Contact names leaked despite allow_contact_info: false

[imax9000]

I was very surprised to see display names I've set for a few contacts being used by the bridge. (I use display name as notes, since telegram doesn't have any other place for them)

First I've set up a portal using @admin account, which was logged into the bridge with a telegram bot token.

Once I was satisfied that it all works, I used a separate account (@imax) to log in as myself. Shortly after a few puppets were added to the chatroom with display names that I've set for them in my contact list.

Here's redacted log for one of them:

[2024-09-16 14:38:21,130] [[email protected].<puppet_user_id>] Updating username None -> <username>
[2024-09-16 14:38:21,130] [[email protected].<puppet_user_id>] Updating displayname of <puppet_user_id> (src: <my_id>, contact: True, allowed because no primary source set and quality 99 >= 0) from None to <contact_display_name>
[2024-09-16 14:38:21,130] [[email protected].@telegram_<puppet_user_id>:<domain>] req #921: POST http://synapse:8008/_matrix/client/v3/register?kind=user&user_id=@telegram_<puppet_user_id>:<domain> {"username": "telegram_<puppet_user_id>", "type": "m.login.application_service", "inhibit_login": true}
[2024-09-16 14:38:21,152] [[email protected].@telegram_<puppet_user_id>:<domain>] req #921 (/v3/register) completed in 21.6ms with status 200
[2024-09-16 14:38:21,155] [[email protected].@telegram_<puppet_user_id>:<domain>] req #924: GET http://synapse:8008/_matrix/client/v3/profile/%40telegram_<puppet_user_id>%3A<domain>/displayname?user_id=@telegram_<puppet_user_id>:<domain> None
[2024-09-16 14:38:21,165] [[email protected].@telegram_<puppet_user_id>:<domain>] req #924 (/v3/profile/%40telegram_<puppet_user_id>%3A<domain>/displayname) completed in 9.0ms with status 200
[2024-09-16 14:38:21,165] [[email protected].@telegram_<puppet_user_id>:<domain>] req #925: PUT http://synapse:8008/_matrix/client/v3/profile/%40telegram_<puppet_user_id>%3A<domain>/displayname?user_id=@telegram_<puppet_user_id>:<domain> {"displayname": "<quoted_contact_display_name>"}
[2024-09-16 14:38:21,203] [[email protected].@telegram_<puppet_user_id>:<domain>] req #925 (/v3/profile/%40telegram_<puppet_user_id>%3A<domain>/displayname) completed in 38.4ms with status 200
[2024-09-16 14:38:21,207] [[email protected].@telegram_<puppet_user_id>:<domain>] req #927: POST http://synapse:8008/_matrix/client/v3/join/%21RMuCbkBPiRyfVLGMnQ%3A<domain>?user_id=@telegram_<puppet_user_id>:<domain> {}
[2024-09-16 14:38:21,261] [[email protected].@telegram_<puppet_user_id>:<domain>] req #927 (/v3/join/%21RMuCbkBPiRyfVLGMnQ%3A<domain>) completed in 53.6ms with status 403
[2024-09-16 14:38:21,265] [[email protected]] req #930: POST http://synapse:8008/_matrix/client/v3/rooms/%21RMuCbkBPiRyfVLGMnQ%3A<domain>/invite?user_id=@telegrambot:<domain> {"user_id": "@telegram_<puppet_user_id>:<domain>"}
[2024-09-16 14:38:21,387] [[email protected].@telegram_<puppet_user_id>:<domain>] req #935: POST http://synapse:8008/_matrix/client/v3/join/%21RMuCbkBPiRyfVLGMnQ%3A<domain>?user_id=@telegram_<puppet_user_id>:<domain> {}
[2024-09-16 14:38:21,557] [[email protected].@telegram_<puppet_user_id>:<domain>] req #935 (/v3/join/%21RMuCbkBPiRyfVLGMnQ%3A<domain>) completed in 169.4ms with status 200

I double-checked the config file, and allow_contact_info is still set to false, so this shouldn't be happening.

I've sent logout to the bridge from both accounts and logged back in from @admin with a bot token - that did not affect the puppets in any way :( As of now I still have 140 puppets in the database with displayname_source pointing to my personal telegram account.