Avoid temporary storage of sensitive information. (#16272)
During the UI auth process, avoid storing sensitive information
in the database.
clokep authored Sep 8, 2023
1 parent 583d596 commit 69b74d9
Showing 3 changed files with 16 additions and 2 deletions.
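--- a/changelog.d/16272.bugfix
+++ b/changelog.d/16272.bugfix
@@ -0,0 +1 @@
+Avoid temporary storage of sensitive information.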
4 changes: 2 additions & 2 deletions synapse/rest/client/account.py
@@ -186,15 +186,15 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
params, session_id = await self.auth_handler.validate_user_via_ui_auth(
requester,
request,
body.dict(exclude_unset=True),
body.dict(exclude_unset=True, exclude={"new_password"}),
"modify your account password",
)
user_id = requester.user.to_string()
else:
result, params, session_id = await self.auth_handler.check_ui_auth(
[[LoginType.EMAIL_IDENTITY]],
request,
body.dict(exclude_unset=True),
body.dict(exclude_unset=True, exclude={"new_password"}),
"modify your account password",
)

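Review bot: Both UI-auth call sites in on_POST now repeat `body.dict(exclude_unset=True, exclude={"new_password"})` with no comment saying why the field is dropped, so a later edit could restore the plain `body.dict(exclude_unset=True)` in one branch and silently persist the password again. Build the dict once before the branch, e.g. `clientdict = body.dict(exclude_unset=True, exclude={"new_password"})`, with a comment such as `# The client dict is stored with the UI auth session; never include the new password.`, and pass `clientdict` to both calls. The exclusion is a string literal that has to track the body model's field name, so any other secret field added to that model later would need to be listed here as well. on_POST starts and continues outside the hunk, so it is worth confirming that nothing further down expects `new_password` in the returned `params`.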
13 changes: 13 additions & 0 deletions tests/rest/client/test_account.py
@@ -31,6 +31,7 @@
from synapse.rest.client import account, login, register, room
from synapse.rest.synapse.client.password_reset import PasswordResetSubmitTokenResource
from synapse.server import HomeServer
from synapse.storage._base import db_to_json
from synapse.types import JsonDict, UserID
from synapse.util import Clock

@@ -134,6 +135,18 @@ def test_basic_password_reset(self) -> None:
# Assert we can't log in with the old password
self.attempt_wrong_password_login("kermit", old_password)

# Check that the UI Auth information doesn't store the password in the database.
#
# Note that we don't have the UI Auth session ID, so just pull out the single
# row.
ui_auth_data = self.get_success(
self.store.db_pool.simple_select_one(
"ui_auth_sessions", keyvalues={}, retcols=("clientdict",)
)
)
client_dict = db_to_json(ui_auth_data["clientdict"])
self.assertNotIn("new_password", client_dict)

@override_config({"rc_3pid_validation": {"burst_count": 3}})
def test_ratelimit_by_email(self) -> None:
"""Test that we ratelimit /requestToken for the same email."""
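Review bot: The new assertion in test_basic_password_reset only checks that the key `new_password` is absent from the stored `clientdict`, so it would still pass if the password value were persisted under another key or inside a nested structure. Consider also asserting that the password string used for the reset (defined outside this hunk) does not appear among the values of the decoded `client_dict`. The test appears to exercise only the password-reset flow, so the `validate_user_via_ui_auth` call site changed in account.py has no equivalent check visible here; a matching assertion in a logged-in password-change test would cover it. The `keyvalues={}` lookup also relies on exactly one row in `ui_auth_sessions`, which the in-code comment acknowledges; the test body starts outside the hunk.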
