WIP: fix: Strip unsigned over federation, improve PDU size checking performance & accuracy #1586

nex · 2026-03-27T22:15:04Z

nex commented

2026-03-27 22:15:04 +00:00

This pull request changes the federation event formatter factory to strip the unsigned object entirely, as it is unused over federation and only contains untrusted data.
There's also a performance improvement related to checking the size of incoming events, and a fix that more accurately measures the size of local events taking the above into account.

Pull request checklist:

This pull request targets the main branch, and the branch is named something other than
main.
I have written an appropriate pull request title and my description is clear.
I understand I am responsible for the contents of this pull request.
I have followed the contributing guidelines:
- My contribution follows the code style, if applicable.
- I ran pre-commit checks before opening/drafting this pull request.
- I have tested my contribution (or proof-read it for documentation-only changes)
  myself, if applicable. This includes ensuring code compiles.
- My commit messages follow the commit message format and are descriptive.
- I have written a news fragment for this PR, if applicable.

This pull request changes the federation event formatter factory to strip the `unsigned` object entirely, as it is unused over federation and only contains untrusted data. There's also a performance improvement related to checking the size of incoming events, and a fix that more accurately measures the size of local events taking the above into account.     **Pull request checklist:**  - [x] This pull request targets the `main` branch, and the branch is named something other than `main`. - [x] I have written an appropriate pull request title and my description is clear. - [x] I understand I am responsible for the contents of this pull request. - I have followed the [contributing guidelines][c1]: - [x] My contribution follows the [code style][c2], if applicable. - [x] I ran [pre-commit checks][c1pc] before opening/drafting this pull request. - [x] I have [tested my contribution][c1t] (or proof-read it for documentation-only changes) myself, if applicable. This includes ensuring code compiles. - [x] My commit messages follow the [commit message format][c1cm] and are descriptive. - [x] I have written a [news fragment][n1] for this PR, if applicable.  [c1]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md [c2]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/docs/development/code_style.mdx [c1pc]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#pre-commit-checks [c1t]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#running-tests-locally [c1cm]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#commit-messages [n1]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments

nex added the

Enhancement

Matrix/Federation

labels

2026-03-27 22:15:04 +00:00

nex added 1 commit

2026-03-27 22:15:04 +00:00

fix: Correctly, explicitly format outgoing events

Check Changelog / Check for changelog (pull_request_target) Successful in 9s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 1m19s

Details

Checks / Prek / Pre-commit & Formatting (pull_request) Successful in 3m3s

Details

Checks / Prek / Clippy and Cargo Tests (pull_request) Has been cancelled

Details

3cec9d0077

Henry-Hiles commented

2026-03-27 22:19:20 +00:00

So, if synapse did this, or if I run my draupnir on c10y, would I not have the issue with event sizes I do right now?

nex added 1 commit

2026-03-27 22:19:31 +00:00

chore: Add news fragment

Check Changelog / Check for changelog (pull_request_target) Successful in 14s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 1m16s

Details

Checks / Prek / Pre-commit & Formatting (pull_request) Successful in 3m2s

Details

Checks / Prek / Clippy and Cargo Tests (pull_request) Failing after 20m52s

Details

d636da06e2

nex commented

2026-03-27 22:21:22 +00:00

It's hard to tell. Preliminary research revealed that Synapse still includes unsigned data over federation for locally-originating events, but it doesn't include as much as we did prior to this pull request. However, as it stands, Synapse will not touch any unsigned data received from remote servers, meaning if a remote server continues to send large amounts of unsigned data over federation to Synapse (such as an outdated continuwuity deployment), Synapse will also parrot that data back (provided it still fits within the PDU size limit).

We're sorta trailblazing here by just dropping non-required fields explicitly rather than just removing parts of them. unsigned is already optional, I was told removing unsigned over federation is probably safe, and there's no reason to include other keys that aren't recognised, so this is more of a two-birds-one-stone fix/enhancement.

It's hard to tell. Preliminary research revealed that Synapse still includes unsigned data over federation *for locally-originating events*, but it doesn't include as much as we did prior to this pull request. However, as it stands, Synapse will not touch any unsigned data received from remote servers, meaning if a remote server continues to send large amounts of unsigned data over federation to Synapse (such as an outdated continuwuity deployment), Synapse will also parrot that data back (provided it still fits within the PDU size limit). We're sorta trailblazing here by just dropping non-required fields explicitly rather than just removing parts of them. `unsigned` is already optional, I was told [removing `unsigned` over federation is *probably* safe](https://matrix.to/#/!nD4Jy1hp0We0VmIM9ubjqWLBX_uV8YlTBBPa3a_v2uk/%24cN2bQmiL1G3L6mtvnCI89_-vq9TnTthr8uGb1S6-GrY?via=nexy7574.co.uk&via=matrix.org&via=element.io), and there's no reason to include other keys that aren't recognised, so this is more of a two-birds-one-stone fix/enhancement.

