Allow for a validation regex for the next_link query parameter

sydent/http/servlets/emailservlet.py

@@ -14,6 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import logging
 from twisted.web.resource import Resource
 
 from sydent.util.emailutils import EmailAddressException, EmailSendException
@@ -26,6 +27,8 @@
 
 from sydent.http.servlets import get_args, jsonwrap, send_cors
 
+logger = logging.getLogger(__name__)
+
 
 class EmailRequestCodeServlet(Resource):
     isLeaf = True
@@ -60,6 +63,14 @@ def render_POST(self, request):
         if 'next_link' in args and not args['next_link'].startswith("file:///"):
             nextLink = args['next_link']
 
+        # Validate the value of next_link against the configured regex
+        if nextLink and self.sydent.next_link_valid_regex.match(nextLink) is None:
+            logger.warn(
+                "Validation attempt rejected as provided 'next_link' value is not "
+                "approved by the configured general.next_link.valid_regex value"
+            )
+            return {'errcode': 'M_UNKNOWN', 'error': 'Invalid next_link'}
+
         resp = None
 
         try:

sydent/sydent.py

@@ -20,6 +20,7 @@
 import logging
 import logging.handlers
 import os
+import re
 
 import twisted.internet.reactor
 from twisted.python import log
@@ -86,6 +87,9 @@ def list_from_comma_sep_string(rawstr):
         # Path to file detailing the configuration of the /info and /internal-info servlets.
         # More information can be found in docs/info.md.
         'info_path': 'info.yaml',
+        # A regex used to validate the next_link query parameter provided by the
+        # client to the /requestToken and /submitToken endpoints
+        'next_link.valid_regex': '.*'
     },
     'db': {
         'db.file': 'sydent.db',
@@ -184,6 +188,10 @@ def sighup(signum, stack):
             self.cfg.get('userdir', 'userdir.allowed_homeservers', '')
         ))
 
+        self.next_link_valid_regex = re.compile(
+            self.cfg.get('general', 'next_link.valid_regex')
+        )
+
         self.invites_validity_period = parse_duration(
             self.cfg.get('general', 'invites.validity_period'),
         )

sydent/validators/common.py

@@ -61,13 +61,21 @@ def validateSessionWithToken(sydent, sid, clientSecret, token, next_link=None):
     # If so, and the next_link this time around is different, then the
     # user may be getting phished. Reject the validation attempt.
     if next_link and valSessionStore.next_link_differs(sid, token, next_link):
-        logger.info(
+        logger.warn(
             "Validation attempt rejected as provided 'next_link' is different "
             "from that in a previous, successful validation attempt with this "
             "session id"
         )
         raise NextLinkValidationException()
 
+    # Validate the value of next_link against the configured regex
+    if next_link and sydent.next_link_valid_regex.match(next_link) is None:
+        logger.warn(
+            "Validation attempt rejected as provided 'next_link' value is not "
+            "approved by the configured general.next_link.valid_regex value"
+        )
+        raise NextLinkValidationException()
+
     # TODO once we can validate the token oob
     #if tokenObj.validated and clientSecret == tokenObj.clientSecret:
     #    return True