Avoid temporary storage of sensitive information. (#16272)

During the UI auth process, avoid storing sensitive information
into the database.
This commit is contained in:
Patrick Cloke 2023-09-08 08:57:56 -04:00 committed by GitHub
parent 583d5963e6
commit 69b74d9330
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 16 additions and 2 deletions

1
changelog.d/16272.bugfix Normal file
View File

@ -0,0 +1 @@
Avoid temporary storage of sensitive information.

View File

@ -186,7 +186,7 @@ class PasswordRestServlet(RestServlet):
params, session_id = await self.auth_handler.validate_user_via_ui_auth( params, session_id = await self.auth_handler.validate_user_via_ui_auth(
requester, requester,
request, request,
body.dict(exclude_unset=True), body.dict(exclude_unset=True, exclude={"new_password"}),
"modify your account password", "modify your account password",
) )
user_id = requester.user.to_string() user_id = requester.user.to_string()
@ -194,7 +194,7 @@ class PasswordRestServlet(RestServlet):
result, params, session_id = await self.auth_handler.check_ui_auth( result, params, session_id = await self.auth_handler.check_ui_auth(
[[LoginType.EMAIL_IDENTITY]], [[LoginType.EMAIL_IDENTITY]],
request, request,
body.dict(exclude_unset=True), body.dict(exclude_unset=True, exclude={"new_password"}),
"modify your account password", "modify your account password",
) )

View File

@ -31,6 +31,7 @@ from synapse.rest import admin
from synapse.rest.client import account, login, register, room from synapse.rest.client import account, login, register, room
from synapse.rest.synapse.client.password_reset import PasswordResetSubmitTokenResource from synapse.rest.synapse.client.password_reset import PasswordResetSubmitTokenResource
from synapse.server import HomeServer from synapse.server import HomeServer
from synapse.storage._base import db_to_json
from synapse.types import JsonDict, UserID from synapse.types import JsonDict, UserID
from synapse.util import Clock from synapse.util import Clock
@ -134,6 +135,18 @@ class PasswordResetTestCase(unittest.HomeserverTestCase):
# Assert we can't log in with the old password # Assert we can't log in with the old password
self.attempt_wrong_password_login("kermit", old_password) self.attempt_wrong_password_login("kermit", old_password)
# Check that the UI Auth information doesn't store the password in the database.
#
# Note that we don't have the UI Auth session ID, so just pull out the single
# row.
ui_auth_data = self.get_success(
self.store.db_pool.simple_select_one(
"ui_auth_sessions", keyvalues={}, retcols=("clientdict",)
)
)
client_dict = db_to_json(ui_auth_data["clientdict"])
self.assertNotIn("new_password", client_dict)
@override_config({"rc_3pid_validation": {"burst_count": 3}}) @override_config({"rc_3pid_validation": {"burst_count": 3}})
def test_ratelimit_by_email(self) -> None: def test_ratelimit_by_email(self) -> None:
"""Test that we ratelimit /requestToken for the same email.""" """Test that we ratelimit /requestToken for the same email."""