Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Avoid temporary storage of sensitive information. #16272

Merged
merged 2 commits into from
Sep 8, 2023
Merged

Avoid temporary storage of sensitive information. #16272

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7c84b10
Avoid temporary storage of sensitive information.
clokep Sep 6, 2023
55b16aa
Newsfragment
clokep Sep 7, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/16272.bugfix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Avoid temporary storage of sensitive information.
4 changes: 2 additions & 2 deletions synapse/rest/client/account.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -186,7 +186,7 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
params, session_id = await self.auth_handler.validate_user_via_ui_auth(
requester,
request,
body.dict(exclude_unset=True),
body.dict(exclude_unset=True, exclude={"new_password"}),
"modify your account password",
)
except InteractiveAuthIncompleteError as e:
Expand All @@ -209,7 +209,7 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
result, params, session_id = await self.auth_handler.check_ui_auth(
[[LoginType.EMAIL_IDENTITY]],
request,
body.dict(exclude_unset=True),
body.dict(exclude_unset=True, exclude={"new_password"}),
"modify your account password",
)
except InteractiveAuthIncompleteError as e:
Expand Down
13 changes: 13 additions & 0 deletions tests/rest/client/test_account.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@
from synapse.rest.client import account, login, register, room
from synapse.rest.synapse.client.password_reset import PasswordResetSubmitTokenResource
from synapse.server import HomeServer
from synapse.storage._base import db_to_json
from synapse.types import JsonDict, UserID
from synapse.util import Clock

Expand Down Expand Up @@ -134,6 +135,18 @@ def test_basic_password_reset(self) -> None:
# Assert we can't log in with the old password
self.attempt_wrong_password_login("kermit", old_password)

# Check that the UI Auth information doesn't store the password in the database.
#
# Note that we don't have the UI Auth session ID, so just pull out the single
# row.
ui_auth_data = self.get_success(
self.store.db_pool.simple_select_one(
"ui_auth_sessions", keyvalues={}, retcols=("clientdict",)
)
)
client_dict = db_to_json(ui_auth_data["clientdict"])
self.assertNotIn("new_password", client_dict)

@override_config({"rc_3pid_validation": {"burst_count": 3}})
def test_ratelimit_by_email(self) -> None:
"""Test that we ratelimit /requestToken for the same email."""
Expand Down
Loading