Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MSC4140 delayed event rate limit failures are not handled #18021

Open
hughns opened this issue Dec 10, 2024 · 1 comment · May be fixed by #18018
Open

MSC4140 delayed event rate limit failures are not handled #18021

hughns opened this issue Dec 10, 2024 · 1 comment · May be fixed by #18018
Assignees
@AndrewFerr
Labels
T-Defect

Comments

@hughns
Copy link
Member

hughns commented Dec 10, 2024

As per https://github.com/matrix-org/matrix-spec-proposals/blob/toger5/expiring-events-keep-alive/proposals/4140-delayed-events-futures.md#rate-limiting-at-the-point-of-sending we are applying rate limiting at the point of the delayed event being entered into the DAG.

However, we don't handle this temporary failure and retry.

This means that the delayed event then gets dropped.

This was observed in the wild yesterday.
@hughns hughns linked a pull request Dec 10, 2024 that will close this issue
Open
3 tasks
@hughns
Copy link
Member Author

hughns commented Dec 10, 2024

#18018 contains a proposed fix.

However, the approach in that PR is to simply disable that rate limit.

If that PR is accepted then the should be some follow-up on this issue here to get the original security consideration mitigated. For example, one of:

  • taking account of delayed event scheduling when accepting the delayed event in the first place
  • adding the rate limit back in but handling the rate limit failure sensibly

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@AndrewFerr AndrewFerr

Labels
T-Defect
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Don't ratelimit server-sent delayed events AndrewFerr/synapse
2 participants
@AndrewFerr @hughns