From be3187fda72eb07631210e8bd69f5e76bee32027 Mon Sep 17 00:00:00 2001
From: Matthias Ahouansou <matthias@ahouansou.cz>
Date: Thu, 27 Feb 2025 00:38:21 +0000
Subject: [PATCH] fix: check that keys uploaded by clients are valid

clients uploading invalid keys can cause errors later when trying to add signatures
---
 src/api/client_server/keys.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/api/client_server/keys.rs b/src/api/client_server/keys.rs
index f5a923b9..75478736 100644
--- a/src/api/client_server/keys.rs
+++ b/src/api/client_server/keys.rs
@@ -36,6 +36,10 @@ pub async fn upload_keys_route(
     let sender_device = body.sender_device.as_ref().expect("user is authenticated");
 
     for (key_key, key_value) in &body.one_time_keys {
+        key_value.deserialize().map_err(|_| {
+            Error::BadRequest(ErrorKind::BadJson, "Body contained invalid one-time key")
+        })?;
+
         services()
             .users
             .add_one_time_key(sender_user, sender_device, key_key, key_value)?;
@@ -49,6 +53,10 @@ pub async fn upload_keys_route(
             .get_device_keys(sender_user, sender_device)?
             .is_none()
         {
+            device_keys.deserialize().map_err(|_| {
+                Error::BadRequest(ErrorKind::BadJson, "Body contained invalid device keys")
+            })?;
+
             services()
                 .users
                 .add_device_keys(sender_user, sender_device, device_keys)?;