Use the federation blacklist for requests to untrusted Identity Servers (#6000)
Uses a SimpleHttpClient instance equipped with the federation_ip_range_blacklist list for requests to identity servers provided by user input. Does not use a blacklist when contacting identity servers specified by account_threepid_delegates. The homeserver trusts the latter and we don't want to prevent homeserver admins from specifying delegates that are on internal IP addresses. Fixes #5935pull/6099/head
parent
1ea3ed7620
commit
e08ea43463
@ -0,0 +1 @@
Apply the federation blacklist to requests to identity servers.
@ -110,6 +110,9 @@ pid_file: DATADIR/homeserver.pid
# blacklist IP address CIDR ranges. If this option is not specified, or
# blacklist IP address CIDR ranges. If this option is not specified, or
# specified with an empty list, no ip range blacklist will be enforced.
# specified with an empty list, no ip range blacklist will be enforced.
#
#
# As of Synapse v1.4.0 this option also affects any outbound requests to identity
# servers provided by user input.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
# listed here, since they correspond to unroutable addresses.)
#
#
@ -545,6 +545,9 @@ class ServerConfig(Config):
# blacklist IP address CIDR ranges. If this option is not specified, or
# blacklist IP address CIDR ranges. If this option is not specified, or
# specified with an empty list, no ip range blacklist will be enforced.
# specified with an empty list, no ip range blacklist will be enforced.
#
#
# As of Synapse v1.4.0 this option also affects any outbound requests to identity
# servers provided by user input.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
# listed here, since they correspond to unroutable addresses.)
#
#
@ -31,6 +31,7 @@ from synapse.api.errors import (
SynapseError,
SynapseError,
)
)
from synapse.config.emailconfig import ThreepidBehaviour
from synapse.config.emailconfig import ThreepidBehaviour
from synapse.http.client import SimpleHttpClient
from synapse.util.stringutils import random_string
from synapse.util.stringutils import random_string
from ._base import BaseHandler
from ._base import BaseHandler
@ -42,7 +43,12 @@ class IdentityHandler(BaseHandler):
def __init__(self, hs):
def __init__(self, hs):
super(IdentityHandler, self).__init__(hs)
super(IdentityHandler, self).__init__(hs)
self.http_client = hs.get_simple_http_client()
self.http_client = SimpleHttpClient(hs)
# We create a blacklisting instance of SimpleHttpClient for contacting identity
# servers specified by clients
self.blacklisting_http_client = SimpleHttpClient(
hs, ip_blacklist=hs.config.federation_ip_range_blacklist
)
self.federation_http_client = hs.get_http_client()
self.federation_http_client = hs.get_http_client()
self.hs = hs
self.hs = hs
@ -143,7 +149,9 @@ class IdentityHandler(BaseHandler):
bind_url = "https://%s/_matrix/identity/api/v1/3pid/bind" % (id_server,)
bind_url = "https://%s/_matrix/identity/api/v1/3pid/bind" % (id_server,)
try:
try:
data = yield self.http_client.post_json_get_json(
# Use the blacklisting http client as this call is only to identity servers
# provided by a client
data = yield self.blacklisting_http_client.post_json_get_json(
bind_url, bind_data, headers=headers
bind_url, bind_data, headers=headers
)
)
@ -246,7 +254,11 @@ class IdentityHandler(BaseHandler):
headers = {b"Authorization": auth_headers}
headers = {b"Authorization": auth_headers}
try:
try:
yield self.http_client.post_json_get_json(url, content, headers)
# Use the blacklisting http client as this call is only to identity servers
# provided by a client
yield self.blacklisting_http_client.post_json_get_json(
url, content, headers
)
changed = True
changed = True
except HttpResponseException as e:
except HttpResponseException as e:
changed = False
changed = False
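Review bot: The unrestricted client created at `self.http_client = SimpleHttpClient(hs)` in the `@ -42,7 +43,12` hunk carries no comment saying why it deliberately skips the blacklist, while its blacklisting sibling two lines below is commented, so a later reader may "fix" it or reach for it with a client-supplied id_server. Suggest `# Deliberately not blacklisted: only used for admin-configured account_threepid_delegates, which may sit on internal addresses` above that line, matching the commit description. In the `@ -246,7 +254,11` hunk the only handler around the new call is `except HttpResponseException as e`; if the blacklisting client rejects a blocked address with a different exception type, the rejection propagates out of the enclosing function instead of being mapped to `changed = False`, which is worth confirming is intended. Both enclosing functions start outside their hunks.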
@ -31,6 +31,7 @@ from synapse import types
from synapse.api.constants import EventTypes, Membership
from synapse.api.constants import EventTypes, Membership
from synapse.api.errors import AuthError, Codes, HttpResponseException, SynapseError
from synapse.api.errors import AuthError, Codes, HttpResponseException, SynapseError
from synapse.handlers.identity import LookupAlgorithm, create_id_access_token_header
from synapse.handlers.identity import LookupAlgorithm, create_id_access_token_header
from synapse.http.client import SimpleHttpClient
from synapse.types import RoomID, UserID
from synapse.types import RoomID, UserID
from synapse.util.async_helpers import Linearizer
from synapse.util.async_helpers import Linearizer
from synapse.util.distributor import user_joined_room, user_left_room
from synapse.util.distributor import user_joined_room, user_left_room
@ -62,7 +63,11 @@ class RoomMemberHandler(object):
self.auth = hs.get_auth()
self.auth = hs.get_auth()
self.state_handler = hs.get_state_handler()
self.state_handler = hs.get_state_handler()
self.config = hs.config
self.config = hs.config
self.simple_http_client = hs.get_simple_http_client()
# We create a blacklisting instance of SimpleHttpClient for contacting identity
# servers specified by clients
self.simple_http_client = SimpleHttpClient(
hs, ip_blacklist=hs.config.federation_ip_range_blacklist
)
self.federation_handler = hs.get_handlers().federation_handler
self.federation_handler = hs.get_handlers().federation_handler
self.directory_handler = hs.get_handlers().directory_handler
self.directory_handler = hs.get_handlers().directory_handler
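Review bot: The attribute keeps its old name `self.simple_http_client` even though it is now the blacklisting instance, so every existing call through it elsewhere in RoomMemberHandler (outside this hunk) is now subject to the federation blacklist without that being visible at the call site. If any of those callers can reach an admin-configured account_threepid_delegate, that contradicts the description's intent of leaving delegates unrestricted, so the callers are worth checking. Naming it as identity.py does in the same commit, `self.blacklisting_http_client = SimpleHttpClient(`, would make the restriction explicit wherever it is used. `__init__` starts outside the hunk.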