From ac10ff4cbe1312ce4932337278d3c4a2c69954cc Mon Sep 17 00:00:00 2001
From: Greyson Parrelli
Date: Wed, 11 Sep 2024 14:45:02 -0400
Subject: [PATCH] Improve validations on envelope.
---
 .../securesms/messages/MessageDecryptor.kt | 2 +-
 .../api/messages/EnvelopeContentValidator.kt | 14 +++++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/app/src/main/java/org/thoughtcrime/securesms/messages/MessageDecryptor.kt b/app/src/main/java/org/thoughtcrime/securesms/messages/MessageDecryptor.kt
index 3f97588e1e..03ed4b3ea6 100644
--- a/app/src/main/java/org/thoughtcrime/securesms/messages/MessageDecryptor.kt
+++ b/app/src/main/java/org/thoughtcrime/securesms/messages/MessageDecryptor.kt
@@ -151,7 +151,7 @@ object MessageDecryptor {
 Log.d(TAG, "${logPrefix(envelope, cipherResult)} Successfully decrypted the envelope in ${(endTimeNanos - startTimeNanos).nanoseconds.toDouble(DurationUnit.MILLISECONDS).roundedString(2)} ms (GUID ${envelope.serverGuid}). Delivery latency: ${serverDeliveredTimestamp - envelope.serverTimestamp!!} ms, Urgent: ${envelope.urgent}")
- val validationResult: EnvelopeContentValidator.Result = EnvelopeContentValidator.validate(envelope, cipherResult.content)
+ val validationResult: EnvelopeContentValidator.Result = EnvelopeContentValidator.validate(envelope, cipherResult.content, SignalStore.account.aci!!)
 if (validationResult is EnvelopeContentValidator.Result.Invalid) {
 Log.w(TAG, "${logPrefix(envelope, cipherResult)} Invalid content! ${validationResult.reason}", validationResult.throwable)
diff --git a/libsignal-service/src/main/java/org/whispersystems/signalservice/api/messages/EnvelopeContentValidator.kt b/libsignal-service/src/main/java/org/whispersystems/signalservice/api/messages/EnvelopeContentValidator.kt
index d73a137700..f7c10d10c2 100644
--- a/libsignal-service/src/main/java/org/whispersystems/signalservice/api/messages/EnvelopeContentValidator.kt
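Review bot: In the MessageDecryptor.kt hunk the new argument `SignalStore.account.aci!!` is a bare non-null assertion that runs for every decrypted envelope, not only for sync messages, so a missing local ACI would surface as a NullPointerException after decryption rather than as a validation result. The enclosing function starts and ends outside the hunk, so whether anything catches that exception is not visible here. Resolving the value with a message, e.g. `val localAci = requireNotNull(SignalStore.account.aci) { "Local ACI missing while validating envelope" }`, and passing `localAci` would at least make the failure diagnosable.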
+++ b/libsignal-service/src/main/java/org/whispersystems/signalservice/api/messages/EnvelopeContentValidator.kt
@@ -8,6 +8,7 @@ import org.signal.libsignal.zkgroup.groups.GroupMasterKey
 import org.signal.libsignal.zkgroup.receipts.ReceiptCredentialPresentation
 import org.whispersystems.signalservice.api.push.ServiceId
 import org.whispersystems.signalservice.api.push.ServiceId.ACI
+import org.whispersystems.signalservice.api.push.ServiceId.PNI
 import org.whispersystems.signalservice.internal.push.AttachmentPointer
 import org.whispersystems.signalservice.internal.push.Content
 import org.whispersystems.signalservice.internal.push.DataMessage
@@ -28,7 +29,7 @@ import org.whispersystems.signalservice.internal.push.TypingMessage
 */
 object EnvelopeContentValidator {
- fun validate(envelope: Envelope, content: Content): Result {
+ fun validate(envelope: Envelope, content: Content, localAci: ACI): Result {
 if (envelope.type == Envelope.Type.PLAINTEXT_CONTENT) {
 val result: Result? = createPlaintextResultIfInvalid(content)
@@ -54,7 +55,7 @@ object EnvelopeContentValidator {
 return when {
 envelope.story == true && !content.meetsStoryFlagCriteria() -> Result.Invalid("Envelope was flagged as a story, but it did not have any story-related content!")
 content.dataMessage != null -> validateDataMessage(envelope, content.dataMessage)
- content.syncMessage != null -> validateSyncMessage(envelope, content.syncMessage)
+ content.syncMessage != null -> validateSyncMessage(envelope, content.syncMessage, localAci)
 content.callMessage != null -> Result.Valid
 content.nullMessage != null -> Result.Valid
 content.receiptMessage != null -> validateReceiptMessage(content.receiptMessage)
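Review bot: The added `import org.whispersystems.signalservice.api.push.ServiceId.PNI` in the import hunk of EnvelopeContentValidator.kt is not referenced by any added line in this patch. The diffstat's 11 insertions for this file are all visible, and the new check in `validateSyncMessage` compares the source only against `localAci`. Either drop the import, or, if a decision about PNI-sourced sync messages was intended, that logic is missing here and should be added with a comment stating whether such a source is accepted or rejected.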
@@ -145,7 +146,14 @@ object EnvelopeContentValidator {
 return Result.Valid
 }
- private fun validateSyncMessage(envelope: Envelope, syncMessage: SyncMessage): Result {
+ private fun validateSyncMessage(envelope: Envelope, syncMessage: SyncMessage, localAci: ACI): Result {
+ // Source serviceId was already determined to be a valid serviceId in general
+ val sourceServiceId = ServiceId.parseOrThrow(envelope.sourceServiceId!!)
+
+ if (sourceServiceId != localAci) {
+ return Result.Invalid("[SyncMessage] Source was not our own account!")
+ }
+
 if (syncMessage.sent != null) {
 val validAddress = syncMessage.sent.destinationServiceId.isValidServiceId()
 val hasDataGroup = syncMessage.sent.message?.groupV2 != null
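Review bot: The added `ServiceId.parseOrThrow(envelope.sourceServiceId!!)` at the top of `validateSyncMessage` throws on an absent or malformed source instead of returning `Result.Invalid`, and the guarantee in its comment rests on a check that lies outside this hunk. If that earlier check rejects only malformed values and lets an absent `sourceServiceId` through (worth confirming against the part of `validate` not shown), a sync message would raise here rather than be rejected. Failing closed keeps the validator's contract: `val sourceServiceId = ServiceId.parseOrNull(envelope.sourceServiceId)` followed by the existing `if (sourceServiceId != localAci)` treats a null or unparseable source as invalid. The function body continues past the end of the hunk.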