Validate client_secret parameter (#6767)

2025-08-03 17:14:14 -04:00 · 2020-01-24 14:28:40 +00:00 · 2020-01-24 14:28:40 +00:00 · 9f7aaf90b5
commit 9f7aaf90b5
parent fa4d609e20
6 changed files with 93 additions and 6 deletions
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@ -30,6 +30,7 @@ from synapse.http.servlet import (
 )
 from synapse.push.mailer import Mailer, load_jinja2_templates
 from synapse.util.msisdn import phone_number_to_msisdn
+from synapse.util.stringutils import assert_valid_client_secret
 from synapse.util.threepids import check_3pid_allowed

 from ._base import client_patterns, interactive_auth_handler
@ -81,6 +82,8 @@ class EmailPasswordRequestTokenRestServlet(RestServlet):

        # Extract params from body
        client_secret = body["client_secret"]
+        assert_valid_client_secret(client_secret)
+
        email = body["email"]
        send_attempt = body["send_attempt"]
        next_link = body.get("next_link")  # Optional param
@ -166,8 +169,9 @@ class PasswordResetSubmitTokenServlet(RestServlet):
            )

        sid = parse_string(request, "sid", required=True)
-        client_secret = parse_string(request, "client_secret", required=True)
        token = parse_string(request, "token", required=True)
+        client_secret = parse_string(request, "client_secret", required=True)
+        assert_valid_client_secret(client_secret)

        # Attempt to validate a 3PID session
        try:
@ -353,6 +357,8 @@ class EmailThreepidRequestTokenRestServlet(RestServlet):
        body = parse_json_object_from_request(request)
        assert_params_in_dict(body, ["client_secret", "email", "send_attempt"])
        client_secret = body["client_secret"]
+        assert_valid_client_secret(client_secret)
+
        email = body["email"]
        send_attempt = body["send_attempt"]
        next_link = body.get("next_link")  # Optional param
@ -413,6 +419,8 @@ class MsisdnThreepidRequestTokenRestServlet(RestServlet):
            body, ["client_secret", "country", "phone_number", "send_attempt"]
        )
        client_secret = body["client_secret"]
+        assert_valid_client_secret(client_secret)
+
        country = body["country"]
        phone_number = body["phone_number"]
        send_attempt = body["send_attempt"]
@ -493,8 +501,9 @@ class AddThreepidEmailSubmitTokenServlet(RestServlet):
            )

        sid = parse_string(request, "sid", required=True)
-        client_secret = parse_string(request, "client_secret", required=True)
        token = parse_string(request, "token", required=True)
+        client_secret = parse_string(request, "client_secret", required=True)
+        assert_valid_client_secret(client_secret)

        # Attempt to validate a 3PID session
        try:
@ -559,6 +568,7 @@ class AddThreepidMsisdnSubmitTokenServlet(RestServlet):

        body = parse_json_object_from_request(request)
        assert_params_in_dict(body, ["client_secret", "sid", "token"])
+        assert_valid_client_secret(body["client_secret"])

        # Proxy submit_token request to msisdn threepid delegate
        response = await self.identity_handler.proxy_msisdn_submit_token(
@ -600,8 +610,9 @@ class ThreepidRestServlet(RestServlet):
            )
        assert_params_in_dict(threepid_creds, ["client_secret", "sid"])

-        client_secret = threepid_creds["client_secret"]
        sid = threepid_creds["sid"]
+        client_secret = threepid_creds["client_secret"]
+        assert_valid_client_secret(client_secret)

        validation_session = await self.identity_handler.validate_threepid_session(
            client_secret, sid
@ -637,8 +648,9 @@ class ThreepidAddRestServlet(RestServlet):
        body = parse_json_object_from_request(request)

        assert_params_in_dict(body, ["client_secret", "sid"])
-        client_secret = body["client_secret"]
        sid = body["sid"]
+        client_secret = body["client_secret"]
+        assert_valid_client_secret(client_secret)

        await self.auth_handler.validate_user_via_ui_auth(
            requester, body, self.hs.get_ip_from_request(request)
@ -676,8 +688,9 @@ class ThreepidBindRestServlet(RestServlet):
        assert_params_in_dict(body, ["id_server", "sid", "client_secret"])
        id_server = body["id_server"]
        sid = body["sid"]
-        client_secret = body["client_secret"]
        id_access_token = body.get("id_access_token")  # optional
+        client_secret = body["client_secret"]
+        assert_valid_client_secret(client_secret)

        requester = await self.auth.get_user_by_req(request)
        user_id = requester.user.to_string()