mirror of
https://mau.dev/maunium/synapse.git
synced 2024-12-13 22:03:31 +01:00
Avoid temporary storage of sensitive information. (#16272)
During the UI auth process, avoid storing sensitive information into the database.
This commit is contained in:
parent
583d5963e6
commit
69b74d9330
3 changed files with 16 additions and 2 deletions
1
changelog.d/16272.bugfix
Normal file
1
changelog.d/16272.bugfix
Normal file
|
@ -0,0 +1 @@
|
|||
Avoid temporary storage of sensitive information.
|
|
@ -186,7 +186,7 @@ class PasswordRestServlet(RestServlet):
|
|||
params, session_id = await self.auth_handler.validate_user_via_ui_auth(
|
||||
requester,
|
||||
request,
|
||||
body.dict(exclude_unset=True),
|
||||
body.dict(exclude_unset=True, exclude={"new_password"}),
|
||||
"modify your account password",
|
||||
)
|
||||
user_id = requester.user.to_string()
|
||||
|
@ -194,7 +194,7 @@ class PasswordRestServlet(RestServlet):
|
|||
result, params, session_id = await self.auth_handler.check_ui_auth(
|
||||
[[LoginType.EMAIL_IDENTITY]],
|
||||
request,
|
||||
body.dict(exclude_unset=True),
|
||||
body.dict(exclude_unset=True, exclude={"new_password"}),
|
||||
"modify your account password",
|
||||
)
|
||||
|
||||
|
|
|
@ -31,6 +31,7 @@ from synapse.rest import admin
|
|||
from synapse.rest.client import account, login, register, room
|
||||
from synapse.rest.synapse.client.password_reset import PasswordResetSubmitTokenResource
|
||||
from synapse.server import HomeServer
|
||||
from synapse.storage._base import db_to_json
|
||||
from synapse.types import JsonDict, UserID
|
||||
from synapse.util import Clock
|
||||
|
||||
|
@ -134,6 +135,18 @@ class PasswordResetTestCase(unittest.HomeserverTestCase):
|
|||
# Assert we can't log in with the old password
|
||||
self.attempt_wrong_password_login("kermit", old_password)
|
||||
|
||||
# Check that the UI Auth information doesn't store the password in the database.
|
||||
#
|
||||
# Note that we don't have the UI Auth session ID, so just pull out the single
|
||||
# row.
|
||||
ui_auth_data = self.get_success(
|
||||
self.store.db_pool.simple_select_one(
|
||||
"ui_auth_sessions", keyvalues={}, retcols=("clientdict",)
|
||||
)
|
||||
)
|
||||
client_dict = db_to_json(ui_auth_data["clientdict"])
|
||||
self.assertNotIn("new_password", client_dict)
|
||||
|
||||
@override_config({"rc_3pid_validation": {"burst_count": 3}})
|
||||
def test_ratelimit_by_email(self) -> None:
|
||||
"""Test that we ratelimit /requestToken for the same email."""
|
||||
|
|
Loading…
Reference in a new issue