Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Limit device_id size to 512B #12454

Merged
merged 10 commits into from
Apr 13, 2022
Merged

Limit device_id size to 512B #12454

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
89b3530
limit size of device_id
H-Shay Apr 4, 2022
0cd4345
test that a login with an overly large device_id will fail
H-Shay Apr 4, 2022
7edd012
device id -> device_id
H-Shay Apr 11, 2022
b724259
newsfragement
H-Shay Apr 11, 2022
06df247
change limit to 512B
H-Shay Apr 12, 2022
6c8e1c8
update comment
H-Shay Apr 12, 2022
8a0cc99
fix changelog number
H-Shay Apr 12, 2022
c463789
limit by charaters vs size
H-Shay Apr 12, 2022
c2bdd73
lints
H-Shay Apr 12, 2022
6960ca0
requested changes
H-Shay Apr 13, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/12454.misc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Limit length of device_id to less than 512 characters.
9 changes: 9 additions & 0 deletions synapse/rest/client/login.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -342,6 +342,15 @@ async def _complete_login(
user_id = canonical_uid

device_id = login_submission.get("device_id")

# If device_id is present, check that device_id is not longer than a reasonable 512 characters
if device_id and len(device_id) > 512:
raise LoginError(
400,
"device_id cannot be longer than 512 characters.",
errcode=Codes.INVALID_PARAM,
)

initial_display_name = login_submission.get("initial_device_display_name")
(
device_id,
Expand Down
27 changes: 26 additions & 1 deletion tests/rest/client/test_login.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import json
import time
import urllib.parse
from typing import Any, Dict, List, Optional, Union
Expand Down Expand Up @@ -384,6 +384,31 @@ def test_session_can_hard_logout_all_sessions_after_being_soft_logged_out(
channel = self.make_request(b"POST", "/logout/all", access_token=access_token)
self.assertEqual(channel.result["code"], b"200", channel.result)

def test_login_with_overly_long_device_id_fails(self) -> None:
self.register_user("mickey", "cheese")

# create a device_id longer than 512 characters
device_id = "yolo" * 512

body = {
"type": "m.login.password",
"user": "mickey",
"password": "cheese",
"device_id": device_id,
}

# make a login request with the bad device_id
channel = self.make_request(
"POST",
"/_matrix/client/v3/login",
json.dumps(body).encode("utf8"),
custom_headers=None,
)

# test that the login fails with the correct error code
self.assertEqual(channel.code, 400)
self.assertEqual(channel.json_body["errcode"], "M_INVALID_PARAM")


@skip_unless(has_saml2 and HAS_OIDC, "Requires SAML2 and OIDC")
class MultiSSOTestCase(unittest.HomeserverTestCase):
Expand Down