
Avoid temporary storage of sensitive information. #16272

Merged
merged 2 commits into from
Sep 8, 2023
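--- a/changelog.d/16272.bugfix
+++ b/changelog.d/16272.bugfix
@@ -0,0 +1 @@
+Avoid temporary storage of sensitive information.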
4 changes: 2 additions & 2 deletions synapse/rest/client/account.py
Expand Up @@ -186,7 +186,7 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
params, session_id = await self.auth_handler.validate_user_via_ui_auth(
requester,
request,
body.dict(exclude_unset=True),
body.dict(exclude_unset=True, exclude={"new_password"}),
"modify your account password",
)
except InteractiveAuthIncompleteError as e:
Expand All @@ -209,7 +209,7 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
result, params, session_id = await self.auth_handler.check_ui_auth(
[[LoginType.EMAIL_IDENTITY]],
request,
body.dict(exclude_unset=True),
body.dict(exclude_unset=True, exclude={"new_password"}),
"modify your account password",
)
except InteractiveAuthIncompleteError as e:
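Review bot: The exclusion set `{"new_password"}` is repeated verbatim at both call sites (lines 40 and 49) with nothing at either saying why, so a reader of the second call cannot tell that this dict is what gets persisted as the UI-auth session's clientdict, and a future third call site could silently reintroduce the leak. Hoisting it to a module-level constant gives the reason one home: `# Fields that must never be persisted in the ui_auth_sessions clientdict.` / `_UI_AUTH_EXCLUDED_FIELDS = {"new_password"}` and then `body.dict(exclude_unset=True, exclude=_UI_AUTH_EXCLUDED_FIELDS)` at both calls. It is also worth confirming that the code after each call takes the password from `body` rather than from the returned `params`, since the stored dict no longer carries it; the added test exercises only the email-identity path of the second hunk. on_POST begins before and ends after both hunks.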
13 changes: 13 additions & 0 deletions tests/rest/client/test_account.py
Expand Up @@ -31,6 +31,7 @@
from synapse.rest.client import account, login, register, room
from synapse.rest.synapse.client.password_reset import PasswordResetSubmitTokenResource
from synapse.server import HomeServer
from synapse.storage._base import db_to_json
from synapse.types import JsonDict, UserID
from synapse.util import Clock

Expand Down Expand Up @@ -134,6 +135,18 @@ def test_basic_password_reset(self) -> None:
# Assert we can't log in with the old password
self.attempt_wrong_password_login("kermit", old_password)

# Check that the UI Auth information doesn't store the password in the database.
#
# Note that we don't have the UI Auth session ID, so just pull out the single
# row.
ui_auth_data = self.get_success(
self.store.db_pool.simple_select_one(
"ui_auth_sessions", keyvalues={}, retcols=("clientdict",)
)
)
client_dict = db_to_json(ui_auth_data["clientdict"])
self.assertNotIn("new_password", client_dict)

@override_config({"rc_3pid_validation": {"burst_count": 3}})
def test_ratelimit_by_email(self) -> None:
"""Test that we ratelimit /requestToken for the same email."""
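Review bot: The assertion at line 78 only proves the key is absent, so it would also pass if the exclusion were too broad and the stored clientdict came back empty; pairing it with a positive check such as `self.assertTrue(client_dict)` (or asserting on a field the request body is known to carry, if there is one) pins the intended behaviour rather than just the absence. The lookup at lines 72-76 with `keyvalues={}` relies on `ui_auth_sessions` holding exactly one row, as the comment says; whether `simple_select_one` enforces that or quietly returns the first row is not visible here, so it is worth confirming, since a later test that leaves a session behind would otherwise make this check silently read the wrong row. test_basic_password_reset starts before the hunk.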