Apply the federation_ip_range_blacklist to well-known look-ups.

These protections were already being applied due to the use of
IPBlacklistingResolver, but making it explicit should help ensure
there are fewer avenues for holes.
pull/8821/head
Patrick Cloke 2020-11-25 13:46:07 -05:00
parent 1adfd358f5
commit 82c067d2e8
3 changed files with 19 additions and 5 deletions

View File

@ -16,7 +16,7 @@ import logging
import urllib.parse import urllib.parse
from typing import List, Optional from typing import List, Optional
from netaddr import AddrFormatError, IPAddress from netaddr import AddrFormatError, IPAddress, IPSet
from zope.interface import implementer from zope.interface import implementer
from twisted.internet import defer from twisted.internet import defer
@ -31,6 +31,7 @@ from twisted.web.http_headers import Headers
from twisted.web.iweb import IAgent, IAgentEndpointFactory, IBodyProducer from twisted.web.iweb import IAgent, IAgentEndpointFactory, IBodyProducer
from synapse.crypto.context_factory import FederationPolicyForHTTPS from synapse.crypto.context_factory import FederationPolicyForHTTPS
from synapse.http.client import BlacklistingAgentWrapper
from synapse.http.federation.srv_resolver import Server, SrvResolver from synapse.http.federation.srv_resolver import Server, SrvResolver
from synapse.http.federation.well_known_resolver import WellKnownResolver from synapse.http.federation.well_known_resolver import WellKnownResolver
from synapse.logging.context import make_deferred_yieldable, run_in_background from synapse.logging.context import make_deferred_yieldable, run_in_background
@ -70,6 +71,7 @@ class MatrixFederationAgent:
reactor: IReactorCore, reactor: IReactorCore,
tls_client_options_factory: Optional[FederationPolicyForHTTPS], tls_client_options_factory: Optional[FederationPolicyForHTTPS],
user_agent: bytes, user_agent: bytes,
ip_blacklist: IPSet,
_srv_resolver: Optional[SrvResolver] = None, _srv_resolver: Optional[SrvResolver] = None,
_well_known_resolver: Optional[WellKnownResolver] = None, _well_known_resolver: Optional[WellKnownResolver] = None,
): ):
@ -90,12 +92,18 @@ class MatrixFederationAgent:
self.user_agent = user_agent self.user_agent = user_agent
if _well_known_resolver is None: if _well_known_resolver is None:
# Note that the name resolver has already been wrapped in a
# IPBlacklistingResolver by MatrixFederationHttpClient.
_well_known_resolver = WellKnownResolver( _well_known_resolver = WellKnownResolver(
self._reactor, self._reactor,
agent=Agent( agent=BlacklistingAgentWrapper(
Agent(
self._reactor,
pool=self._pool,
contextFactory=tls_client_options_factory,
),
self._reactor, self._reactor,
pool=self._pool, ip_blacklist=ip_blacklist,
contextFactory=tls_client_options_factory,
), ),
user_agent=self.user_agent, user_agent=self.user_agent,
) )

View File

@ -245,7 +245,10 @@ class MatrixFederationHttpClient:
user_agent = user_agent.encode("ascii") user_agent = user_agent.encode("ascii")
self.agent = MatrixFederationAgent( self.agent = MatrixFederationAgent(
self.reactor, tls_client_options_factory, user_agent self.reactor,
tls_client_options_factory,
user_agent,
hs.config.federation_ip_range_blacklist,
) )
# Use a BlacklistingAgentWrapper to prevent circumventing the IP # Use a BlacklistingAgentWrapper to prevent circumventing the IP

View File

@ -17,6 +17,7 @@ import logging
from mock import Mock from mock import Mock
import treq import treq
from netaddr import IPSet
from service_identity import VerificationError from service_identity import VerificationError
from zope.interface import implementer from zope.interface import implementer
@ -103,6 +104,7 @@ class MatrixFederationAgentTests(unittest.TestCase):
reactor=self.reactor, reactor=self.reactor,
tls_client_options_factory=self.tls_factory, tls_client_options_factory=self.tls_factory,
user_agent="test-agent", # Note that this is unused since _well_known_resolver is provided. user_agent="test-agent", # Note that this is unused since _well_known_resolver is provided.
ip_blacklist=IPSet(),
_srv_resolver=self.mock_resolver, _srv_resolver=self.mock_resolver,
_well_known_resolver=self.well_known_resolver, _well_known_resolver=self.well_known_resolver,
) )
@ -736,6 +738,7 @@ class MatrixFederationAgentTests(unittest.TestCase):
reactor=self.reactor, reactor=self.reactor,
tls_client_options_factory=tls_factory, tls_client_options_factory=tls_factory,
user_agent=b"test-agent", # This is unused since _well_known_resolver is passed below. user_agent=b"test-agent", # This is unused since _well_known_resolver is passed below.
ip_blacklist=IPSet(),
_srv_resolver=self.mock_resolver, _srv_resolver=self.mock_resolver,
_well_known_resolver=WellKnownResolver( _well_known_resolver=WellKnownResolver(
self.reactor, self.reactor,