From a03185248c660cee536a45ebc8d070064c83a7c0 Mon Sep 17 00:00:00 2001 From: Mikunj Date: Wed, 19 Feb 2020 13:28:26 +1100 Subject: [PATCH] Fix check for valid sender when handling sync message --- libloki/storage.js | 2 +- libtextsecure/message_receiver.js | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/libloki/storage.js b/libloki/storage.js index 3a2d084e2..a5b5c27de 100644 --- a/libloki/storage.js +++ b/libloki/storage.js @@ -131,7 +131,7 @@ if (deviceMapping.isPrimary === '0') { const { primaryDevicePubKey } = authorisations.find( - authorisation => authorisation.secondaryDevicePubKey === pubKey + authorisation => authorisation && authorisation.secondaryDevicePubKey === pubKey ) || {}; if (primaryDevicePubKey) { // do NOT call getprimaryDeviceMapping recursively diff --git a/libtextsecure/message_receiver.js b/libtextsecure/message_receiver.js index 39cc611d6..a33eca0eb 100644 --- a/libtextsecure/message_receiver.js +++ b/libtextsecure/message_receiver.js @@ -1469,18 +1469,20 @@ MessageReceiver.prototype.extend({ this.removeFromCache(envelope); }, async handleSyncMessage(envelope, syncMessage) { + // We should only accept sync messages from our devices const ourNumber = textsecure.storage.user.getNumber(); - // NOTE: Maybe we should be caching this list? - const ourDevices = await libloki.storage.getAllDevicePubKeysForPrimaryPubKey( + const ourPrimaryNumber = window.storage.get('primaryDevicePubKey'); + const ourOtherDevices = await libloki.storage.getAllDevicePubKeysForPrimaryPubKey( window.storage.get('primaryDevicePubKey') ); - const validSyncSender = - ourDevices && ourDevices.some(devicePubKey => devicePubKey === ourNumber); + const ourDevices = new Set([ourNumber, ourPrimaryNumber, ...ourOtherDevices]); + const validSyncSender = ourDevices.has(envelope.source); if (!validSyncSender) { throw new Error( "Received sync message from a device we aren't paired with" ); } + if (syncMessage.sent) { const sentMessage = syncMessage.sent; const to = sentMessage.message.group