Avoid temporary storage of sensitive information. (#16272)

During the UI auth process, avoid storing sensitive information into the database.

Avoid temporary storage of sensitive information. (#16272)
69b74d93 · Patrick Cloke · GitHub · 583d5963 · 69b74d93 · 69b74d93
Unverified Commit 69b74d93 authored 1 year ago by Patrick Cloke Committed by GitHub 1 year ago
--- a/changelog.d/16272.bugfix
+++ b/changelog.d/16272.bugfix
+Avoid temporary storage of sensitive information.
--- a/synapse/rest/client/account.py
+++ b/synapse/rest/client/account.py
@@ -186,7 +186,7 @@ class PasswordRestServlet(RestServlet):
                params, session_id = await self.auth_handler.validate_user_via_ui_auth(
                    requester,
                    request,
-                    body.dict(exclude_unset=True),
+                    body.dict(exclude_unset=True, exclude={"new_password"}),
                    "modify your account password",
                )
                user_id = requester.user.to_string()
@@ -194,7 +194,7 @@ class PasswordRestServlet(RestServlet):
                result, params, session_id = await self.auth_handler.check_ui_auth(
                    [[LoginType.EMAIL_IDENTITY]],
                    request,
-                    body.dict(exclude_unset=True),
+                    body.dict(exclude_unset=True, exclude={"new_password"}),
                    "modify your account password",
                )

--- a/tests/rest/client/test_account.py
+++ b/tests/rest/client/test_account.py
@@ -31,6 +31,7 @@ from synapse.rest import admin
 from synapse.rest.client import account, login, register, room
 from synapse.rest.synapse.client.password_reset import PasswordResetSubmitTokenResource
 from synapse.server import HomeServer
+from synapse.storage._base import db_to_json
 from synapse.types import JsonDict, UserID
 from synapse.util import Clock
@@ -134,6 +135,18 @@ class PasswordResetTestCase(unittest.HomeserverTestCase):
        # Assert we can't log in with the old password
        self.attempt_wrong_password_login("kermit", old_password)
+        # Check that the UI Auth information doesn't store the password in the database.
+        #
+        # Note that we don't have the UI Auth session ID, so just pull out the single
+        # row.
+        ui_auth_data = self.get_success(
+            self.store.db_pool.simple_select_one(
+                "ui_auth_sessions", keyvalues={}, retcols=("clientdict",)
+            )
+        )
+        client_dict = db_to_json(ui_auth_data["clientdict"])
+        self.assertNotIn("new_password", client_dict)
    @override_config({"rc_3pid_validation": {"burst_count": 3}})
    def test_ratelimit_by_email(self) -> None:
        """Test that we ratelimit /requestToken for the same email."""