Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Only assert valid next_link params when provided #8417

Merged
merged 3 commits into from Sep 29, 2020
Merged

Only assert valid next_link params when provided #8417

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a560ccb
Only assert valid next_link params when provided
anoadragon453 Sep 29, 2020
6e138d6
Changelog
anoadragon453 Sep 29, 2020
33b5bf0
Add a regression test
anoadragon453 Sep 29, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/8417.feature
View file
Open in desktop
@@ -0,0 +1 @@
Add a config option to specify a whitelist of domains that a user can be redirected to after validating their email or phone number.
15 changes: 9 additions & 6 deletions synapse/rest/client/v2_alpha/account.py
View file
Open in desktop
Expand Up @@ -103,8 +103,9 @@ async def on_POST(self, request):
Codes.THREEPID_DENIED,
)

# Raise if the provided next_link value isn't valid
assert_valid_next_link(self.hs, next_link)
if next_link:
# Raise if the provided next_link value isn't valid
assert_valid_next_link(self.hs, next_link)

# The email will be sent to the stored address.
# This avoids a potential account hijack by requesting a password reset to
Expand Down Expand Up @@ -379,8 +380,9 @@ async def on_POST(self, request):
Codes.THREEPID_DENIED,
)

# Raise if the provided next_link value isn't valid
assert_valid_next_link(self.hs, next_link)
if next_link:
# Raise if the provided next_link value isn't valid
assert_valid_next_link(self.hs, next_link)

existing_user_id = await self.store.get_user_id_by_threepid("email", email)

Expand Down Expand Up @@ -453,8 +455,9 @@ async def on_POST(self, request):
Codes.THREEPID_DENIED,
)

# Raise if the provided next_link value isn't valid
assert_valid_next_link(self.hs, next_link)
if next_link:
# Raise if the provided next_link value isn't valid
assert_valid_next_link(self.hs, next_link)

existing_user_id = await self.store.get_user_id_by_threepid("msisdn", msisdn)

Expand Down
6 changes: 6 additions & 0 deletions tests/rest/client/v2_alpha/test_account.py
View file
Open in desktop
Expand Up @@ -732,6 +732,12 @@ def test_next_link_file_uri(self):
@override_config({"next_link_domain_whitelist": ["example.com", "example.org"]})
def test_next_link_domain_whitelist(self):
"""Tests next_link parameters must fit the whitelist if provided"""

# Ensure not providing a next_link parameter still works
self._request_token(
"something@example.com", "some_secret", next_link=None, expect_code=200,
)

self._request_token(
"something@example.com",
"some_secret",
Expand Down