Change display names/avatar URLs to None if they contain null bytes before storing in DB #11230
Conversation
| @@ -1641,7 +1641,7 @@ def _store_room_members_txn(self, txn, events, backfilled): | |||
| """Store a room member in the database.""" | |||
|
|
|||
| def str_or_none(val: Any) -> Optional[str]: | |||
There was a problem hiding this comment.
I wonder if we should update the name of this now that it does more than ensuring it is a string? 🤷 It's a pretty simple function so not a big deal.
There was a problem hiding this comment.
I updated the name, let me know if you think it's a little clearer.
I did test locally that the function that was changed, |
@DMRobertson: I added a test that I don't think we should permanently add, it's more of a proof-of-concept that the change works. The test is pretty ugly-I couldn't figure out how to get access to the function I was testing so I copied it over. Nevertheless, the test as it is breaks (on postgres only) in the same way as the error message of the issue that is being addressed without the code change, and passes when the change is added. Let me know if you think this is sufficient! |
I had in mind a test that would try to reproduce the issue from the "outside". My (rough!) understanding of the issue is that
The last two bullets are what we're keen to test here. From a bit of reading, it looks like we can call I think the test wants to do something like self.get_success(
self.hs.get_storage().persistence.persist_event(...)
)If I understand right, that should fail before your change and succeed after your change. The test should also confirm that the user's event and avatar are correctly stored to the DB, using e.g. Does that make sense? Being honest, I think the above is probably overkill for a small change like this. (I just like to have a test that proves we've made the right change.) If the above is tricky and just eating up time, we can drop it. |
|
An alternative approach with the testing would be to do it quite a long way from the outside using the test helpers that do the REST requests — I know it's not very unit test-like, but it's useful information to know that the overall request doesn't fail if a user joins a room, sets their name & avatar URL to have null bytes in, and so on. (Thinking about it, that could be a useful addition to Complement since other HS implementations might also get bitten by null bytes.) |
tests/storage/test_roommember.py
Outdated
| # pass event to _store_room_members_txn and verify that it doesn't blow up | ||
| self.get_success( | ||
| self.store.db_pool.runInteraction( | ||
| "store room members", _store_room_members_txn, [event], False |
There was a problem hiding this comment.
| "store room members", _store_room_members_txn, [event], False | |
| "store room members", self.hs.get_storage().persistence.persist_events_store._store_room_members_txn, [event], False |
That one was hard to dig up, but doing this lets you avoid copying the function (so there won't be any chance we forget to copy it into the test if we change/break it in the future)
There was a problem hiding this comment.
I don't know if you really need to test this function explicitly/individually if you properly demonstrate that self.helper.change_membership( (as discussed in another thread) works (assuming it didn't work before!).
There was a problem hiding this comment.
Thanks for showing how to access _store_room_members_txn-even though it seems like it's not necessary to call now-I really scratched my head over how to get access to it so I appreciate being shown the answer!
There was a problem hiding this comment.
Haha, no worries, it took me a little bit of digging too :). Everytime I look in the data storage stuff I find out about a new angle I hadn't seen before.
I think the reason is that the event persistence store is separate from the rest, since it was hoped at once point that it could be split out into a separate database?
There was a problem hiding this comment.
Oh interesting-thanks for pointing that out.
tests/storage/test_roommember.py
Outdated
| bob_event = self.get_success( | ||
| event_injection.inject_member_event( | ||
| self.hs, room, self.u_bob, Membership.JOIN | ||
| ) | ||
| ) | ||
|
|
||
| # Create an event with a null-containing string to pass to _store_room_members_txn | ||
| event, context = self.get_success( | ||
| event_injection.create_event( | ||
| self.hs, | ||
| room_id=room, | ||
| sender=self.u_alice, | ||
| prev_event_ids=[bob_event.event_id], | ||
| type="m.test.1", | ||
| content={"displayname": "bad\u0000null", "membership": Membership.JOIN}, | ||
| ) | ||
| ) |
There was a problem hiding this comment.
