Add configs to make profile data more private (#9203)

Add off-by-default configuration settings to: - disable putting an invitee's profile info in invite events - disable profile lookup via federation Signed-off-by: Andrew Ferrazzutti <fair@miscworks.net>
2021-02-19 04:50:41 -05:00 · 2021-02-19 04:50:41 -05:00 · 9bc74743d5
parent 84a7191410
commit 9bc74743d5
9 changed files with 66 additions and 7 deletions
--- a/changelog.d/9203.feature
+++ b/changelog.d/9203.feature
@ -0,0 +1 @@
+Add some configuration settings to make users' profile data more private.
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@ -101,6 +101,14 @@ pid_file: DATADIR/homeserver.pid
 #
 #limit_profile_requests_to_users_who_share_rooms: true

+# Uncomment to prevent a user's profile data from being retrieved and
+# displayed in a room until they have joined it. By default, a user's
+# profile data is included in an invite event, regardless of the values
+# of the above two settings, and whether or not the users share a server.
+# Defaults to 'true'.
+#
+#include_profile_data_on_invite: false
+
 # If set to 'true', removes the need for authentication to access the server's
 # public rooms directory through the client API, meaning that anyone can
 # query the room directory. Defaults to 'false'.
@ -699,6 +707,12 @@ acme:
 #  - matrix.org
 #  - example.com

+# Uncomment to disable profile lookup over federation. By default, the
+# Federation API allows other homeservers to obtain profile data of any user
+# on this homeserver. Defaults to 'true'.
+#
+#allow_profile_lookup_over_federation: false
+

 ## Caching ##

--- a/synapse/config/federation.py
+++ b/synapse/config/federation.py
@ -41,6 +41,10 @@ class FederationConfig(Config):
        )
        self.federation_metrics_domains = set(federation_metrics_domains)

+        self.allow_profile_lookup_over_federation = config.get(
+            "allow_profile_lookup_over_federation", True
+        )
+
    def generate_config_section(self, config_dir_path, server_name, **kwargs):
        return """\
        ## Federation ##
@ -66,6 +70,12 @@ class FederationConfig(Config):
        #federation_metrics_domains:
        #  - matrix.org
        #  - example.com
+
+        # Uncomment to disable profile lookup over federation. By default, the
+        # Federation API allows other homeservers to obtain profile data of any user
+        # on this homeserver. Defaults to 'true'.
+        #
+        #allow_profile_lookup_over_federation: false
        """


--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@ -263,6 +263,12 @@ class ServerConfig(Config):
            False,
        )

+        # Whether to retrieve and display profile data for a user when they
+        # are invited to a room
+        self.include_profile_data_on_invite = config.get(
+            "include_profile_data_on_invite", True
+        )
+
        if "restrict_public_rooms_to_local_users" in config and (
            "allow_public_rooms_without_auth" in config
            or "allow_public_rooms_over_federation" in config
@ -848,6 +854,14 @@ class ServerConfig(Config):
        #
        #limit_profile_requests_to_users_who_share_rooms: true

+        # Uncomment to prevent a user's profile data from being retrieved and
+        # displayed in a room until they have joined it. By default, a user's
+        # profile data is included in an invite event, regardless of the values
+        # of the above two settings, and whether or not the users share a server.
+        # Defaults to 'true'.
+        #
+        #include_profile_data_on_invite: false
+
        # If set to 'true', removes the need for authentication to access the server's
        # public rooms directory through the client API, meaning that anyone can
        # query the room directory. Defaults to 'false'.
--- a/synapse/federation/transport/server.py
+++ b/synapse/federation/transport/server.py
@ -484,10 +484,9 @@ class FederationQueryServlet(BaseFederationServlet):

    # This is when we receive a server-server Query
    async def on_GET(self, origin, content, query, query_type):
-        return await self.handler.on_query_request(
-            query_type,
-            {k.decode("utf8"): v[0].decode("utf-8") for k, v in query.items()},
-        )
+        args = {k.decode("utf8"): v[0].decode("utf-8") for k, v in query.items()}
+        args["origin"] = origin
+        return await self.handler.on_query_request(query_type, args)


 class FederationMakeJoinServlet(BaseFederationServlet):
--- a/synapse/handlers/message.py
+++ b/synapse/handlers/message.py
@ -387,6 +387,12 @@ class EventCreationHandler:

        self.room_invite_state_types = self.hs.config.room_invite_state_types

+        self.membership_types_to_include_profile_data_in = (
+            {Membership.JOIN, Membership.INVITE}
+            if self.hs.config.include_profile_data_on_invite
+            else {Membership.JOIN}
+        )
+
        self.send_event = ReplicationSendEventRestServlet.make_client(hs)

        # This is only used to get at ratelimit function, and maybe_kick_guest_users
@ -500,7 +506,7 @@ class EventCreationHandler:
            membership = builder.content.get("membership", None)
            target = UserID.from_string(builder.state_key)

-            if membership in {Membership.JOIN, Membership.INVITE}:
+            if membership in self.membership_types_to_include_profile_data_in:
                # If event doesn't include a display name, add one.
                profile = self.profile_handler
                content = builder.content
--- a/synapse/handlers/profile.py
+++ b/synapse/handlers/profile.py
@ -310,6 +310,16 @@ class ProfileHandler(BaseHandler):
        await self._update_join_states(requester, target_user)

    async def on_profile_query(self, args: JsonDict) -> JsonDict:
+        """Handles federation profile query requests.
+        """
+
+        if not self.hs.config.allow_profile_lookup_over_federation:
+            raise SynapseError(
+                403,
+                "Profile lookup over federation is disabled on this homeserver",
+                Codes.FORBIDDEN,
+            )
+
        user = UserID.from_string(args["user_id"])
        if not self.hs.is_mine(user):
            raise SynapseError(400, "User is not hosted on this homeserver")
--- a/synapse/replication/http/federation.py
+++ b/synapse/replication/http/federation.py
@ -213,8 +213,9 @@ class ReplicationGetQueryRestServlet(ReplicationEndpoint):
            content = parse_json_object_from_request(request)

            args = content["args"]
+            args["origin"] = content["origin"]

-        logger.info("Got %r query", query_type)
+        logger.info("Got %r query from %s", query_type, args["origin"])

        result = await self.registry.on_query(query_type, args)

--- a/tests/handlers/test_profile.py
+++ b/tests/handlers/test_profile.py
@ -161,7 +161,11 @@ class ProfileTestCase(unittest.HomeserverTestCase):

        response = self.get_success(
            self.query_handlers["profile"](
-                {"user_id": "@caroline:test", "field": "displayname"}
+                {
+                    "user_id": "@caroline:test",
+                    "field": "displayname",
+                    "origin": "servername.tld",
+                }
            )
        )
				`@ -0,0 +1 @@`
				`Add some configuration settings to make users' profile data more private.`