Merge 938536186c into 3c188231c7

2025-03-31 03:45:13 +00:00 · 2025-03-28 15:57:10 +00:00 · 2025-03-28 15:57:10 +00:00 · 598310a89b
commit 598310a89b
parent 3c188231c7 938536186c
2 changed files with 24 additions and 8 deletions
--- a/changelog.d/17097.misc
+++ b/changelog.d/17097.misc
@ -0,0 +1 @@
+Extend validation of uploaded device keys.
--- a/synapse/handlers/e2e_keys.py
+++ b/synapse/handlers/e2e_keys.py
@ -58,7 +58,6 @@ if TYPE_CHECKING:

 logger = logging.getLogger(__name__)

-
 ONE_TIME_KEY_UPLOAD = "one_time_key_upload_lock"


@ -821,15 +820,29 @@ class E2eKeysHandler:

        # TODO: Validate the JSON to make sure it has the right keys.
        device_keys = keys.get("device_keys", None)
-        if device_keys:
-            await self.device_key_uploader(
-                user_id=user_id,
-                device_id=device_id,
-                keys={"device_keys": device_keys},
-            )
+        if device_keys and isinstance(device_keys, dict):
+            # Validate that user_id and device_id match the requesting user
+            if (
+                device_keys["user_id"] == user_id
+                and device_keys["device_id"] == device_id
+            ):
+                await self.device_key_uploader(
+                    user_id=user_id,
+                    device_id=device_id,
+                    keys={"device_keys": device_keys},
+                )
+            else:
+                log_kv(
+                    {
+                        "message": "Not updating device_keys for user, user_id or device_id mismatch",
+                        "user_id": user_id,
+                    }
+                )
+        else:
+            log_kv({"message": "Did not update device_keys", "reason": "not a dict"})

        one_time_keys = keys.get("one_time_keys", None)
-        if one_time_keys:
+        if one_time_keys and isinstance(one_time_keys, dict):
            log_kv(
                {
                    "message": "Updating one_time_keys for device.",
@ -840,6 +853,8 @@ class E2eKeysHandler:
            await self._upload_one_time_keys_for_user(
                user_id, device_id, time_now, one_time_keys
            )
+        elif one_time_keys:
+            log_kv({"message": "Did not update device_keys", "reason": "not a dict"})
        else:
            log_kv(
                {"message": "Did not update one_time_keys", "reason": "no keys given"}