I usually prefer to avoid injecting events if you can avoid it (reserve that for when you need invalid events to be persisted for some reason, or to pretend you received one over federation).
Since you have alice's access token and everything, you can use something like
new_profile = {"displayname": "ali\u0000ce"}
self.helper.change_membership(
room, self.u_alice, self.u_alice, "join", extra_data=new_profile, tok=self.t_alice
)
There was a problem hiding this comment.
The call to change_membership does indeed break without the change I made to _store_room_members_txn and passes with the change, so hopefully this is sufficient? Thanks for pointing out the use cases for injecting events, it's helpful to be told these sorts of things :)
There was a problem hiding this comment.
Maybe it would be worth also querying the state of the database and checking that they contain Nones instead of something else.
(It just feels weird to have an assert-less test in some strange way, but it's also worth noting that the behaviour is replacing the name with None rather than e.g. leaving it as it was before, if that makes sense?)
There was a problem hiding this comment.
Totally makes sense, I shall give that a go.
tests/storage/test_roommember.py
Outdated
| res = self.get_success( | ||
| self.store.db_pool.simple_select_onecol( | ||
| "room_memberships", {"user_id": "@alice:test"}, "display_name" | ||
| ) | ||
| ) | ||
| # verify that the display name was alice before change in membership | ||
| self.assertEqual(res[0], "alice") | ||
| # verify that it is now None | ||
| self.assertEqual(res[1], None) |
There was a problem hiding this comment.
Bah, slight problem here is that this is probably fine for tests, but it's relying on the database returning the rows in insertion order.
SQLite secretly maintains a 'rowid' (row ID) per row and stores rows in a B* tree keyed by those, so I can see it returning them in insertion order.
I assume Postgres does something similar — basically, returning them in order of insertion is 'easiest' for this query (it'd be more work to jumble them up) so I reckon this test will work!
(If the database was using an index to retrieve the rows, then it would probably return them in order of that index)
However, nothing guarantees that these databases will do that. I think a notable time that databases will violate this insertion order is if some rows get deleted and the database shuffles things around (e.g. Postgres' VACUUM; SQLite can recycles rowids afaik and SQLite will generate rowids somewhat randomly if you reach the limit).
I was curious about SQLite's VACUUM and in my case it kept the order when vacuuming, seemingly just rewriting rowids, oh well (I was hoping for some rows to be dramatically reordered! :P).
sqlite> create table tab1 (val TEXT);
sqlite> insert into tab1 values ("a"), ("b"), ("c");
sqlite> select rowid, val from tab1;
1|a
2|b
3|c
sqlite> delete from tab1 where val = "b";
sqlite> insert into tab1 values ("d"), ("e"), ("f");
sqlite> select rowid, val from tab1;
1|a
3|c
4|d
5|e
6|f
sqlite> vacuum;
sqlite> select rowid, val from tab1;
1|a
2|c
3|d
4|e
5|fAnyway, excuse the tangent, but this is the kind of thing that has the tendency to bite you in the bum :(.
I think what I'd do here is:
- select from
room_membershipsbefore changing Alice's name- check your preconditions and make a note of the event_id
- update the name
- select from
room_membershipsagain, filtering out the row with the event_id you had before and check your postcondition
Check the expected number of rows at each step to make sure that if we get more rows for some reason, they don't cause confusion in the future when the test breaks and some poor soul has to figure out why :p.
