summary refs log tree commit diff
path: root/tests/rest
diff options
context:
space:
mode:
authorPatrick Cloke <clokep@users.noreply.github.com>2023-09-08 08:57:56 -0400
committerGitHub <noreply@github.com>2023-09-08 08:57:56 -0400
commit69b74d9330e42fc91a9c7423d00a06cd6d3732bf (patch)
tree7140c417741cea23e32ac1ac6cd05d907bbf60b4 /tests/rest
parentRaise setuptools_rust version cap to 1.7.0 (#16277) (diff)
downloadsynapse-69b74d9330e42fc91a9c7423d00a06cd6d3732bf.tar.xz
Avoid temporary storage of sensitive information. (#16272)
During the UI auth process, avoid storing sensitive information
into the database.
Diffstat (limited to 'tests/rest')
-rw-r--r--tests/rest/client/test_account.py13
1 files changed, 13 insertions, 0 deletions
diff --git a/tests/rest/client/test_account.py b/tests/rest/client/test_account.py
index e9f495e206..4a0eca5b30 100644
--- a/tests/rest/client/test_account.py
+++ b/tests/rest/client/test_account.py
@@ -31,6 +31,7 @@ from synapse.rest import admin
 from synapse.rest.client import account, login, register, room
 from synapse.rest.synapse.client.password_reset import PasswordResetSubmitTokenResource
 from synapse.server import HomeServer
+from synapse.storage._base import db_to_json
 from synapse.types import JsonDict, UserID
 from synapse.util import Clock
 
@@ -134,6 +135,18 @@ class PasswordResetTestCase(unittest.HomeserverTestCase):
         # Assert we can't log in with the old password
         self.attempt_wrong_password_login("kermit", old_password)
 
+        # Check that the UI Auth information doesn't store the password in the database.
+        #
+        # Note that we don't have the UI Auth session ID, so just pull out the single
+        # row.
+        ui_auth_data = self.get_success(
+            self.store.db_pool.simple_select_one(
+                "ui_auth_sessions", keyvalues={}, retcols=("clientdict",)
+            )
+        )
+        client_dict = db_to_json(ui_auth_data["clientdict"])
+        self.assertNotIn("new_password", client_dict)
+
     @override_config({"rc_3pid_validation": {"burst_count": 3}})
     def test_ratelimit_by_email(self) -> None:
         """Test that we ratelimit /requestToken for the same email."""