Limit device_id size to 512B (#12454)

*
2024-06-08 21:58:53 +02:00 · 2022-04-13 10:04:01 -07:00 · 2022-04-13 10:04:01 -07:00 · 8e2759f2d8
parent 0922462fc7
commit 8e2759f2d8
3 changed files with 36 additions and 1 deletions
--- a/changelog.d/12454.misc
+++ b/changelog.d/12454.misc
@ -0,0 +1 @@
+Limit length of device_id to less than 512 characters.
--- a/synapse/rest/client/login.py
+++ b/synapse/rest/client/login.py
@ -342,6 +342,15 @@ class LoginRestServlet(RestServlet):
            user_id = canonical_uid

        device_id = login_submission.get("device_id")
+
+        # If device_id is present, check that device_id is not longer than a reasonable 512 characters
+        if device_id and len(device_id) > 512:
+            raise LoginError(
+                400,
+                "device_id cannot be longer than 512 characters.",
+                errcode=Codes.INVALID_PARAM,
+            )
+
        initial_display_name = login_submission.get("initial_device_display_name")
        (
            device_id,
--- a/tests/rest/client/test_login.py
+++ b/tests/rest/client/test_login.py
@ -11,7 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
+import json
 import time
 import urllib.parse
 from typing import Any, Dict, List, Optional, Union
@ -384,6 +384,31 @@ class LoginRestServletTestCase(unittest.HomeserverTestCase):
        channel = self.make_request(b"POST", "/logout/all", access_token=access_token)
        self.assertEqual(channel.result["code"], b"200", channel.result)

+    def test_login_with_overly_long_device_id_fails(self) -> None:
+        self.register_user("mickey", "cheese")
+
+        # create a device_id longer than 512 characters
+        device_id = "yolo" * 512
+
+        body = {
+            "type": "m.login.password",
+            "user": "mickey",
+            "password": "cheese",
+            "device_id": device_id,
+        }
+
+        # make a login request with the bad device_id
+        channel = self.make_request(
+            "POST",
+            "/_matrix/client/v3/login",
+            json.dumps(body).encode("utf8"),
+            custom_headers=None,
+        )
+
+        # test that the login fails with the correct error code
+        self.assertEqual(channel.code, 400)
+        self.assertEqual(channel.json_body["errcode"], "M_INVALID_PARAM")
+

@skip_unless(has_saml2 and HAS_OIDC, "Requires SAML2 and OIDC")
 class MultiSSOTestCase(unittest.HomeserverTestCase):
				`@ -0,0 +1 @@`
				`Limit length of device_id to less than 512 characters.`