Change display names/avatar URLs to None if they contain null bytes before storing in DB

changelog.d/11230.bugfix

@@ -0,0 +1,2 @@
+Fix a long-standing bug wherein display names or avatar URLs containing null bytes cause an internal server error
+when stored in the DB.

synapse/storage/databases/main/events.py

@@ -1640,8 +1640,8 @@ def _store_event_reference_hashes_txn(self, txn, events):
     def _store_room_members_txn(self, txn, events, backfilled):
         """Store a room member in the database."""
 
-        def str_or_none(val: Any) -> Optional[str]:
-            return val if isinstance(val, str) else None
+        def non_null_str_or_none(val: Any) -> Optional[str]:
+            return val if isinstance(val, str) and "\u0000" not in val else None
 
         self.db_pool.simple_insert_many_txn(
             txn,
@@ -1653,8 +1653,10 @@ def str_or_none(val: Any) -> Optional[str]:
                     "sender": event.user_id,
                     "room_id": event.room_id,
                     "membership": event.membership,
-                    "display_name": str_or_none(event.content.get("displayname")),
-                    "avatar_url": str_or_none(event.content.get("avatar_url")),
+                    "display_name": non_null_str_or_none(
+                        event.content.get("displayname")
+                    ),
+                    "avatar_url": non_null_str_or_none(event.content.get("avatar_url")),
                 }
                 for event in events
             ],

tests/storage/test_roommember.py

@@ -161,6 +161,60 @@ def test_get_joined_users_from_context(self):
         )
         self.assertEqual(users.keys(), {self.u_alice, self.u_bob})
 
+    def test_store_room_members_txn(self):
+        def _store_room_members_txn(txn, events, backfilled):
+            """Store a room member in the database."""
+
+            def non_null_str_or_none(val) -> str:
+                return val if isinstance(val, str) and "\u0000" not in val else None
+
+            self.store.db_pool.simple_insert_many_txn(
+                txn,
+                table="room_memberships",
+                values=[
+                    {
+                        "event_id": event.event_id,
+                        "user_id": "random_test_value",
+                        "sender": event.user_id,
+                        "room_id": event.room_id,
+                        "membership": event.membership,
+                        "display_name": non_null_str_or_none(
+                            event.content.get("displayname")
+                        ),
+                        "avatar_url": non_null_str_or_none(
+                            event.content.get("avatar_url")
+                        ),
+                    }
+                    for event in events
+                ],
+            )
+
+        room = self.helper.create_room_as(self.u_alice, tok=self.t_alice)
+        bob_event = self.get_success(
+            event_injection.inject_member_event(
+                self.hs, room, self.u_bob, Membership.JOIN
+            )
+        )
+
+        # Create an event with a null-containing string to pass to _store_room_members_txn
+        event, context = self.get_success(
+            event_injection.create_event(
+                self.hs,
+                room_id=room,
+                sender=self.u_alice,
+                prev_event_ids=[bob_event.event_id],
+                type="m.test.1",
+                content={"displayname": "bad\u0000null", "membership": Membership.JOIN},
+            )
+        )
+
+        # pass event to _store_room_members_txn and verify that it doesn't blow up
+        self.get_success(
+            self.store.db_pool.runInteraction(
+                "store room members", _store_room_members_txn, [event], False
+            )
+        )
+
 
 class CurrentStateMembershipUpdateTestCase(unittest.HomeserverTestCase):
     def prepare(self, reactor, clock, homeserver):