Sanity check identity server passed to bind/unbind. (#9802)

Signed-off-by: Denis Kasak <dkasak@termina.org.uk>
author: Denis Kasak <dkasak@termina.org.uk> 2021-04-19 16:21:46 +0000
committer: GitHub <noreply@github.com> 2021-04-19 17:21:46 +0100
commit: e694a598f8c948ad177e897c5bedaa71a47add29 (patch)
tree: 11a5ff900666d5aa77258ced554a20cb129975f3 /synapse/handlers
parent: Don't send normal presence updates over federation replication stream (#9828) (diff)
download: synapse-e694a598f8c948ad177e897c5bedaa71a47add29.tar.xz
1 files changed, 26 insertions, 3 deletions
diff --git a/synapse/handlers/identity.py b/synapse/handlers/identity.py
index 87a8b89237..0b3b1fadb5 100644
--- a/synapse/handlers/identity.py
+++ b/synapse/handlers/identity.py
@@ -15,7 +15,6 @@
 # limitations under the License.
 
 """Utilities for interacting with Identity Servers"""
-
 import logging
 import urllib.parse
 from typing import Awaitable, Callable, Dict, List, Optional, Tuple
@@ -34,7 +33,11 @@ from synapse.http.site import SynapseRequest
 from synapse.types import JsonDict, Requester
 from synapse.util import json_decoder
 from synapse.util.hash import sha256_and_url_safe_base64
-from synapse.util.stringutils import assert_valid_client_secret, random_string
+from synapse.util.stringutils import (
+    assert_valid_client_secret,
+    random_string,
+    valid_id_server_location,
+)
 
 from ._base import BaseHandler
 
@@ -172,6 +175,11 @@ class IdentityHandler(BaseHandler):
                 server with, if necessary. Required if use_v2 is true
             use_v2: Whether to use v2 Identity Service API endpoints. Defaults to True
 
+        Raises:
+            SynapseError: On any of the following conditions
+                - the supplied id_server is not a valid identity server name
+                - we failed to contact the supplied identity server
+
         Returns:
             The response from the identity server
         """
@@ -181,6 +189,12 @@ class IdentityHandler(BaseHandler):
         if id_access_token is None:
             use_v2 = False
 
+        if not valid_id_server_location(id_server):
+            raise SynapseError(
+                400,
+                "id_server must be a valid hostname with optional port and path components",
+            )
+
         # Decide which API endpoint URLs to use
         headers = {}
         bind_data = {"sid": sid, "client_secret": client_secret, "mxid": mxid}
@@ -269,12 +283,21 @@ class IdentityHandler(BaseHandler):
             id_server: Identity server to unbind from
 
         Raises:
-            SynapseError: If we failed to contact the identity server
+            SynapseError: On any of the following conditions
+                - the supplied id_server is not a valid identity server name
+                - we failed to contact the supplied identity server
 
         Returns:
             True on success, otherwise False if the identity
             server doesn't support unbinding
         """
+
+        if not valid_id_server_location(id_server):
+            raise SynapseError(
+                400,
+                "id_server must be a valid hostname with optional port and path components",
+            )
+
         url = "https://%s/_matrix/identity/api/v1/3pid/unbind" % (id_server,)
         url_bytes = "/_matrix/identity/api/v1/3pid/unbind".encode("ascii")
author	Denis Kasak <dkasak@termina.org.uk>	2021-04-19 16:21:46 +0000
committer	GitHub <noreply@github.com>	2021-04-19 17:21:46 +0100
commit	e694a598f8c948ad177e897c5bedaa71a47add29 (patch)
tree	11a5ff900666d5aa77258ced554a20cb129975f3 /synapse/handlers
parent	Don't send normal presence updates over federation replication stream (#9828) (diff)
download	synapse-e694a598f8c948ad177e897c5bedaa71a47add29.tar.xz