I'd probably use a list comprehension to do the filtering in Python (mostly since doing it in SQL here is a pain and it's not as though it's performance sensitive since it's a test), something like that:
rows = [
row for row in rows if row["event_id"] != first_event_id
]
H-Shay
requested review from
reivilibre
and removed request for
DMRobertson and
squahtx
Synapse 1.48.0 (2021-11-30) =========================== This release removes support for the long-deprecated `trust_identity_server_for_password_resets` configuration flag. This release also fixes some performance issues with some background database updates introduced in Synapse 1.47.0. No significant changes since 1.48.0rc1. Synapse 1.48.0rc1 (2021-11-25) ============================== Features -------- - Experimental support for the thread relation defined in [MSC3440](matrix-org/matrix-spec-proposals#3440). ([\#11161](matrix-org/synapse#11161)) - Support filtering by relation senders & types per [MSC3440](matrix-org/matrix-spec-proposals#3440). ([\#11236](matrix-org/synapse#11236)) - Add support for the `/_matrix/client/v3` and `/_matrix/media/v3` APIs from Matrix v1.1. ([\#11318](matrix-org/synapse#11318), [\#11371](matrix-org/synapse#11371)) - Support the stable version of [MSC2778](matrix-org/matrix-spec-proposals#2778): the `m.login.application_service` login type. Contributed by @tulir. ([\#11335](matrix-org/synapse#11335)) - Add a new version of delete room admin API `DELETE /_synapse/admin/v2/rooms/<room_id>` to run it in the background. Contributed by @dklimpel. ([\#11223](matrix-org/synapse#11223)) - Allow the admin [Delete Room API](https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#delete-room-api) to block a room without the need to join it. ([\#11228](matrix-org/synapse#11228)) - Add an admin API to un-shadow-ban a user. ([\#11347](matrix-org/synapse#11347)) - Add an admin API to run background database schema updates. ([\#11352](matrix-org/synapse#11352)) - Add an admin API for blocking a room. ([\#11324](matrix-org/synapse#11324)) - Update the JWT login type to support custom a `sub` claim. ([\#11361](matrix-org/synapse#11361)) - Store and allow querying of arbitrary event relations. ([\#11391](matrix-org/synapse#11391)) Bugfixes -------- - Fix a long-standing bug wherein display names or avatar URLs containing null bytes cause an internal server error when stored in the DB. ([\#11230](matrix-org/synapse#11230)) - Prevent [MSC2716](matrix-org/matrix-spec-proposals#2716) historical state events from being pushed to an application service via `/transactions`. ([\#11265](matrix-org/synapse#11265)) - Fix a long-standing bug where uploading extremely thin images (e.g. 1000x1) would fail. Contributed by @Neeeflix. ([\#11288](matrix-org/synapse#11288)) - Fix a bug, introduced in Synapse 1.46.0, which caused the `check_3pid_auth` and `on_logged_out` callbacks in legacy password authentication provider modules to not be registered. Modules using the generic module interface were not affected. ([\#11340](matrix-org/synapse#11340)) - Fix a bug introduced in 1.41.0 where space hierarchy responses would be incorrectly reused if multiple users were to make the same request at the same time. ([\#11355](matrix-org/synapse#11355)) - Fix a bug introduced in 1.45.0 where the `read_templates` method of the module API would error. ([\#11377](matrix-org/synapse#11377)) - Fix an issue introduced in 1.47.0 which prevented servers re-joining rooms they had previously left, if their signing keys were replaced. ([\#11379](matrix-org/synapse#11379)) - Fix a bug introduced in 1.13.0 where creating and publishing a room could cause errors if `room_list_publication_rules` is configured. ([\#11392](matrix-org/synapse#11392)) - Improve performance of various background database updates. ([\#11421](matrix-org/synapse#11421), [\#11422](matrix-org/synapse#11422)) Improved Documentation ---------------------- - Suggest users of the Debian packages add configuration to `/etc/matrix-synapse/conf.d/` to prevent, upon upgrade, being asked to choose between their