Henry-Hiles commented

2026-03-27 22:21:36 +00:00

Actually, i guess id get the same error when running a modbot on c10y because event size is also checked locally

nex commented

2026-03-27 22:33:25 +00:00

Technically, creating an event that would brush up against the PDU size limit on continuwuity will currently fail early, since it doesn't evaluate it in quite the same way (i.e. it'll hit a false positive). I'll tackle that at a later date though since I'll need to figure out how to do similar stripped evaluations without potentially harming performance (not something I want to be thinking about at 22:30 on a Friday)

Henry-Hiles commented

2026-03-27 22:35:27 +00:00

@nex wrote in #1586 (comment):

Technically, creating an event that would brush up against the PDU size limit on continuwuity will currently fail early, since it doesn't evaluate it in quite the same way (i.e. it'll hit a false positive). I'll tackle that at a later date though since I'll need to figure out how to do similar stripped evaluations without potentially harming performance (not something I want to be thinking about at 22:30 on a Friday)

Alrighty, no worries, enjoy your friday :)

@nex wrote in https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1586#issuecomment-26937: > Technically, creating an event that would brush up against the PDU size limit on continuwuity will currently fail early, since it doesn't evaluate it in quite the same way (i.e. it'll hit a false positive). I'll tackle that at a later date though since I'll need to figure out how to do similar stripped evaluations without potentially harming performance (not something I want to be thinking about at 22:30 on a Friday) Alrighty, no worries, enjoy your friday :)

Jade approved these changes

2026-03-27 22:41:12 +00:00

Dismissed

nex added 1 commit

2026-03-27 22:55:13 +00:00

style: Fix clippy lint

Check Changelog / Check for changelog (pull_request_target) Successful in 9s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 1m18s

Details

Checks / Prek / Pre-commit & Formatting (pull_request) Successful in 3m1s

Details

Checks / Prek / Clippy and Cargo Tests (pull_request) Successful in 26m6s

Details

b0e3b9eeb5

nex requested review from Aranjedeath

2026-03-27 23:41:43 +00:00

Aranjedeath approved these changes

2026-03-29 01:49:22 +00:00

Dismissed

nex added 1 commit

2026-03-29 12:43:01 +00:00

fix: Correctly handle size evaluation of local events

Check Changelog / Check for changelog (pull_request_target) Successful in 9s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 1m21s

Details

Checks / Prek / Pre-commit & Formatting (pull_request) Successful in 2m59s

Details

Checks / Prek / Clippy and Cargo Tests (pull_request) Successful in 26m5s

Details

053860e496

Also improved the performance of `pdu_fits`

nex commented

2026-03-29 12:44:24 +00:00

Technically, creating an event that would brush up against the PDU size limit on continuwuity will currently fail early

This should now be fixed.

> Technically, creating an event that would brush up against the PDU size limit on continuwuity will currently fail early This should now be fixed.

nex added 2 commits

2026-03-29 13:21:38 +00:00

fix: Don't include origin in remote memberships 303ad4ab9c

fix: Only pop unsigned from PDUs

Check Changelog / Check for changelog (pull_request_target) Successful in 9s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 1m15s

Details

Checks / Prek / Pre-commit & Formatting (pull_request) Successful in 2m57s

Details

Checks / Prek / Clippy and Cargo Tests (pull_request) Has been cancelled

Details

127030ac38

nex changed title from ~~fix: Correctly, explicitly format outgoing events~~ to fix: Strip unsigned over federation, improve PDU size checking performance & accuracy

2026-03-29 13:24:24 +00:00

nex requested reviews from Aranjedeath, Jade

2026-03-29 13:24:25 +00:00

nex commented

2026-03-29 13:25:06 +00:00

PR updated to reflect that only unsigned is popped when fed formatting (stripping anything else would result in content hash verification failures)

PR updated to reflect that only `unsigned` is popped when fed formatting (stripping anything else would result in content hash verification failures)

nex added 1 commit

2026-03-29 13:28:53 +00:00

feat: Reduce verbosity of "remote server couldn't process pdu" warning

Check Changelog / Check for changelog (pull_request_target) Successful in 19s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 1m18s

Details

Checks / Prek / Pre-commit & Formatting (pull_request) Successful in 3m2s

Details

Checks / Prek / Clippy and Cargo Tests (pull_request) Failing after 22m55s

Details

8b206564aa

nex added 1 commit

2026-03-29 14:17:01 +00:00

style: Run linter

Check Changelog / Check for changelog (pull_request_target) Successful in 9s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 1m21s

Details

Checks / Prek / Pre-commit & Formatting (pull_request) Successful in 2m58s

Details

Checks / Prek / Clippy and Cargo Tests (pull_request) Successful in 26m54s

Details

422db2105c

ginger approved these changes

2026-03-29 14:28:50 +00:00

Jade approved these changes

2026-03-29 14:39:01 +00:00

Aranjedeath reviewed

2026-03-29 15:57:28 +00:00

src/service/rooms/timeline/create.rs

					
				@ -283,1 +265,4 @@

					}

					// Verify that the *full* PDU isn't over 64KiB.

					if !pdu_fits(&pdu_json) {

						return Err!(Request(TooLarge("PDU is too long large (exceeds 65535 bytes)")));

too long large is a great error message

I'm going to change this to "PDU is so extravagantly humongous that it doth not fit within its constraints" out of spite /j

@nex wrote in #1586 (comment):

I'm going to change this to "PDU is so extravagantly humongous that it doth not fit within its constraints" out of spite /j

ok but this is a GREAT and UNIQUE error message that will result in users locating the documentation immediately xD

@nex wrote in https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1586#issuecomment-26988: > I'm going to change this to "PDU is so extravagantly humongous that it doth not fit within its constraints" out of spite /j ok but this is a GREAT and UNIQUE error message that will result in users locating the documentation immediately xD

❤️ 1

Aranjedeath approved these changes

2026-03-29 15:58:04 +00:00

Dismissed

Aranjedeath requested changes

2026-03-29 16:30:56 +00:00

Aranjedeath left a comment

we are pausing on this to take a closer look, I am seeing signature errors as a result of the patch

nex commented

2026-03-29 21:54:36 +00:00

marking as wip until I fix the thing that blows stuff up

nex changed title from ~~fix: Strip unsigned over federation, improve PDU size checking performance & accuracy~~ to WIP: fix: Strip unsigned over federation, improve PDU size checking performance & accuracy

2026-03-29 21:54:40 +00:00