Validate client_secret parameter according to spec (#20)
This commit is contained in:
Andrew Morgan
1
changelog.d/20.bugfix
Normal file
1
changelog.d/20.bugfix
Normal file
@@ -0,0 +1 @@
|
||||
Validate `client_secret` parameter against the regex provided by the C-S spec.
|
||||
@@ -34,7 +34,7 @@ from synapse.http.servlet import (
|
||||
)
|
||||
from synapse.types import UserID
|
||||
from synapse.util.msisdn import phone_number_to_msisdn
|
||||
from synapse.util.stringutils import random_string
|
||||
from synapse.util.stringutils import assert_valid_client_secret, random_string
|
||||
from synapse.util.threepids import check_3pid_allowed
|
||||
|
||||
from ._base import client_patterns, interactive_auth_handler
|
||||
@@ -79,6 +79,8 @@ class EmailPasswordRequestTokenRestServlet(RestServlet):
|
||||
|
||||
# Extract params from body
|
||||
client_secret = body["client_secret"]
|
||||
assert_valid_client_secret(client_secret)
|
||||
|
||||
email = body["email"]
|
||||
send_attempt = body["send_attempt"]
|
||||
next_link = body.get("next_link") # Optional param
|
||||
@@ -216,6 +218,8 @@ class MsisdnPasswordRequestTokenRestServlet(RestServlet):
|
||||
Codes.THREEPID_DENIED,
|
||||
)
|
||||
|
||||
assert_valid_client_secret(body["client_secret"])
|
||||
|
||||
existingUid = yield self.datastore.get_user_id_by_threepid(
|
||||
'msisdn', msisdn
|
||||
)
|
||||
@@ -257,6 +261,9 @@ class PasswordResetSubmitTokenServlet(RestServlet):
|
||||
|
||||
sid = parse_string(request, "sid")
|
||||
client_secret = parse_string(request, "client_secret")
|
||||
|
||||
assert_valid_client_secret(client_secret)
|
||||
|
||||
token = parse_string(request, "token")
|
||||
|
||||
# Attempt to validate a 3PID sesssion
|
||||
@@ -330,6 +337,8 @@ class PasswordResetSubmitTokenServlet(RestServlet):
|
||||
'sid', 'client_secret', 'token',
|
||||
])
|
||||
|
||||
assert_valid_client_secret(body["client_secret"])
|
||||
|
||||
valid, _ = yield self.datastore.validate_threepid_validation_token(
|
||||
body['sid'],
|
||||
body['client_secret'],
|
||||
@@ -510,6 +519,8 @@ class EmailThreepidRequestTokenRestServlet(RestServlet):
|
||||
Codes.THREEPID_DENIED,
|
||||
)
|
||||
|
||||
assert_valid_client_secret(body["client_secret"])
|
||||
|
||||
existingUid = yield self.datastore.get_user_id_by_threepid(
|
||||
'email', body['email']
|
||||
)
|
||||
@@ -547,6 +558,8 @@ class MsisdnThreepidRequestTokenRestServlet(RestServlet):
|
||||
Codes.THREEPID_DENIED,
|
||||
)
|
||||
|
||||
assert_valid_client_secret(body["client_secret"])
|
||||
|
||||
existingUid = yield self.datastore.get_user_id_by_threepid(
|
||||
'msisdn', msisdn
|
||||
)
|
||||
|
||||
@@ -43,6 +43,7 @@ from synapse.http.servlet import (
|
||||
)
|
||||
from synapse.util.msisdn import phone_number_to_msisdn
|
||||
from synapse.util.ratelimitutils import FederationRateLimiter
|
||||
from synapse.util.stringutils import assert_valid_client_secret
|
||||
from synapse.util.threepids import check_3pid_allowed
|
||||
|
||||
from ._base import client_patterns, interactive_auth_handler
|
||||
@@ -88,6 +89,8 @@ class EmailRegisterRequestTokenRestServlet(RestServlet):
|
||||
Codes.THREEPID_DENIED,
|
||||
)
|
||||
|
||||
assert_params_in_dict(body["client_secret"])
|
||||
|
||||
existingUid = yield self.hs.get_datastore().get_user_id_by_threepid(
|
||||
'email', body['email']
|
||||
)
|
||||
@@ -123,6 +126,8 @@ class MsisdnRegisterRequestTokenRestServlet(RestServlet):
|
||||
|
||||
msisdn = phone_number_to_msisdn(body['country'], body['phone_number'])
|
||||
|
||||
assert_valid_client_secret(body["client_secret"])
|
||||
|
||||
if not (yield check_3pid_allowed(self.hs, "msisdn", msisdn)):
|
||||
raise SynapseError(
|
||||
403,
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
# Copyright 2014-2016 OpenMarket Ltd
|
||||
# Copyright 2020 The Matrix.org Foundation C.I.C.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
@@ -14,12 +15,15 @@
|
||||
# limitations under the License.
|
||||
|
||||
import random
|
||||
import re
|
||||
import string
|
||||
|
||||
import six
|
||||
from six import PY2, PY3
|
||||
from six.moves import range
|
||||
|
||||
from synapse.api.errors import Codes, SynapseError
|
||||
|
||||
_string_with_symbols = (
|
||||
string.digits + string.ascii_letters + ".,;:^&*-_+=#~@"
|
||||
)
|
||||
@@ -29,6 +33,8 @@ _string_with_symbols = (
|
||||
# we get cryptographically-secure randoms.
|
||||
rand = random.SystemRandom()
|
||||
|
||||
client_secret_regex = re.compile(r"^[0-9a-zA-Z.=_-]+$")
|
||||
|
||||
|
||||
def random_string(length):
|
||||
return ''.join(rand.choice(string.ascii_letters) for _ in range(length))
|
||||
@@ -113,3 +119,11 @@ def exception_to_unicode(e):
|
||||
return msg.decode('utf-8', errors='replace')
|
||||
else:
|
||||
return msg
|
||||
|
||||
|
||||
def assert_valid_client_secret(client_secret):
|
||||
"""Validate that a given string matches the client_secret regex defined by the spec"""
|
||||
if client_secret_regex.match(client_secret) is None:
|
||||
raise SynapseError(
|
||||
400, "Invalid client_secret parameter", errcode=Codes.INVALID_PARAM
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user