fix(#377): remediate code review and security findings

- Fix sendThreadMessage room mismatch: use channelId from options instead of hardcoded controlRoomId - Add .catch() to fire-and-forget handleRoomMessage to prevent silent error swallowing - Wrap dispatchJob in try-catch for user-visible error reporting in handleFixCommand - Add MATRIX_BOT_USER_ID validation in connect() to prevent infinite message loops - Fix streamResponse error masking: wrap finally/catch side-effects in try-catch - Replace unsafe type assertion with public getClient() in MatrixRoomService - Add orphaned room warning in provisionRoom on DB failure - Add provider identity to Herald error logs - Add channelId to ThreadMessageOptions interface and all callers - Add missing env var warnings in BridgeModule factory - Fix JSON injection in setup-bot.sh: use jq for safe JSON construction Fixes #377 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 03:00:53 -06:00
parent a1f0d1dd71
commit 8d19ac1f4b
13 changed files with 179 additions and 76 deletions
--- a/docker/matrix/scripts/setup-bot.sh
+++ b/docker/matrix/scripts/setup-bot.sh
@@ -112,14 +112,11 @@ echo ""
 echo "Step 2: Obtaining admin access token..."
 ADMIN_LOGIN_RESPONSE=$(curl -sS -X POST "${SYNAPSE_URL}/_matrix/client/v3/login" \
  -H "Content-Type: application/json" \
-  -d "{
-    \"type\": \"m.login.password\",
-    \"identifier\": {
-      \"type\": \"m.id.user\",
-      \"user\": \"${ADMIN_USERNAME}\"
-    },
-    \"password\": \"${ADMIN_PASSWORD}\"
-  }" 2>/dev/null)
+  -d "$(jq -n \
+    --arg user "$ADMIN_USERNAME" \
+    --arg pw "$ADMIN_PASSWORD" \
+    '{type: "m.login.password", identifier: {type: "m.id.user", user: $user}, password: $pw}')" \
+  2>/dev/null)

 ADMIN_TOKEN=$(echo "${ADMIN_LOGIN_RESPONSE}" | python3 -c "import sys,json; print(json.load(sys.stdin).get('access_token',''))" 2>/dev/null || true)

@@ -140,12 +137,11 @@ echo "Step 3: Registering bot account '${BOT_USERNAME}'..."
 BOT_REGISTER_RESPONSE=$(curl -sS -X PUT "${SYNAPSE_URL}/_synapse/admin/v2/users/@${BOT_USERNAME}:localhost" \
  -H "Authorization: Bearer ${ADMIN_TOKEN}" \
  -H "Content-Type: application/json" \
-  -d "{
-    \"password\": \"${BOT_PASSWORD}\",
-    \"displayname\": \"${BOT_DISPLAY_NAME}\",
-    \"admin\": false,
-    \"deactivated\": false
-  }" 2>/dev/null)
+  -d "$(jq -n \
+    --arg pw "$BOT_PASSWORD" \
+    --arg dn "$BOT_DISPLAY_NAME" \
+    '{password: $pw, displayname: $dn, admin: false, deactivated: false}')" \
+  2>/dev/null)

 BOT_EXISTS=$(echo "${BOT_REGISTER_RESPONSE}" | python3 -c "import sys,json; d=json.load(sys.stdin); print('yes' if d.get('name') else 'no')" 2>/dev/null || echo "no")

@@ -162,14 +158,11 @@ echo ""
 echo "Step 4: Obtaining bot access token..."
 BOT_LOGIN_RESPONSE=$(curl -sS -X POST "${SYNAPSE_URL}/_matrix/client/v3/login" \
  -H "Content-Type: application/json" \
-  -d "{
-    \"type\": \"m.login.password\",
-    \"identifier\": {
-      \"type\": \"m.id.user\",
-      \"user\": \"${BOT_USERNAME}\"
-    },
-    \"password\": \"${BOT_PASSWORD}\"
-  }" 2>/dev/null)
+  -d "$(jq -n \
+    --arg user "$BOT_USERNAME" \
+    --arg pw "$BOT_PASSWORD" \
+    '{type: "m.login.password", identifier: {type: "m.id.user", user: $user}, password: $pw}')" \
+  2>/dev/null)

 BOT_TOKEN=$(echo "${BOT_LOGIN_RESPONSE}" | python3 -c "import sys,json; print(json.load(sys.stdin).get('access_token',''))" 2>/dev/null || true)