/createRoom: "ValueError: A string literal cannot contain NUL (0x00) characters." when \u0000 is sent in "room_alias_name"

[MTRNord]

Description

/_matrix/client/v3/createRoom is crashing with an internal server error when it contains NUL characters.

The request (minimal working example) was made with this content:

{"name":"a","room_alias_name":"\u0000","visibility":"public","is_direct":false,"topic":"null_in_room"}

This does not seem to actually break anything apart from the crash error and {"errcode":"M_UNKNOWN","error":"Internal server error"} as the response.

Steps to reproduce

• Send a request to /_matrix/client/v3/createRoom with {"name":"a","room_alias_name":"\u0000","visibility":"public","is_direct":false,"topic":"null_in_room"} as the content
• Watch logs to see it crash

Homeserver

localhost

Synapse Version

{"server_version":"1.64.0","python_version":"3.9.13"}

Installation Method

Docker (matrixdotorg/synapse)

Platform

Kubernetes with official docker image and redis and postgres

Relevant log output

2022-08-11 20:56:19,456 - synapse.http.server - 183 - ERROR - POST-2334- Failed handle request via 'RoomCreateRestServlet': <XForwardedForRequest at 0x7f540e6e3fa0 method='POST' uri='/_matrix/client/r0/createRoom' clientproto='HTTP/1.1' site='8008'>
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/synapse/http/server.py", line 366, in _async_render_wrapper
    callback_return = await self._async_render(request)
  File "/usr/local/lib/python3.9/site-packages/synapse/http/server.py", line 572, in _async_render
    callback_return = await raw_callback_return
  File "/usr/local/lib/python3.9/site-packages/synapse/rest/client/room.py", line 91, in on_POST
    info, _ = await self._room_creation_handler.create_room(
  File "/usr/local/lib/python3.9/site-packages/synapse/handlers/room.py", line 785, in create_room
    mapping = await self.store.get_association_from_room_alias(room_alias)
  File "/usr/local/lib/python3.9/site-packages/synapse/storage/databases/main/directory.py", line 45, in get_association_from_room_alias
    room_id = await self.db_pool.simple_select_one_onecol(
  File "/usr/local/lib/python3.9/site-packages/synapse/storage/database.py", line 1614, in simple_select_one_onecol
    return await self.runInteraction(
  File "/usr/local/lib/python3.9/site-packages/synapse/storage/database.py", line 882, in runInteraction
    return await delay_cancellation(_runInteraction())
  File "/usr/local/lib/python3.9/site-packages/twisted/internet/defer.py", line 1656, in _inlineCallbacks
    result = current_context.run(
  File "/usr/local/lib/python3.9/site-packages/twisted/python/failure.py", line 514, in throwExceptionIntoGenerator
    return g.throw(self.type, self.value, self.tb)
  File "/usr/local/lib/python3.9/site-packages/synapse/storage/database.py", line 849, in _runInteraction
    result = await self.runWithConnection(
  File "/usr/local/lib/python3.9/site-packages/synapse/storage/database.py", line 977, in runWithConnection
    return await make_deferred_yieldable(
  File "/usr/local/lib/python3.9/site-packages/twisted/python/threadpool.py", line 244, in inContext
    result = inContext.theWork()  # type: ignore[attr-defined]
  File "/usr/local/lib/python3.9/site-packages/twisted/python/threadpool.py", line 260, in <lambda>
    inContext.theWork = lambda: context.call(  # type: ignore[attr-defined]
  File "/usr/local/lib/python3.9/site-packages/twisted/python/context.py", line 117, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/local/lib/python3.9/site-packages/twisted/python/context.py", line 82, in callWithContext
    return func(*args, **kw)
  File "/usr/local/lib/python3.9/site-packages/twisted/enterprise/adbapi.py", line 282, in _runWithConnection
    result = func(conn, *args, **kw)
  File "/usr/local/lib/python3.9/site-packages/synapse/storage/database.py", line 970, in inner_func
    return func(db_conn, *args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/synapse/storage/database.py", line 711, in new_transaction
    r = func(cursor, *args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/synapse/storage/database.py", line 1657, in simple_select_one_onecol_txn
    ret = cls.simple_select_onecol_txn(
  File "/usr/local/lib/python3.9/site-packages/synapse/storage/database.py", line 1680, in simple_select_onecol_txn
    txn.execute(sql, list(keyvalues.values()))
  File "/usr/local/lib/python3.9/site-packages/synapse/storage/database.py", line 389, in execute
    self._do_execute(self.txn.execute, sql, *args)
  File "/usr/local/lib/python3.9/site-packages/synapse/storage/database.py", line 432, in _do_execute
    return func(sql, *args, **kwargs)
ValueError: A string literal cannot contain NUL (0x00) characters.

Anything else that would be useful to know?

No response

[MTRNord]

Additionally it seems to only be happening with that key. All others do not cause the crash

[DMRobertson]

We should catch this at the rest level and return 400,

[DMRobertson]

Similar to e.g. #10886 and #9341 and probably others.

[MTRNord]

Hi :)

I might want to work on this as I am fuzzing again and its easier to fix the issue than to fix the fuzzer :D

I am wondering: What is the best error json for this? Would {"errorcode": "M_UNKNOWN", "error": "NUL characters not supported"} be sufficient for this?

[DMRobertson]

I would suggest

• M_INVALID_PARAM
• explicitly specifying where the null codepoint originates from, i.e. which request field.