Skip to content

Commit

Permalink
Validation improvements
Browse files Browse the repository at this point in the history
Add some more validation to `client_secret` and `email` parameters.
  • Loading branch information
richvdh committed Apr 12, 2021
1 parent 23ced7c commit 3175fd3
Show file tree
Hide file tree
Showing 3 changed files with 31 additions and 3 deletions.
9 changes: 8 additions & 1 deletion sydent/http/servlets/emailservlet.py
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@

from twisted.web.resource import Resource

from sydent.util.stringutils import is_valid_client_secret
from sydent.util.stringutils import is_valid_client_secret, MAX_EMAIL_ADDRESS_LENGTH
from sydent.util.emailutils import EmailAddressException, EmailSendException
from sydent.validators import (
IncorrectClientSecretException,
Expand Down Expand Up @@ -58,6 +58,13 @@ def render_POST(self, request):
'error': 'Invalid client_secret provided'
}

if not (0 < len(email) <= MAX_EMAIL_ADDRESS_LENGTH):
request.setResponseCode(400)
return {
'errcode': 'M_INVALID_PARAM',
'error': 'Invalid email provided'
}

ipaddress = self.sydent.ip_from_request(request)
brand = self.sydent.brand_from_request(request)

Expand Down
9 changes: 9 additions & 0 deletions sydent/http/servlets/store_invite_servlet.py
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@
from sydent.http.servlets import get_args, send_cors, jsonwrap, MatrixRestError
from sydent.http.auth import authV2
from sydent.util.emailutils import sendEmail
from sydent.util.stringutils import MAX_EMAIL_ADDRESS_LENGTH


class StoreInviteServlet(Resource):
def __init__(self, syd, require_auth=False):
Expand Down Expand Up @@ -71,6 +73,13 @@ def render_POST(self, request):
"error": "Didn't understand medium '%s'" % (medium,),
}

if not (0 < len(address) <= MAX_EMAIL_ADDRESS_LENGTH):
request.setResponseCode(400)
return {
'errcode': 'M_INVALID_PARAM',
'error': 'Invalid email provided'
}

token = self._randomString(128)

tokenStore = JoinTokenStore(self.sydent)
Expand Down
16 changes: 14 additions & 2 deletions sydent/util/stringutils.py
Original file line number Diff line number Diff line change
Expand Up @@ -18,14 +18,23 @@
from twisted.internet.abstract import isIPAddress, isIPv6Address

# https://matrix.org/docs/spec/client_server/r0.6.0#post-matrix-client-r0-register-email-requesttoken
client_secret_regex = re.compile(r"^[0-9a-zA-Z\.\=\_\-]+$")
CLIENT_SECRET_REGEX = re.compile(r"^[0-9a-zA-Z\.=_\-]+$")

# hostname/domain name
# https://regex101.com/r/OyN1lg/2
hostname_regex = re.compile(
r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
flags=re.IGNORECASE)

# it's unclear what the maximum length of an email address is. RFC3696 (as corrected
# by errata) says:
# the upper limit on address lengths should normally be considered to be 254.
#
# In practice, mail servers appear to be more tolerant and allow 400 characters
# or so. Let's allow 500, which should be plenty for everyone.
#
MAX_EMAIL_ADDRESS_LENGTH = 500


def is_valid_client_secret(client_secret):
"""Validate that a given string matches the client_secret regex defined by the spec
Expand All @@ -36,7 +45,10 @@ def is_valid_client_secret(client_secret):
:return: Whether the client_secret is valid
:rtype: bool
"""
return client_secret_regex.match(client_secret) is not None
return (
0 < len(client_secret) <= 255
and CLIENT_SECRET_REGEX.match(client_secret) is not None
)


def is_valid_hostname(string: str) -> bool:
Expand Down

0 comments on commit 3175fd3

Please sign in to comment.