Limit `device_id` size to 512B (#12454)

*
This commit is contained in:
Shay 2022-04-13 10:04:01 -07:00 committed by GitHub
parent 0922462fc7
commit 8e2759f2d8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 36 additions and 1 deletions

1
changelog.d/12454.misc Normal file
View File

@ -0,0 +1 @@
Limit length of device_id to less than 512 characters.

View File

@ -342,6 +342,15 @@ class LoginRestServlet(RestServlet):
user_id = canonical_uid user_id = canonical_uid
device_id = login_submission.get("device_id") device_id = login_submission.get("device_id")
# If device_id is present, check that device_id is not longer than a reasonable 512 characters
if device_id and len(device_id) > 512:
raise LoginError(
400,
"device_id cannot be longer than 512 characters.",
errcode=Codes.INVALID_PARAM,
)
initial_display_name = login_submission.get("initial_device_display_name") initial_display_name = login_submission.get("initial_device_display_name")
( (
device_id, device_id,

View File

@ -11,7 +11,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
import json
import time import time
import urllib.parse import urllib.parse
from typing import Any, Dict, List, Optional, Union from typing import Any, Dict, List, Optional, Union
@ -384,6 +384,31 @@ class LoginRestServletTestCase(unittest.HomeserverTestCase):
channel = self.make_request(b"POST", "/logout/all", access_token=access_token) channel = self.make_request(b"POST", "/logout/all", access_token=access_token)
self.assertEqual(channel.result["code"], b"200", channel.result) self.assertEqual(channel.result["code"], b"200", channel.result)
def test_login_with_overly_long_device_id_fails(self) -> None:
self.register_user("mickey", "cheese")
# create a device_id longer than 512 characters
device_id = "yolo" * 512
body = {
"type": "m.login.password",
"user": "mickey",
"password": "cheese",
"device_id": device_id,
}
# make a login request with the bad device_id
channel = self.make_request(
"POST",
"/_matrix/client/v3/login",
json.dumps(body).encode("utf8"),
custom_headers=None,
)
# test that the login fails with the correct error code
self.assertEqual(channel.code, 400)
self.assertEqual(channel.json_body["errcode"], "M_INVALID_PARAM")
@skip_unless(has_saml2 and HAS_OIDC, "Requires SAML2 and OIDC") @skip_unless(has_saml2 and HAS_OIDC, "Requires SAML2 and OIDC")
class MultiSSOTestCase(unittest.HomeserverTestCase): class MultiSSOTestCase(unittest.HomeserverTestCase):