From ea26eee61966916707e216b0db26f21812c63131 Mon Sep 17 00:00:00 2001 From: David Robertson Date: Fri, 16 Sep 2022 18:05:28 +0100 Subject: [PATCH 1/3] Validation for `/add_threepid/msisdn/submit_token` --- synapse/rest/client/account.py | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/synapse/rest/client/account.py b/synapse/rest/client/account.py index 2db2a04f95df..9af8dbda1509 100644 --- a/synapse/rest/client/account.py +++ b/synapse/rest/client/account.py @@ -534,6 +534,11 @@ class AddThreepidMsisdnSubmitTokenServlet(RestServlet): "/add_threepid/msisdn/submit_token$", releases=(), unstable=True ) + class PostBody(RequestBodyModel): + client_secret: ClientSecretStr + sid: StrictStr + token: StrictStr + def __init__(self, hs: "HomeServer"): super().__init__() self.config = hs.config @@ -549,16 +554,14 @@ async def on_POST(self, request: Request) -> Tuple[int, JsonDict]: "instead.", ) - body = parse_json_object_from_request(request) - assert_params_in_dict(body, ["client_secret", "sid", "token"]) - assert_valid_client_secret(body["client_secret"]) + body = parse_and_validate_json_object_from_request(request, self.PostBody) # Proxy submit_token request to msisdn threepid delegate response = await self.identity_handler.proxy_msisdn_submit_token( self.config.registration.account_threepid_delegate_msisdn, - body["client_secret"], - body["sid"], - body["token"], + body.client_secret, + body.sid, + body.token, ) return 200, response From ba7f4364ee82ccd1b0450c72dc2833b05254d680 Mon Sep 17 00:00:00 2001 From: David Robertson Date: Fri, 16 Sep 2022 18:27:51 +0100 Subject: [PATCH 2/3] Don't validate deprecated endpoint --- synapse/rest/client/account.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/synapse/rest/client/account.py b/synapse/rest/client/account.py index 9af8dbda1509..44f622bcce15 100644 --- a/synapse/rest/client/account.py +++ b/synapse/rest/client/account.py 
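Review bot: `sid` and `token` in the new `PostBody` are plain `StrictStr`, so an empty string passes validation and is still forwarded to the msisdn delegate by `proxy_msisdn_submit_token` in the next hunk. Consider rejecting empty values up front, e.g. `sid: constr(strict=True, min_length=1)` and the same for `token`, with an upper bound if the delegate documents one. A one-line docstring on `PostBody` stating that these fields are proxied unchanged to the delegate would make that trust boundary visible. The servlet class starts before and continues past this hunk.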
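Review bot: `StrictStr` on `sid` and `token` rejects JSON numbers that the removed `assert_params_in_dict` check let through, so `body = parse_and_validate_json_object_from_request(request, self.PostBody)` changes which requests this `on_POST` accepts. SMS tokens are often numeric, so a caller sending `"token": 123456` would presumably now get a validation error; it is worth confirming no caller does that, or pinning the behaviour with a test. Rejection of a malformed `client_secret` now also comes from the model rather than `assert_valid_client_secret`, so the error code clients see may differ and should be checked. `on_POST` begins outside this hunk.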
@@ -584,6 +584,10 @@ async def on_GET(self, request: SynapseRequest) -> Tuple[int, JsonDict]: return 200, {"threepids": threepids} + # NOTE(dmr): I have chosen not to use Pydantic to parse this request's body, because + # the endpoint is deprecated. (If you really want to, you could do this by reusing + # ThreePidBindRestServelet.PostBody with an `alias_generator` to handle + # `threePidCreds` versus `three_pid_creds`. async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]: if not self.hs.config.registration.enable_3pid_changes: raise SynapseError( From ec13e314fcd1df70cc806eba5917cfd4d552304d Mon Sep 17 00:00:00 2001 From: David Robertson Date: Fri, 16 Sep 2022 18:42:00 +0100 Subject: [PATCH 3/3] Changelog --- changelog.d/13832.feature | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/13832.feature diff --git a/changelog.d/13832.feature b/changelog.d/13832.feature new file mode 100644 index 000000000000..1dc1d66efeb5 --- /dev/null +++ b/changelog.d/13832.feature @@ -0,0 +1 @@ +Improve validation for the unspecced, internal-only `_matrix/client/unstable/add_threepid/msisdn/submit_token` endpoint.
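Review bot: The class name in the new NOTE, `ThreePidBindRestServelet`, looks misspelled ("Servelet"), so a search for it will not find the servlet it refers to; check it against the real class name. The parenthesis opened at `(If you really want to` is also never closed. Since the comment records that this deprecated `on_POST` deliberately keeps hand-written body parsing, a sentence naming which fields are still checked manually would show that the weaker validation is intentional. The body of `on_POST` continues outside the hunk.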