Unsafe, untested, and potentially overeager PDU sanity checks

src/core/matrix/state_res/event_auth.rs

@@ -219,7 +219,7 @@ where
 	/*
 	// TODO: In the past this code was commented as it caused problems with Synapse. This is no
 	// longer the case. This needs to be implemented.
-	// See also: https://github.com/ruma/ruma/pull/2064    
+	// See also: https://github.com/ruma/ruma/pull/2064
 	//
 	// 2. Reject if auth_events
 	// a. auth_events cannot have duplicate keys since it's a BTree
@@ -264,9 +264,11 @@ where
 
 	if room_id_server_name != room_create_event.sender().server_name() {
 		warn!(
-			"servername of room ID origin ({}) does not match servername of m.room.create sender ({})",
+			"servername of room ID origin ({}) does not match servername of m.room.create \
+			 sender ({})",
 			room_id_server_name,
-			room_create_event.sender().server_name());
+			room_create_event.sender().server_name()
+		);
 		return Ok(false);
 	}
 

src/service/rooms/timeline/mod.rs

@@ -698,6 +698,20 @@ impl Service {
 			.await
 			.saturating_add(uint!(1));
 
+		if state_key.is_none() {
+			if prev_events.is_empty() {
+				warn!("Timeline event had zero prev_events, something broke.");
+				return Err!(Request(Unknown("Timeline event had zero prev_events.")));
+			}
+			if depth.le(&uint!(2)) {
+				warn!(
+					"Had unsafe depth of {depth} in {room_id} when creating non-state event. \
+					 Bad!"
+				);
+				return Err!(Request(Unknown("Unsafe depth for non-state event.")));
+			}
+		};
+
 		let mut unsigned = unsigned.unwrap_or_default();
 
 		if let Some(state_key) = &state_key {