From 722c10dd70dc4abb9311665acd01ca1a3dfcceb8 Mon Sep 17 00:00:00 2001
From: Beaudan Brown <beau@loki.network>
Date: Mon, 4 Nov 2019 12:04:56 +1100
Subject: [PATCH] Verify that incoming sync messages are from one of our
 devices, don't send messages to ourselves

---
 libtextsecure/message_receiver.js | 28 ++++++++++++++++++++--------
 libtextsecure/outgoing_message.js | 10 +++++-----
 2 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/libtextsecure/message_receiver.js b/libtextsecure/message_receiver.js
index 5f51a6848..8a6dc9a98 100644
--- a/libtextsecure/message_receiver.js
+++ b/libtextsecure/message_receiver.js
@@ -1018,7 +1018,9 @@ MessageReceiver.prototype.extend({
       this.processDecrypted(envelope, msg).then(message => {
         const groupId = message.group && message.group.id;
         const isBlocked = this.isGroupBlocked(groupId);
-        const isMe = envelope.source === textsecure.storage.user.getNumber();
+        const isMe =
+          envelope.source === textsecure.storage.user.getNumber() ||
+          envelope.source === window.storage.get('primaryDevicePubKey');
         const isLeavingGroup = Boolean(
           message.group &&
             message.group.type === textsecure.protobuf.GroupContext.Type.QUIT
@@ -1451,13 +1453,23 @@ MessageReceiver.prototype.extend({
     window.log.info('null message from', this.getEnvelopeId(envelope));
     this.removeFromCache(envelope);
   },
-  handleSyncMessage(envelope, syncMessage) {
-    if (envelope.source !== this.number) {
-      throw new Error('Received sync message from another number');
-    }
-    // eslint-disable-next-line eqeqeq
-    if (envelope.sourceDevice == this.deviceId) {
-      throw new Error('Received sync message from our own device');
+  async handleSyncMessage(envelope, syncMessage) {
+    const ourNumber = textsecure.storage.user.getNumber();
+    // NOTE: Maybe we should be caching this list?
+    const ourAuthorisations = await libloki.storage.getPrimaryDeviceMapping(
+      ourNumber
+    );
+    const validSyncSender =
+      ourAuthorisations &&
+      ourAuthorisations.some(
+        auth =>
+          auth.secondaryDevicePubKey === ourNumber ||
+          auth.primaryDevicePubKey === ourNumber
+      );
+    if (!validSyncSender) {
+      throw new Error(
+        "Received sync message from a device we aren't paired with"
+      );
     }
     if (syncMessage.sent) {
       const sentMessage = syncMessage.sent;
diff --git a/libtextsecure/outgoing_message.js b/libtextsecure/outgoing_message.js
index aea4db575..c546ae864 100644
--- a/libtextsecure/outgoing_message.js
+++ b/libtextsecure/outgoing_message.js
@@ -95,18 +95,18 @@ OutgoingMessage.prototype = {
     this.numberCompleted();
   },
   reloadDevicesAndSend(number, recurse) {
+    const ourNumber = textsecure.storage.user.getNumber();
     return () =>
       libloki.storage
         .getAllDevicePubKeysForPrimaryPubKey(number)
+        // Don't send to ourselves
+        .then(devicesPubKeys =>
+          devicesPubKeys.filter(pubKey => pubKey !== ourNumber)
+        )
         .then(devicesPubKeys => {
           if (devicesPubKeys.length === 0) {
             // eslint-disable-next-line no-param-reassign
             devicesPubKeys = [number];
-            // return this.registerError(
-            //   number,
-            //   'Got empty device list when loading device keys',
-            //   null
-            // );
           }
           return this.doSendMessage(number, devicesPubKeys, recurse);
         });