From 699f77671fa762e5ee5455d281cba6abc0a5e184 Mon Sep 17 00:00:00 2001
From: Kurt Roeckx
Date: Wed, 30 Jun 2021 23:12:22 +0200
Subject: [PATCH] Return proper error in case of invalid UTF-8 in json_body

json_body is used in places that need authentication. In case an unknown field is set, Ruma doesn't parse the field and so doesn't give an error on invalid UTF-8. But Conduit has parsed and on error makes json_body None. Return an error to the client instead of generating an internal error.
---
 src/client_server/account.rs | 54 +++++++++++++++++++-----------------
 src/client_server/device.rs | 32 ++++++++++-----------
 src/client_server/keys.rs | 16 +++++------
 3 files changed, 53 insertions(+), 49 deletions(-)

diff --git a/src/client_server/account.rs b/src/client_server/account.rs
index f495e287..5326a798 100644
--- a/src/client_server/account.rs
+++ b/src/client_server/account.rs
@@ -157,15 +157,19 @@ pub async fn register_route(
 }
 // Success!
 } else {
- uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
- db.uiaa.create(
- &UserId::parse_with_server_name("", db.globals.server_name())
- .expect("we know this is valid"),
- "".into(),
- &uiaainfo,
- &body.json_body.expect("body is json"),
- )?;
- return Err(Error::Uiaa(uiaainfo));
+ if let Some(json) = body.json_body {
+ uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
+ db.uiaa.create(
+ &UserId::parse_with_server_name("", db.globals.server_name())
+ .expect("we know this is valid"),
+ "".into(),
+ &uiaainfo,
+ &json,
+ )?;
+ return Err(Error::Uiaa(uiaainfo));
+ } else {
+ return Err(Error::BadRequest(ErrorKind::NotJson, "Not json."));
+ }
 }
 }
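Review bot: The `if let Some(json) = body.json_body { … } else { return Err(Error::BadRequest(ErrorKind::NotJson, "Not json.")); }` wrapper is pasted into register_route here and into the five other UIAA fallbacks (change_password_route, deactivate_route, delete_device_route, delete_devices_route, upload_signing_keys_route), so any later change to the rejection has to be made six times. Binding the body once keeps each branch flat, assuming `create` takes the body by reference as the `&json` argument suggests: `let json = body.json_body.as_ref().ok_or(Error::BadRequest(ErrorKind::NotJson, "Not json."))?;` followed by the original `db.uiaa.create(…, json)?;` call. A comment above that line such as `// json_body is None when the request body could not be parsed (e.g. invalid UTF-8)` would record the cause given in the commit message, which the "Not json." text alone does not convey. register_route's body starts and ends outside the hunk.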
@@ -526,14 +530,14 @@ pub async fn change_password_route(
 }
 // Success!
 } else {
- uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
- db.uiaa.create(
- &sender_user,
- &sender_device,
- &uiaainfo,
- &body.json_body.expect("body is json"),
- )?;
- return Err(Error::Uiaa(uiaainfo));
+ if let Some(json) = body.json_body {
+ uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
+ db.uiaa
+ .create(&sender_user, &sender_device, &uiaainfo, &json)?;
+ return Err(Error::Uiaa(uiaainfo));
+ } else {
+ return Err(Error::BadRequest(ErrorKind::NotJson, "Not json."));
+ }
 }
 db.users
@@ -618,14 +622,14 @@ pub async fn deactivate_route(
 }
 // Success!
 } else {
- uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
- db.uiaa.create(
- &sender_user,
- &sender_device,
- &uiaainfo,
- &body.json_body.expect("body is json"),
- )?;
- return Err(Error::Uiaa(uiaainfo));
+ if let Some(json) = body.json_body {
+ uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
+ db.uiaa
+ .create(&sender_user, &sender_device, &uiaainfo, &json)?;
+ return Err(Error::Uiaa(uiaainfo));
+ } else {
+ return Err(Error::BadRequest(ErrorKind::NotJson, "Not json."));
+ }
 }
 // Leave all joined rooms and reject all invitations
diff --git a/src/client_server/device.rs b/src/client_server/device.rs
index 2441524d..2c4b527c 100644
--- a/src/client_server/device.rs
+++ b/src/client_server/device.rs
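Review bot: In change_password_route (src/client_server/account.rs) the value passed as `&json` to `db.uiaa.create` is the whole request body, which for this endpoint carries the `new_password` field in clear text; the register_route hunk earlier in the same file does the same with `password`. What `create` does with the body is not visible in this diff, but if it keeps it until the UIAA session completes, the secret stays in the database for as long as abandoned sessions are retained. It is worth confirming that the stored entry is removed on completion and on expiry and is never logged, and recording that at the call, e.g. `// json may contain new_password: the uiaa entry must be dropped when the session ends`. The function body continues outside the hunk.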
@@ -116,14 +116,14 @@ pub async fn delete_device_route(
 }
 // Success!
 } else {
- uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
- db.uiaa.create(
- &sender_user,
- &sender_device,
- &uiaainfo,
- &body.json_body.expect("body is json"),
- )?;
- return Err(Error::Uiaa(uiaainfo));
+ if let Some(json) = body.json_body {
+ uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
+ db.uiaa
+ .create(&sender_user, &sender_device, &uiaainfo, &json)?;
+ return Err(Error::Uiaa(uiaainfo));
+ } else {
+ return Err(Error::BadRequest(ErrorKind::NotJson, "Not json."));
+ }
 }
 db.users.remove_device(&sender_user, &body.device_id)?;
@@ -170,14 +170,14 @@ pub async fn delete_devices_route(
 }
 // Success!
 } else {
- uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
- db.uiaa.create(
- &sender_user,
- &sender_device,
- &uiaainfo,
- &body.json_body.expect("body is json"),
- )?;
- return Err(Error::Uiaa(uiaainfo));
+ if let Some(json) = body.json_body {
+ uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
+ db.uiaa
+ .create(&sender_user, &sender_device, &uiaainfo, &json)?;
+ return Err(Error::Uiaa(uiaainfo));
+ } else {
+ return Err(Error::BadRequest(ErrorKind::NotJson, "Not json."));
+ }
 }
 for device_id in &body.devices {
diff --git a/src/client_server/keys.rs b/src/client_server/keys.rs
index f80a3294..60269813 100644
--- a/src/client_server/keys.rs
+++ b/src/client_server/keys.rs
@@ -145,14 +145,14 @@ pub async fn upload_signing_keys_route(
 }
 // Success!
 } else {
- uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
- db.uiaa.create(
- &sender_user,
- &sender_device,
- &uiaainfo,
- &body.json_body.expect("body is json"),
- )?;
- return Err(Error::Uiaa(uiaainfo));
+ if let Some(json) = body.json_body {
+ uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
+ db.uiaa
+ .create(&sender_user, &sender_device, &uiaainfo, &json)?;
+ return Err(Error::Uiaa(uiaainfo));
+ } else {
+ return Err(Error::BadRequest(ErrorKind::NotJson, "Not json."));
+ }
 }
 if let Some(master_key) = &body.master_key {