configuration and the maintainer's. ([\#11281](matrix-org/synapse#11281)) - Fix typos in the documentation for the `username_available` admin API. Contributed by Stanislav Motylkov. ([\#11286](matrix-org/synapse#11286)) - Add Single Sign-On, SAML and CAS pages to the documentation. ([\#11298](matrix-org/synapse#11298)) - Change the word 'Home server' as one word 'homeserver' in documentation. ([\#11320](matrix-org/synapse#11320)) - Fix missing quotes for wildcard domains in `federation_certificate_verification_whitelist`. ([\#11381](matrix-org/synapse#11381)) Deprecations and Removals ------------------------- - Remove deprecated `trust_identity_server_for_password_resets` configuration flag. ([\#11333](matrix-org/synapse#11333), [\#11395](matrix-org/synapse#11395)) Internal Changes ---------------- - Add type annotations to `synapse.metrics`. ([\#10847](matrix-org/synapse#10847)) - Split out federated PDU retrieval function into a non-cached version. ([\#11242](matrix-org/synapse#11242)) - Clean up code relating to to-device messages and sending ephemeral events to application services. ([\#11247](matrix-org/synapse#11247)) - Fix a small typo in the error response when a relation type other than 'm.annotation' is passed to `GET /rooms/{room_id}/aggregations/{event_id}`. ([\#11278](matrix-org/synapse#11278)) - Drop unused database tables `room_stats_historical` and `user_stats_historical`. ([\#11280](matrix-org/synapse#11280)) - Require all files in synapse/ and tests/ to pass mypy unless specifically excluded. ([\#11282](matrix-org/synapse#11282), [\#11285](matrix-org/synapse#11285), [\#11359](matrix-org/synapse#11359)) - Add missing type hints to `synapse.app`. ([\#11287](matrix-org/synapse#11287)) - Remove unused parameters on `FederationEventHandler._check_event_auth`. ([\#11292](matrix-org/synapse#11292)) - Add type hints to `synapse._scripts`. ([\#11297](matrix-org/synapse#11297)) - Fix an issue which prevented the `remove_deleted_devices_from_device_inbox` background database schema update from running when updating from a recent Synapse version. ([\#11303](matrix-org/synapse#11303)) - Add type hints to storage classes. ([\#11307](matrix-org/synapse#11307), [\#11310](matrix-org/synapse#11310), [\#11311](matrix-org/synapse#11311), [\#11312](matrix-org/synapse#11312), [\#11313](matrix-org/synapse#11313), [\#11314](matrix-org/synapse#11314), [\#11316](matrix-org/synapse#11316), [\#11322](matrix-org/synapse#11322), [\#11332](matrix-org/synapse#11332), [\#11339](matrix-org/synapse#11339), [\#11342](matrix-org/synapse#11342)) - Add type hints to `synapse.util`. ([\#11321](matrix-org/synapse#11321), [\#11328](matrix-org/synapse#11328)) - Improve type annotations in Synapse's test suite. ([\#11323](matrix-org/synapse#11323), [\#11330](matrix-org/synapse#11330)) - Test that room alias deletion works as intended. ([\#11327](matrix-org/synapse#11327)) - Add type annotations for some methods and properties in the module API. ([\#11341](matrix-org/synapse#11341)) - Fix running `scripts-dev/complement.sh`, which was broken in v1.47.0rc1. ([\#11368](matrix-org/synapse#11368)) - Rename internal functions for token generation to better reflect what they do. ([\#11369](matrix-org/synapse#11369), [\#11370](matrix-org/synapse#11370)) - Add type hints to configuration classes. ([\#11377](matrix-org/synapse#11377)) - Publish a `develop` image to Docker Hub. ([\#11380](matrix-org/synapse#11380)) - Keep fallback key marked as used if it's re-uploaded. ([\#11382](matrix-org/synapse#11382)) - Use `auto_attribs` on the `attrs` class `RefreshTokenLookupResult`. ([\#11386](matrix-org/synapse#11386)) - Rename unstable `access_token_lifetime` configuration option to `refreshable_access_token_lifetime` to make it clear it only concerns refreshable access tokens. ([\#11388](matrix-org/synapse#11388)) - Do not run the broken MSC2716 tests when running `scripts-dev/complement.sh`. ([\#11389](matrix-org/synapse#11389)) - Remove dead code from supporting ACME. ([\#11393](matrix-org/synapse#11393)) - Refactor including the bundled relations when serializing an event. ([\#11408](matrix-org/synapse#11408))
