api: Reject non-object event content on /send and /state.

jevolk · jevolk · commit 4c3e55c68642 · 2026-05-04T05:26:12.000Z
Per spec, event content is required to be a JSON object. The send
endpoints accepted any valid JSON value, including bare strings and
arrays.

Signed-off-by: Jason Volk &lt;jason@zemos.net&gt;
diff --git a/crates/ruma-client-api/src/message/send_message_event.rs b/crates/ruma-client-api/src/message/send_message_event.rs
@@ -51,6 +51,7 @@ pub mod v3 {
 
         /// The event content to send.
         #[ruma_api(body)]
+        #[serde(deserialize_with = "ruma_common::serde::deserialize_raw_object")]
         pub body: Raw<AnyMessageLikeEventContent>,
 
         /// Timestamp to use for the `origin_server_ts` of the event.
diff --git a/crates/ruma-client-api/src/state/send_state_event.rs b/crates/ruma-client-api/src/state/send_state_event.rs
@@ -181,7 +181,16 @@ pub mod v3 {
             let request_query: RequestQuery =
                 serde_html_form::from_str(request.uri().query().unwrap_or(""))?;
 
-            let body = serde_json::from_slice(request.body().as_ref())?;
+            let body: Raw<AnyStateEventContent> = serde_json::from_slice(request.body().as_ref())?;
+            if !body.json().get().trim_start().starts_with('{') {
+                return Err(ruma_common::api::error::DeserializationError::Json(
+                    serde::de::Error::invalid_type(
+                        serde::de::Unexpected::Other("non-object value"),
+                        &"a JSON object",
+                    ),
+                )
+                .into());
+            }
 
             Ok(Self { room_id, event_type, state_key, body, timestamp: request_query.timestamp })
         }
diff --git a/crates/ruma-common/src/serde.rs b/crates/ruma-common/src/serde.rs
@@ -167,6 +167,25 @@ where
     deserializer.deserialize_seq(SkipInvalid(PhantomData))
 }
 
+/// Deserialize a `Raw<T>` and reject any value whose top-level JSON shape is
+/// not an object. Use as `#[serde(deserialize_with =
+/// "ruma_common::serde::deserialize_raw_object")]` on request body fields where the Matrix spec
+/// mandates an object (e.g., `Raw<EventContent>` for `/_matrix/client/.../send` endpoints).
+pub fn deserialize_raw_object<'de, T, D>(deserializer: D) -> Result<crate::serde::Raw<T>, D::Error>
+where
+    D: Deserializer<'de>,
+{
+    use serde::de::Error;
+    let raw = <crate::serde::Raw<T> as Deserialize>::deserialize(deserializer)?;
+    if !raw.json().get().trim_start().starts_with('{') {
+        return Err(D::Error::invalid_type(
+            serde::de::Unexpected::Other("non-object value"),
+            &"a JSON object",
+        ));
+    }
+    Ok(raw)
+}
+
 pub use ruma_macros::{
     _FakeDeriveSerde, AsRefStr, AsStrAsRefStr, DebugAsRefStr, DeserializeFromCowStr,
     DisplayAsRefStr, EqAsRefStr, FromString, OrdAsRefStr, SerializeAsRefStr, StringEnum,
