mirror of
https://github.com/matrix-org/synapse.git
synced 2025-01-28 02:49:16 +00:00
Avoid temporary storage of sensitive information. (#16272)
During the UI auth process, avoid storing sensitive information into the database.
This commit is contained in:
parent
583d5963e6
commit
69b74d9330
1
changelog.d/16272.bugfix
Normal file
1
changelog.d/16272.bugfix
Normal file
@ -0,0 +1 @@
|
|||||||
|
Avoid temporary storage of sensitive information.
|
@ -186,7 +186,7 @@ class PasswordRestServlet(RestServlet):
|
|||||||
params, session_id = await self.auth_handler.validate_user_via_ui_auth(
|
params, session_id = await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester,
|
requester,
|
||||||
request,
|
request,
|
||||||
body.dict(exclude_unset=True),
|
body.dict(exclude_unset=True, exclude={"new_password"}),
|
||||||
"modify your account password",
|
"modify your account password",
|
||||||
)
|
)
|
||||||
user_id = requester.user.to_string()
|
user_id = requester.user.to_string()
|
||||||
@ -194,7 +194,7 @@ class PasswordRestServlet(RestServlet):
|
|||||||
result, params, session_id = await self.auth_handler.check_ui_auth(
|
result, params, session_id = await self.auth_handler.check_ui_auth(
|
||||||
[[LoginType.EMAIL_IDENTITY]],
|
[[LoginType.EMAIL_IDENTITY]],
|
||||||
request,
|
request,
|
||||||
body.dict(exclude_unset=True),
|
body.dict(exclude_unset=True, exclude={"new_password"}),
|
||||||
"modify your account password",
|
"modify your account password",
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -31,6 +31,7 @@ from synapse.rest import admin
|
|||||||
from synapse.rest.client import account, login, register, room
|
from synapse.rest.client import account, login, register, room
|
||||||
from synapse.rest.synapse.client.password_reset import PasswordResetSubmitTokenResource
|
from synapse.rest.synapse.client.password_reset import PasswordResetSubmitTokenResource
|
||||||
from synapse.server import HomeServer
|
from synapse.server import HomeServer
|
||||||
|
from synapse.storage._base import db_to_json
|
||||||
from synapse.types import JsonDict, UserID
|
from synapse.types import JsonDict, UserID
|
||||||
from synapse.util import Clock
|
from synapse.util import Clock
|
||||||
|
|
||||||
@ -134,6 +135,18 @@ class PasswordResetTestCase(unittest.HomeserverTestCase):
|
|||||||
# Assert we can't log in with the old password
|
# Assert we can't log in with the old password
|
||||||
self.attempt_wrong_password_login("kermit", old_password)
|
self.attempt_wrong_password_login("kermit", old_password)
|
||||||
|
|
||||||
|
# Check that the UI Auth information doesn't store the password in the database.
|
||||||
|
#
|
||||||
|
# Note that we don't have the UI Auth session ID, so just pull out the single
|
||||||
|
# row.
|
||||||
|
ui_auth_data = self.get_success(
|
||||||
|
self.store.db_pool.simple_select_one(
|
||||||
|
"ui_auth_sessions", keyvalues={}, retcols=("clientdict",)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
client_dict = db_to_json(ui_auth_data["clientdict"])
|
||||||
|
self.assertNotIn("new_password", client_dict)
|
||||||
|
|
||||||
@override_config({"rc_3pid_validation": {"burst_count": 3}})
|
@override_config({"rc_3pid_validation": {"burst_count": 3}})
|
||||||
def test_ratelimit_by_email(self) -> None:
|
def test_ratelimit_by_email(self) -> None:
|
||||||
"""Test that we ratelimit /requestToken for the same email."""
|
"""Test that we ratelimit /requestToken for the same email."""
|
||||||
|
Loading…
Reference in New Issue
Block a user