MirrorMirror
/
Signal-Server
mirror of https://github.com/signalapp/Signal-Server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix internal server error when sending stories to unknown recipient.

This commit is contained in:
erik-signal 2022-10-06 13:53:57 -04:00 committed by GitHub
parent 0d20b73e76
commit d6c9652a70
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
service/src/main/java/org/whispersystems/textsecuregcm/controllers/MessageController.java
View File

@ -213,7 +213,19 @@ public class MessageController {
if (!isStory) { if (!isStory) {
OptionalAccess.verify(source.map(AuthenticatedAccount::getAccount), accessKey, destination); OptionalAccess.verify(source.map(AuthenticatedAccount::getAccount), accessKey, destination);
} }
assert (destination.isPresent());
boolean needsSync = !isSyncMessage && source.isPresent() && source.get().getAccount().getEnabledDeviceCount() > 1;
// We return 200 when stories are sent to a non-existent account. Since story sends bypass OptionalAccess.verify
// we leak information about whether a destination UUID exists if we return any other code (e.g. 404) from
// these requests.
if (isStory && destination.isEmpty()) {
return Response.ok(new SendMessageResponse(needsSync)).build();
}
// if destination is empty we would either throw an exception in OptionalAccess.verify when isStory is false
// or else return a 200 response when isStory is true.
assert destination.isPresent();
if (source.isPresent() && !isSyncMessage) { if (source.isPresent() && !isSyncMessage) {
checkMessageRateLimit(source.get(), destination.get(), userAgent); checkMessageRateLimit(source.get(), destination.get(), userAgent);
@ -254,7 +266,6 @@ public class MessageController {
} }
} }
boolean needsSync = !isSyncMessage && source.isPresent() && source.get().getAccount().getEnabledDeviceCount() > 1;
return Response.ok(new SendMessageResponse(needsSync)).build(); return Response.ok(new SendMessageResponse(needsSync)).build();
} catch (NoSuchUserException e) { } catch (NoSuchUserException e) {
throw new WebApplicationException(Response.status(404).build()); throw new WebApplicationException(Response.status(404).build());

17
service/src/test/java/org/whispersystems/textsecuregcm/controllers/MessageControllerTest.java
View File

@ -846,6 +846,23 @@ class MessageControllerTest {
); );
} }
@Test
void testSendStoryToUnknownAccount() throws Exception {
String accessBytes = Base64.getEncoder().encodeToString(UNIDENTIFIED_ACCESS_BYTES);
String json = jsonFixture("fixtures/current_message_single_device.json");
UUID unknownUUID = UUID.randomUUID();
IncomingMessageList list = SystemMapper.getMapper().readValue(json, IncomingMessageList.class);
Response response =
resources.getJerseyTest()
.target(String.format("/v1/messages/%s", unknownUUID))
.queryParam("story", "true")
.request()
.header(OptionalAccess.UNIDENTIFIED, accessBytes)
.put(Entity.entity(list, MediaType.APPLICATION_JSON_TYPE));
assertThat("200 masks unknown recipient", response.getStatus(), is(equalTo(200)));
}
private void checkBadMultiRecipientResponse(Response response, int expectedCode) throws Exception { private void checkBadMultiRecipientResponse(Response response, int expectedCode) throws Exception {
assertThat("Unexpected response", response.getStatus(), is(equalTo(expectedCode))); assertThat("Unexpected response", response.getStatus(), is(equalTo(expectedCode)));
verify(messageSender, never()).sendMessage(any(), any(), any(), anyBoolean()); verify(messageSender, never()).sendMessage(any(), any(), any(), anyBoolean());