Synapse 1.48.0 (2021-11-30) =========================== This release removes support for the long-deprecated `trust_identity_server_for_password_resets` configuration flag. This release also fixes some performance issues with some background database updates introduced in Synapse 1.47.0. No significant changes since 1.48.0rc1. Synapse 1.48.0rc1 (2021-11-25) ============================== Features -------- - Experimental support for the thread relation defined in [MSC3440](matrix-org/matrix-spec-proposals#3440). ([\matrix-org#11161](matrix-org#11161)) - Support filtering by relation senders & types per [MSC3440](matrix-org/matrix-spec-proposals#3440). ([\matrix-org#11236](matrix-org#11236)) - Add support for the `/_matrix/client/v3` and `/_matrix/media/v3` APIs from Matrix v1.1. ([\matrix-org#11318](matrix-org#11318), [\matrix-org#11371](matrix-org#11371)) - Support the stable version of [MSC2778](matrix-org/matrix-spec-proposals#2778): the `m.login.application_service` login type. Contributed by @tulir. ([\matrix-org#11335](matrix-org#11335)) - Add a new version of delete room admin API `DELETE /_synapse/admin/v2/rooms/<room_id>` to run it in the background. Contributed by @dklimpel. ([\matrix-org#11223](matrix-org#11223)) - Allow the admin [Delete Room API](https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#delete-room-api) to block a room without the need to join it. ([\matrix-org#11228](matrix-org#11228)) - Add an admin API to un-shadow-ban a user. ([\matrix-org#11347](matrix-org#11347)) - Add an admin API to run background database schema updates. ([\matrix-org#11352](matrix-org#11352)) - Add an admin API for blocking a room. ([\matrix-org#11324](matrix-org#11324)) - Update the JWT login type to support custom a `sub` claim. ([\matrix-org#11361](matrix-org#11361)) - Store and allow querying of arbitrary event relations. ([\matrix-org#11391](matrix-org#11391)) Bugfixes -------- - Fix a long-standing bug wherein display names or avatar URLs containing null bytes cause an internal server error when stored in the DB. ([\matrix-org#11230](matrix-org#11230)) - Prevent [MSC2716](matrix-org/matrix-spec-proposals#2716) historical state events from being pushed to an application service via `/transactions`. ([\matrix-org#11265](matrix-org#11265)) - Fix a long-standing bug where uploading extremely thin images (e.g. 1000x1) would fail. Contributed by @Neeeflix. ([\matrix-org#11288](matrix-org#11288)) - Fix a bug, introduced in Synapse 1.46.0, which caused the `check_3pid_auth` and `on_logged_out` callbacks in legacy password authentication provider modules to not be registered. Modules using the generic module interface were not affected. ([\matrix-org#11340](matrix-org#11340)) - Fix a bug introduced in 1.41.0 where space hierarchy responses would be incorrectly reused if multiple users were to make the same request at the same time. ([\matrix-org#11355](matrix-org#11355)) - Fix a bug introduced in 1.45.0 where the `read_templates` method of the module API would error. ([\matrix-org#11377](matrix-org#11377)) - Fix an issue introduced in 1.47.0 which prevented servers re-joining rooms they had previously left, if their signing keys were replaced. ([\matrix-org#11379](matrix-org#11379)) - Fix a bug introduced in 1.13.0 where creating and publishing a room could cause errors if `room_list_publication_rules` is configured. ([\matrix-org#11392](matrix-org#11392)) - Improve performance of various background database updates. ([\matrix-org#11421](matrix-org#11421), [\matrix-org#11422](matrix-org#11422)) Improved Documentation ---------------------- - Suggest users of the Debian packages add configuration to `/etc/matrix-synapse/conf.d/` to prevent, upon upgrade, being asked to choose between their configuration and the maintainer's. ([\matrix-org#11281](matrix-org#11281)) - Fix typos in the documentation for the `username_available` admin API. Contributed by Stanislav Motylkov. ([\matrix-org#11286](matrix-org#11286)) - Add Single Sign-On, SAML and