synapse
e2e upload API allows you to POST keys claiming to belong to other users' UIDs (SYN-496)
An accidental bug in sytest: https://github.com/matrix-org/sytest/blob/b5c03fb7764d5d64a4272d5af88bcc46fac90ecd/tests/41end-to-end-keys/01-upload-key.pl#L21 creates a user whose name is _ANON_-6:localhost but then manages to POST a key for a different user_id. I expect this ought to have failed with 403 instead.
(Imported from https://matrix.org/jira/browse/SYN-496)
(Reported by @leonerd)
Jira watchers: @leonerd
@richvdh - is this still a prob?
Yeah; it's not actually POSTing keys for a different user_id - it is allowing you to quote a different user_id in the key body, which doesn't do you a lot of good, since clients should reject it.
OTOH, it would be helpful if synapse did actually reject such malformed key uploads, both to help with development, and as an additional security check.
I reinstated the test: https://github.com/matrix-org/sytest/blob/11cb286fa36dcf7d3bfe348eb84691083ee05798/tests/41end-to-end-keys/01-upload-key.pl#L38
Is this a problem? Now that sending key IDs has been deprecated and the endpoint just returns all known keys anyways?
https://matrix.org/docs/spec/server_server/unstable#get-matrix-key-v2-server-keyid
@anoadragon453 I think you're confusing e2e keys and server keys
I believe you're correct.
Still an issue, at least for the device_id. I did exactly what Leo did 8 years ago (!) and wrote a test, accidentally used the wrong client instance, and was surprised that Dendrite failed but Synapse passed. Dendrite does apply this validation check.
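The validation discussed in this thread, as an added Python example (not Synapse's or Dendrite's code, and not part of any comment above): it compares the `user_id` and `device_id` quoted inside `device_keys` against the identity behind the access token, and goes one step further by checking that each key ID ends in the same device ID. The function name, the `(status, errcode, message)` return shape, the choice of 403 `M_FORBIDDEN` (following the expectation stated in the report) and the sample values other than `_ANON_-6:localhost` are assumptions.

```python
# Added illustration; names and return shape are hypothetical, not a homeserver's API.
from typing import Any, Optional, Tuple

Rejection = Tuple[int, str, str]  # (HTTP status, Matrix errcode, message)


def check_device_keys_owner(
    auth_user_id: str, auth_device_id: str, body: Any
) -> Optional[Rejection]:
    """Return None if the upload is bound to the caller, else a rejection tuple."""
    if not isinstance(body, dict):
        return (400, "M_BAD_JSON", "request body must be a JSON object")
    device_keys = body.get("device_keys")
    if device_keys is None:
        return None  # e.g. a one-time-key-only upload: no identity claim to check
    if not isinstance(device_keys, dict):
        return (400, "M_BAD_JSON", "device_keys must be an object")

    # The trusted identity comes from the access token, never from the body.
    if device_keys.get("user_id") != auth_user_id:
        return (403, "M_FORBIDDEN", "device_keys.user_id is not the authenticated user")
    if device_keys.get("device_id") != auth_device_id:
        return (403, "M_FORBIDDEN", "device_keys.device_id is not the authenticated device")

    keys = device_keys.get("keys", {})
    if not isinstance(keys, dict):
        return (400, "M_BAD_JSON", "device_keys.keys must be an object")
    # Key IDs have the form "<algorithm>:<device_id>"; the suffix must match too.
    for key_id in keys:
        _algorithm, sep, key_device = str(key_id).partition(":")
        if not sep or key_device != auth_device_id:
            return (403, "M_FORBIDDEN", f"key id {key_id!r} names another device")
    return None


def sample_upload(user_id: str, device_id: str) -> dict:
    """Constructed request body for POST /keys/upload (key material is a placeholder)."""
    return {
        "device_keys": {
            "user_id": user_id,
            "device_id": device_id,
            "algorithms": ["m.olm.v1.curve25519-aes-sha2"],
            "keys": {f"ed25519:{device_id}": "PLACEHOLDER_PUBLIC_KEY"},
        }
    }


if __name__ == "__main__":
    me, dev = "@_ANON_-6:localhost", "DEVICE_A"  # DEVICE_A is constructed
    for claimed in [(me, dev), ("@other:localhost", dev), (me, "DEVICE_B")]:
        print(claimed, "->", check_device_keys_owner(me, dev, sample_upload(*claimed)))
```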