Reject key requests for users that are not members of the room

src/Cache.cpp

@@ -1714,6 +1714,19 @@ Cache::getMembers(const std::string &room_id, std::size_t startIndex, std::size_
         return members;
 }
 
+bool
+Cache::isRoomMember(const std::string &user_id, const std::string &room_id)
+{
+        auto txn = lmdb::txn::begin(env_);
+        auto db  = getMembersDb(txn, room_id);
+
+        lmdb::val value;
+        bool res = lmdb::dbi_get(txn, db, lmdb::val(user_id), value);
+        txn.commit();
+
+        return res;
+}
+
 void
 Cache::saveTimelineMessages(lmdb::txn &txn,
                             const std::string &room_id,

src/Cache.h

@@ -400,6 +400,9 @@ public:
         void setDeviceList(const std::string &user_id, const std::vector<std::string> &devices);
         std::vector<std::string> getDeviceList(const std::string &user_id);
 
+        //! Check if a user is a member of the room.
+        bool isRoomMember(const std::string &user_id, const std::string &room_id);
+
         //
         // Outbound Megolm Sessions
         //

src/Olm.cpp

@@ -369,6 +369,14 @@ handle_key_request_message(const mtx::events::msg::KeyRequest &req)
                 return;
         }
 
+        if (!cache::client()->isRoomMember(req.sender, req.room_id)) {
+                nhlog::crypto()->warn(
+                  "user {} that requested the session key is not member of the room {}",
+                  req.sender,
+                  req.room_id);
+                return;
+        }
+
         //
         // Prepare the m.room_key event.
         //