CAS pages to the documentation. ([\matrix-org#11298](matrix-org#11298)) - Change the word 'Home server' as one word 'homeserver' in documentation. ([\matrix-org#11320](matrix-org#11320)) - Fix missing quotes for wildcard domains in `federation_certificate_verification_whitelist`. ([\matrix-org#11381](matrix-org#11381)) Deprecations and Removals ------------------------- - Remove deprecated `trust_identity_server_for_password_resets` configuration flag. ([\matrix-org#11333](matrix-org#11333), [\matrix-org#11395](matrix-org#11395)) Internal Changes ---------------- - Add type annotations to `synapse.metrics`. ([\matrix-org#10847](matrix-org#10847)) - Split out federated PDU retrieval function into a non-cached version. ([\matrix-org#11242](matrix-org#11242)) - Clean up code relating to to-device messages and sending ephemeral events to application services. ([\matrix-org#11247](matrix-org#11247)) - Fix a small typo in the error response when a relation type other than 'm.annotation' is passed to `GET /rooms/{room_id}/aggregations/{event_id}`. ([\matrix-org#11278](matrix-org#11278)) - Drop unused database tables `room_stats_historical` and `user_stats_historical`. ([\matrix-org#11280](matrix-org#11280)) - Require all files in synapse/ and tests/ to pass mypy unless specifically excluded. ([\matrix-org#11282](matrix-org#11282), [\matrix-org#11285](matrix-org#11285), [\matrix-org#11359](matrix-org#11359)) - Add missing type hints to `synapse.app`. ([\matrix-org#11287](matrix-org#11287)) - Remove unused parameters on `FederationEventHandler._check_event_auth`. ([\matrix-org#11292](matrix-org#11292)) - Add type hints to `synapse._scripts`. ([\matrix-org#11297](matrix-org#11297)) - Fix an issue which prevented the `remove_deleted_devices_from_device_inbox` background database schema update from running when updating from a recent Synapse version. ([\matrix-org#11303](matrix-org#11303)) - Add type hints to storage classes. ([\matrix-org#11307](matrix-org#11307), [\matrix-org#11310](matrix-org#11310), [\matrix-org#11311](matrix-org#11311), [\matrix-org#11312](matrix-org#11312), [\matrix-org#11313](matrix-org#11313), [\matrix-org#11314](matrix-org#11314), [\matrix-org#11316](matrix-org#11316), [\matrix-org#11322](matrix-org#11322), [\matrix-org#11332](matrix-org#11332), [\matrix-org#11339](matrix-org#11339), [\matrix-org#11342](matrix-org#11342)) - Add type hints to `synapse.util`. ([\matrix-org#11321](matrix-org#11321), [\matrix-org#11328](matrix-org#11328)) - Improve type annotations in Synapse's test suite. ([\matrix-org#11323](matrix-org#11323), [\matrix-org#11330](matrix-org#11330)) - Test that room alias deletion works as intended. ([\matrix-org#11327](matrix-org#11327)) - Add type annotations for some methods and properties in the module API. ([\matrix-org#11341](matrix-org#11341)) - Fix running `scripts-dev/complement.sh`, which was broken in v1.47.0rc1. ([\matrix-org#11368](matrix-org#11368)) - Rename internal functions for token generation to better reflect what they do. ([\matrix-org#11369](matrix-org#11369), [\matrix-org#11370](matrix-org#11370)) - Add type hints to configuration classes. ([\matrix-org#11377](matrix-org#11377)) - Publish a `develop` image to Docker Hub. ([\matrix-org#11380](matrix-org#11380)) - Keep fallback key marked as used if it's re-uploaded. ([\matrix-org#11382](matrix-org#11382)) - Use `auto_attribs` on the `attrs` class `RefreshTokenLookupResult`. ([\matrix-org#11386](matrix-org#11386)) - Rename unstable `access_token_lifetime` configuration option to `refreshable_access_token_lifetime` to make it clear it only concerns refreshable access tokens. ([\matrix-org#11388](matrix-org#11388)) - Do not run the broken MSC2716 tests when running `scripts-dev/complement.sh`. ([\matrix-org#11389](matrix-org#11389)) - Remove dead code from supporting ACME. ([\matrix-org#11393](matrix-org#11393)) - Refactor including the bundled relations when serializing an event. ([\matrix-org#11408](matrix-org#11408))
Hopefully fixes #10886, the change seems quite simple but I could be missing something here!