
+            ? Bytes.toBase64(groupIdBytes)
+            : undefined;
+        if (actionsGroupId && actionsGroupId === group.groupId) {
+          isUntrustedChangeVerified = true;
+        } else if (!actionsGroupId) {
+          log.warn(
+            `getGroupUpdates/${logId}: Missing groupId in group change actions`
+          );
+        } else {
+          log.warn(
+            `getGroupUpdates/${logId}: Incorrect groupId in group change actions`
+          );
+        }
      }

-      return updateGroupViaSingleChange({
-        group,
-        newRevision,
-        groupChange,
-      });
+      if (isTrusted || isUntrustedChangeVerified) {
+        return updateGroupViaSingleChange({
+          group,
+          newRevision,
+          groupChange,
+        });
+      }
    }

    log.info(