From 7450852ffc0214b8ee6ac2317b2f2a859d163f87 Mon Sep 17 00:00:00 2001 From: Half-Shot Date: Thu, 16 Apr 2020 17:09:27 +0100 Subject: [PATCH 1/3] Require token for provisioning --- package-lock.json | 52 ++++++++++++++++++++------------------------- package.json | 2 +- src/Provisioning.ts | 1 + 3 files changed, 25 insertions(+), 30 deletions(-) diff --git a/package-lock.json b/package-lock.json index 8974c6ea..14b90c8f 100644 --- a/package-lock.json +++ b/package-lock.json @@ -460,9 +460,9 @@ "dev": true }, "base-x": { - "version": "3.0.7", - "resolved": "https://registry.npmjs.org/base-x/-/base-x-3.0.7.tgz", - "integrity": "sha512-zAKJGuQPihXW22fkrfOclUUZXM2g92z5GzlSMHxhO6r6Qj+Nm0ccaGNBzDZojzwOMkpjAv4J0fOv1U4go+a4iw==", + "version": "3.0.8", + "resolved": "https://registry.npmjs.org/base-x/-/base-x-3.0.8.tgz", + "integrity": "sha512-Rl/1AWP4J/zRrk54hhlxH4drNxPJXYUaKffODVI53/dAsV4t9fBxyxYKAVPU1XBHxYwOWP9h9H0hM2MVw4YfJA==", "requires": { "safe-buffer": "^5.0.1" } @@ -749,9 +749,9 @@ "integrity": "sha1-4wOogrNCzD7oylE6eZmXNNqzriw=" }, "core-js": { - "version": "2.6.10", - "resolved": "https://registry.npmjs.org/core-js/-/core-js-2.6.10.tgz", - "integrity": "sha512-I39t74+4t+zau64EN1fE5v2W31Adtc/REhzWN+gWRRXg6WH5qAsZm62DHpQ1+Yhe4047T55jvzz7MUqF/dBBlA==" + "version": "2.6.11", + "resolved": "https://registry.npmjs.org/core-js/-/core-js-2.6.11.tgz", + "integrity": "sha512-5wjnpaT/3dV+XB4borEsnAYQchn00XSgTAWKDkEqv+K8KevjbzmofK6hfJ9TZIlpj2N0xQpazy7PiRQiWHqzWg==" }, "core-util-is": { "version": "1.0.2", 
@@ -1565,9 +1565,9 @@ } }, "loglevel": { - "version": "1.6.6", - "resolved": "https://registry.npmjs.org/loglevel/-/loglevel-1.6.6.tgz", - "integrity": "sha512-Sgr5lbboAUBo3eXCSPL4/KoVz3ROKquOjcctxmHIt+vol2DrqTQe3SwkKKuYhEiWB5kYa13YyopJ69deJ1irzQ==" + "version": "1.6.8", + "resolved": "https://registry.npmjs.org/loglevel/-/loglevel-1.6.8.tgz", + "integrity": "sha512-bsU7+gc9AJ2SqpzxwU3+1fedl8zAntbtC5XYlt3s2j1hJcn2PsXSmgN8TaLG/J1/2mod4+cE/3vNL70/c1RNCA==" }, "make-error": { "version": "1.3.6", @@ -1596,9 +1596,9 @@ } }, "matrix-appservice-bridge": { - "version": "1.11.1", - "resolved": "https://registry.npmjs.org/matrix-appservice-bridge/-/matrix-appservice-bridge-1.11.1.tgz", - "integrity": "sha512-xrtjxScBIx33HRkiK/5G6wkUxZ9jxF9GqTiKzM/Fn7CgMZoHVDIms3sTc7ybZKA6RHAqH68bg4Eg4JbGCtUrhw==", + "version": "1.12.1", + "resolved": "https://registry.npmjs.org/matrix-appservice-bridge/-/matrix-appservice-bridge-1.12.1.tgz", + "integrity": "sha512-l2IAMmRwKDcIl+63OLLxXWSozedYC5/B1JFMpU50fOoeSpSVqFf68Ucu9yEdM5RddQCzJPmA6cVRthPOvq7K0g==", "requires": { "bluebird": "^2.9.34", "chalk": "^2.4.1", @@ -1609,6 +1609,7 @@ "matrix-js-sdk": "^2.3.0", "nedb": "^1.1.3", "nopt": "^3.0.3", + "p-queue": "^6.3.0", "prom-client": "^11.1.1", "request": "^2.61.0", "winston": "^3.1.0", @@ -1616,9 +1617,9 @@ } }, "matrix-js-sdk": { - "version": "2.4.5", - "resolved": "https://registry.npmjs.org/matrix-js-sdk/-/matrix-js-sdk-2.4.5.tgz", - "integrity": "sha512-Mh0fPoiqyXRksFNYS4/2s20xAklmYVIgSms3qFvLhno32LN43NizUoAMBYYGtyjt8BQi+U77lbNL0s5f2V7gPQ==", + "version": "2.4.6", + "resolved": "https://registry.npmjs.org/matrix-js-sdk/-/matrix-js-sdk-2.4.6.tgz", + "integrity": "sha512-ydU64WwAYFjaTJ7JTv/JM3HmSY7leHWm3x3j0J4KWVhDDxsLoQ/v8Tc6FwlVom9/B9VvGTk+AG3aY0zgNk8LQg==", "requires": { "another-json": "^0.2.0", "babel-runtime": "^6.26.0", 
@@ -1702,18 +1703,11 @@ "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==" }, "mkdirp": { - "version": "0.5.1", - "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz", - "integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=", + "version": "0.5.5", + "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.5.tgz", + "integrity": "sha512-NKmAlESf6jMGym1++R0Ra7wvhV+wFW63FaSOFPwRahvea0gMUcGUhVeAg/0BC0wiv9ih5NYPB1Wn1UEI1/L+xQ==", "requires": { - "minimist": "0.0.8" - }, - "dependencies": { - "minimist": { - "version": "0.0.8", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz", - "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=" - } + "minimist": "^1.2.5" } }, "mocha": { @@ -2771,9 +2765,9 @@ "integrity": "sha1-YaajIBBiKvoHljvzJSA88SI51gQ=" }, "unhomoglyph": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/unhomoglyph/-/unhomoglyph-1.0.3.tgz", - "integrity": "sha512-PC/OAHE8aiTK0Gfmy0PxOlePazRn+BeCM1r4kFtkHgEnkJZgJoI7yD2yUEjsfSdLXKU1FSt/EcIZvNoKazYUTw==" + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/unhomoglyph/-/unhomoglyph-1.0.5.tgz", + "integrity": "sha512-rNAw2rGogjq4BVhsCX8K6qXrCcHmUaMCHETlUG0ujGZ3OHwnzJHwdMyzy3n/c9Y7lvlbckOd9nkW33grUVE3bg==" }, "unpipe": { "version": "1.0.0", diff --git a/package.json b/package.json index 9b884c1c..e94c8f91 100644 --- a/package.json +++ b/package.json @@ -35,7 +35,7 @@ "chai": "^4.2.0", "escape-string-regexp": "^2.0.0", "matrix-appservice": "^0.4.1", - "matrix-appservice-bridge": "^1.11.1", + "matrix-appservice-bridge": "^1.12.1", "minimist": "^1.2.5", "nedb": "^1.8.0", "node-emoji": "^1.10.0", diff --git a/src/Provisioning.ts b/src/Provisioning.ts index b0a9477a..cfa88590 100644 --- a/src/Provisioning.ts +++ b/src/Provisioning.ts 
@@ -48,6 +48,7 @@ export class Provisioner {
 await this.handleProvisioningRequest(verb as Verbs, req, res);
 },
 method: "POST",
+ checkToken: true,
 path: "/_matrix/provision/:verb",
 });
 }
From 6c55e5db73adae7254c906fafab6644ff09a1197 Mon Sep 17 00:00:00 2001
From: Half-Shot
Date: Thu, 16 Apr 2020 17:11:35 +0100
Subject: [PATCH 2/3] changelog
---
 changelog.d/395.bugfix | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/395.bugfix
diff --git a/changelog.d/395.bugfix b/changelog.d/395.bugfix
new file mode 100644
index 00000000..82ca4203
--- /dev/null
+++ b/changelog.d/395.bugfix
@@ -0,0 +1 @@
+**SECURITY FIX** The bridge now requires authentication on the /_matrix/provision set of endpoints. It requires either an `access_token` query parameter or a `Authorization` header containing the `hs_token` provided in the registration file.
\ No newline at end of file
From d6a1b43c7c51c50ab5c78292dfc723b0f511e339 Mon Sep 17 00:00:00 2001
From: Half-Shot
Date: Thu, 16 Apr 2020 17:24:13 +0100
Subject: [PATCH 3/3] Do not require a token for /health
---
 src/Main.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/Main.ts b/src/Main.ts
index 0751dc17..d7a445d5 100644
--- a/src/Main.ts
+++ b/src/Main.ts
@@ -816,6 +816,7 @@ export class Main {
 handler: this.onHealth.bind(this.bridge),
 method: "GET",
 path: "/health",
+ checkToken: false,
 });
 const provisioningEnabled = this.config.provisioning?.enable;
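Review bot: The added `checkToken: true` delegates all authentication for `/_matrix/provision/:verb` to the bridge library, while the handler line above it still calls `handleProvisioningRequest` unconditionally, so the endpoint is protected only if the installed matrix-appservice-bridge recognises that option — which appears to be why package.json is raised to ^1.12.1 in the same patch. A comment on the new line would make that coupling visible, e.g. `// checkToken: the bridge rejects requests lacking the hs_token (changelog.d/395.bugfix); keep in step with the matrix-appservice-bridge floor in package.json`, and a regression test asserting that an unauthenticated POST to this path is refused would stop a future refactor from silently dropping the flag. Since the changelog states the token is also accepted as an `access_token` query parameter, request logging for this path should avoid recording the query string. Separately, the context line's `verb as Verbs` asserts an untrusted path parameter into the `Verbs` type without a visible check; presumably `handleProvisioningRequest` validates it, but that is worth confirming. The enclosing method of `Provisioner` starts before the hunk.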
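Review bot: `checkToken: false` on `/health` is the only route in this series that opts out of the token check, and the new line carries no explanation, so a later reader cannot tell whether the exemption is deliberate or whether `onHealth` returns anything beyond a liveness status. Add a why-comment on the new line, e.g. `// Liveness probe: intentionally unauthenticated, so the response must carry no config, state or version detail`, and confirm the handler's response matches that. Unrelated to the change, the context line `this.onHealth.bind(this.bridge)` binds the handler's `this` to the bridge rather than to `Main`; presumably intended, but worth confirming `onHealth` reads no `Main` fields. The enclosing method of `Main` starts before the hunk, and a blank context line before `const provisioningEnabled` appears to have been lost in the page's line collapsing.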