Validate data passed to REST api endpoints

[DMRobertson]

Tracking issue for https://github.com/matrix-org/synapse/milestone/9

List files which contain rest endpoints as follows:

As with #12651 (comment), we should concentrate on finding something which provides good error messages first, and good type information second. I think Pydantic is the best choice; I've had a go with it in https://github.com/matrix-org/synapse/commits/dmr/oidc-config-pydantic for validating some of our config. The rest endpoint payloads should be considerably simpler to validate.

$ rg -l --case-sensitive "def .*(POST|PUT|DELETE|GET).*\(" synapse | sort | sed -e 's/^/- [ ] /'

To generate todo lists for each individual file, use the following write-only program:

sed -n -e 's/.*class \(.*\)(.*Servlet):.*/- [ ] \1/p' -e 's/.*def on_\(.*\)(.*/  - \1/p' synapse/rest/client/devices.py

app

• synapse/app/generic_worker.py

federation

• synapse/federation/transport/server/federation.py
• synapse/federation/transport/server/init.py

http

• synapse/http/server.py

metrics

• synapse/metrics/_exposition.py

rest/admin

• synapse/rest/admin/background_updates.py
• synapse/rest/admin/devices.py
• synapse/rest/admin/event_reports.py
• synapse/rest/admin/federation.py
• synapse/rest/admin/init.py
• synapse/rest/admin/media.py
• synapse/rest/admin/registration_tokens.py
• synapse/rest/admin/rooms.py
• synapse/rest/admin/server_notice_servlet.py
• synapse/rest/admin/statistics.py
• synapse/rest/admin/username_available.py
• synapse/rest/admin/users.py

rest/client

• synapse/rest/client/account_data.py, Extra validation for rest/client/account_data #13148
• Audit and/or add validation to endpoints in synapse/rest/client/account.py #13183
• Audit and/or add validation to synapse/rest/client/account_validity.py #13184
• synapse/rest/client/auth.py
• synapse/rest/client/_base.py
• synapse/rest/client/capabilities.py (nothing to validate)
• Audit and/or add validation to synapse/rest/client/devices.py #14052
• Audit and/or add validation to endpoints in synapse/rest/client/directory.py #14176
• synapse/rest/client/events.py
• Audit or add validation to rest endpoints in synapse/rest/client/filter.py #14265
• synapse/rest/client/initial_sync.py
• Audit or add validation to endpoints in synapse/rest/client/keys.py #14266
• synapse/rest/client/knock.py
• synapse/rest/client/login.py
• synapse/rest/client/logout.py
• synapse/rest/client/mutual_rooms.py
• synapse/rest/client/notifications.py
• synapse/rest/client/openid.py
• synapse/rest/client/password_policy.py
• synapse/rest/client/presence.py
• synapse/rest/client/profile.py
• synapse/rest/client/pusher.py
• synapse/rest/client/push_rule.py
• synapse/rest/client/read_marker.py
• synapse/rest/client/receipts.py
• synapse/rest/client/register.py
• synapse/rest/client/relations.py (nothing to validate)
• synapse/rest/client/report_event.py
• synapse/rest/client/room_keys.py
• synapse/rest/client/room.py
• synapse/rest/client/room_upgrade_rest_servlet.py
• synapse/rest/client/sendtodevice.py
• synapse/rest/client/sync.py
• synapse/rest/client/tags.py
• synapse/rest/client/thirdparty.py
• synapse/rest/client/tokenrefresh.py
• synapse/rest/client/user_directory.py
• synapse/rest/client/versions.py (nothing to validate)
• synapse/rest/client/voip.py (nothing to validate)

rest/key

• synapse/rest/key/v2/local_key_resource.py (nothing to validate)
• synapse/rest/key/v2/remote_key_resource.py Validate input to /key/query endpoint. #16183

rest/media

• synapse/rest/media/v1/config_resource.py (nothing to validate)
• synapse/rest/media/v1/download_resource.py
• synapse/rest/media/v1/preview_url_resource.py
• synapse/rest/media/v1/thumbnail_resource.py
• synapse/rest/media/v1/upload_resource.py

rest/synapse/client

• synapse/rest/synapse/client/new_user_consent.py
• synapse/rest/synapse/client/oidc/callback_resource.py
• synapse/rest/synapse/client/password_reset.py
• synapse/rest/synapse/client/pick_idp.py
• synapse/rest/synapse/client/pick_username.py
• synapse/rest/synapse/client/saml2/metadata_resource.py
• synapse/rest/synapse/client/saml2/response_resource.py
• synapse/rest/synapse/client/sso_register.py
• synapse/rest/synapse/client/unsubscribe.py

rest miscellaneous

• synapse/rest/consent/consent_resource.py
• synapse/rest/well_known.py (nothing to validate)
• synapse/rest/health.py (nothing to validate)