Change display names/avatar URLs to None if they contain null bytes before storing in DB (#11230)

* change display names/avatar URLS to None if they contain null bytes * add changelog * add POC test, requested changes * add a saner test and remove old one * update test to verify that display name has been changed to None * make test less fragile
2025-05-15 14:22:10 -04:00 · 2021-11-12 10:38:24 -08:00 · 2021-11-12 10:38:24 -08:00 · 0bcae8ad56
commit 0bcae8ad56
parent 9b90b9454b
3 changed files with 56 additions and 4 deletions
--- a/synapse/storage/databases/main/events.py
+++ b/synapse/storage/databases/main/events.py
@ -1641,8 +1641,8 @@ class PersistEventsStore:
    def _store_room_members_txn(self, txn, events, backfilled):
        """Store a room member in the database."""

-        def str_or_none(val: Any) -> Optional[str]:
-            return val if isinstance(val, str) else None
+        def non_null_str_or_none(val: Any) -> Optional[str]:
+            return val if isinstance(val, str) and "\u0000" not in val else None

        self.db_pool.simple_insert_many_txn(
            txn,
@ -1654,8 +1654,10 @@ class PersistEventsStore:
                    "sender": event.user_id,
                    "room_id": event.room_id,
                    "membership": event.membership,
-                    "display_name": str_or_none(event.content.get("displayname")),
-                    "avatar_url": str_or_none(event.content.get("avatar_url")),
+                    "display_name": non_null_str_or_none(
+                        event.content.get("displayname")
+                    ),
+                    "avatar_url": non_null_str_or_none(event.content.get("avatar_url")),
                }
                for event in events
            ],