Skip to content

Validate the body of requests to /keys/upload #17097

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 19 commits into from
Oct 7, 2025
Merged

Validate the body of requests to /keys/upload #17097

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
3c0c30a
Ensure that uploaded keys are dicts
S7evinK Apr 16, 2024
67d516d
Run the linters again after changing the file
S7evinK Apr 16, 2024
9d2cd9f
Add newsfile
S7evinK Apr 16, 2024
f4c17c5
Merge branch 'develop' of github.com:element-hq/synapse into s7evink/…
S7evinK Sep 16, 2024
75a45e9
Merge branch 'develop' of github.com:element-hq/synapse into s7evink/…
S7evinK Oct 1, 2024
9c2d8fd
Merge branch 'develop' of github.com:element-hq/synapse into s7evink/…
S7evinK Nov 22, 2024
9385361
Ensure that uploaded keys are dicts
S7evinK Nov 22, 2024
34d6eba
Merge branch 'develop' of github.com:element-hq/synapse into HEAD
anoadragon453 Sep 18, 2025
b61527b
Validate requests to `/keys/upload` with pydantic
anoadragon453 Sep 30, 2025
0d4a081
Remove redundant validation
anoadragon453 Sep 30, 2025
ca0c87c
Move validation from the handler to the servlet
anoadragon453 Sep 30, 2025
88bc4bb
Add a regression unit test
anoadragon453 Sep 30, 2025
0eaf28f
Add further validation of key property format
anoadragon453 Sep 30, 2025
a0c6243
Merge branch 'develop' of github.com:element-hq/synapse into HEAD
anoadragon453 Oct 1, 2025
29fe51b
Use `body` directly for this endpoint
anoadragon453 Oct 1, 2025
fc4e3f3
Extend unit tests to cover new user_id, device_id validation
anoadragon453 Oct 1, 2025
ee9768c
Only validate device_keys fields when device keys are provided
anoadragon453 Oct 1, 2025
95900ef
Use `.keys()`
anoadragon453 Oct 7, 2025
b2b86cd
Fix "special" double-quotes
anoadragon453 Oct 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/17097.misc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Extend validation of uploaded device keys.
31 changes: 23 additions & 8 deletions synapse/handlers/e2e_keys.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,6 @@

logger = logging.getLogger(__name__)


ONE_TIME_KEY_UPLOAD = "one_time_key_upload_lock"


Expand Down Expand Up @@ -821,15 +820,29 @@ async def upload_keys_for_user(

# TODO: Validate the JSON to make sure it has the right keys.
device_keys = keys.get("device_keys", None)
if device_keys:
await self.device_key_uploader(
user_id=user_id,
device_id=device_id,
keys={"device_keys": device_keys},
)
if device_keys and isinstance(device_keys, dict):
# Validate that user_id and device_id match the requesting user
if (
device_keys["user_id"] == user_id
and device_keys["device_id"] == device_id
):
await self.device_key_uploader(
user_id=user_id,
device_id=device_id,
keys={"device_keys": device_keys},
)
else:
log_kv(
{
"message": "Not updating device_keys for user, user_id or device_id mismatch",
"user_id": user_id,
}
)
else:
log_kv({"message": "Did not update device_keys", "reason": "not a dict"})

one_time_keys = keys.get("one_time_keys", None)
if one_time_keys:
if one_time_keys and isinstance(one_time_keys, dict):
log_kv(
{
"message": "Updating one_time_keys for device.",
Expand All @@ -840,6 +853,8 @@ async def upload_keys_for_user(
await self._upload_one_time_keys_for_user(
user_id, device_id, time_now, one_time_keys
)
elif one_time_keys:
log_kv({"message": "Did not update device_keys", "reason": "not a dict"})
else:
log_kv(
{"message": "Did not update one_time_keys", "reason": "no keys given"}
Expand Down
Loading