fix: check that keys uploaded by clients are valid

clients uploading invalid keys can cause errors later when trying to add signatures
2025-04-22 14:10:16 +03:00 · 2025-02-27 00:38:21 +00:00 · 2025-02-27 00:38:21 +00:00 · be3187fda7
commit be3187fda7
parent a3386f405e
1 changed files with 8 additions and 0 deletions
--- a/src/api/client_server/keys.rs
+++ b/src/api/client_server/keys.rs
@ -36,6 +36,10 @@ pub async fn upload_keys_route(
    let sender_device = body.sender_device.as_ref().expect("user is authenticated");

    for (key_key, key_value) in &body.one_time_keys {
+        key_value.deserialize().map_err(|_| {
+            Error::BadRequest(ErrorKind::BadJson, "Body contained invalid one-time key")
+        })?;
+
        services()
            .users
            .add_one_time_key(sender_user, sender_device, key_key, key_value)?;
@ -49,6 +53,10 @@ pub async fn upload_keys_route(
            .get_device_keys(sender_user, sender_device)?
            .is_none()
        {
+            device_keys.deserialize().map_err(|_| {
+                Error::BadRequest(ErrorKind::BadJson, "Body contained invalid device keys")
+            })?;
+
            services()
                .users
                .add_device_keys(sender_user, sender_device, device_keys)?;