From 7585512ec2664007434056a695451c98cff3c12f Mon Sep 17 00:00:00 2001
From: Diego Sampaio <chinello@gmail.com>
Date: Thu, 25 Sep 2025 17:43:59 -0300
Subject: [PATCH] fix: validate event from sender

---
 .../src/services/event.service.ts               | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/packages/federation-sdk/src/services/event.service.ts b/packages/federation-sdk/src/services/event.service.ts
index 7ac9d099d..e8d59a520 100644
--- a/packages/federation-sdk/src/services/event.service.ts
+++ b/packages/federation-sdk/src/services/event.service.ts
@@ -175,7 +175,7 @@ export class EventService {
 			Array.from(eventsByRoomId.entries()).map(async ([roomId, events]) => {
 				for await (const event of events) {
 					try {
-						await this.validateEvent(origin, event);
+						await this.validateEvent(event);
 					} catch (err) {
 						this.logger.error({
 							msg: 'Event validation failed',
@@ -221,12 +221,25 @@ export class EventService {
 		);
 	}
 
-	private async validateEvent(origin: string, event: Pdu): Promise<void> {
+	private async validateEvent(event: Pdu): Promise<void> {
 		const roomVersion = await this.getRoomVersion(event);
 		if (!roomVersion) {
 			throw new Error('M_UNKNOWN_ROOM_VERSION');
 		}
 
+		if (
+			event.type === 'm.room.member' &&
+			event.content.membership === 'invite' &&
+			'third_party_invite' in event.content
+		) {
+			throw new Error('Third party invites are not supported');
+		}
+
+		const origin = event.sender.split(':').pop();
+		if (!origin) {
+			throw new Error('Event sender is missing domain');
+		}
+
 		const eventSchema = this.getEventSchema(roomVersion, event.type);
 
 		const validationResult = eventSchema.safeParse(event);