magmaus3/continuwuity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

precompute cidr range denylist; move validator.

Browse source 
Signed-off-by: Jason Volk <jason@zemos.net>
This commit is contained in:
Jason Volk 2024-04-21 22:32:45 -07:00 committed by June
parent 93c3e6dec8
commit 423fc6dad0
2 changed files with 23 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

22
src/service/globals/mod.rs
View file

@ -14,6 +14,7 @@ use argon2::Argon2;
use base64::{engine::general_purpose, Engine as _}; use base64::{engine::general_purpose, Engine as _};
pub use data::Data; pub use data::Data;
use hickory_resolver::TokioAsyncResolver; use hickory_resolver::TokioAsyncResolver;
use ipaddress::IPAddress;
use regex::RegexSet; use regex::RegexSet;
use ruma::{ use ruma::{
api::{ api::{
@ -25,7 +26,7 @@ use ruma::{
RoomVersionId, ServerName, UserId, RoomVersionId, ServerName, UserId,
}; };
use tokio::sync::{broadcast, watch::Receiver, Mutex, RwLock, Semaphore}; use tokio::sync::{broadcast, watch::Receiver, Mutex, RwLock, Semaphore};
use tracing::{error, info}; use tracing::{error, info, trace};
use tracing_subscriber::{EnvFilter, Registry}; use tracing_subscriber::{EnvFilter, Registry};
use url::Url; use url::Url;
@ -46,6 +47,7 @@ pub struct Service<'a> {
pub tracing_reload_handle: tracing_subscriber::reload::Handle<EnvFilter, Registry>, pub tracing_reload_handle: tracing_subscriber::reload::Handle<EnvFilter, Registry>,
pub config: Config, pub config: Config,
pub cidr_range_denylist: Vec<IPAddress>,
keypair: Arc<ruma::signatures::Ed25519KeyPair>, keypair: Arc<ruma::signatures::Ed25519KeyPair>,
jwt_decoding_key: Option<jsonwebtoken::DecodingKey>, jwt_decoding_key: Option<jsonwebtoken::DecodingKey>,
pub resolver: Arc<resolver::Resolver>, pub resolver: Arc<resolver::Resolver>,
@ -138,10 +140,18 @@ impl Service<'_> {
argon2::Params::new(19456, 2, 1, None).expect("valid parameters"), argon2::Params::new(19456, 2, 1, None).expect("valid parameters"),
); );
let mut cidr_range_denylist = Vec::new();
for cidr in config.ip_range_denylist.clone() {
let cidr = IPAddress::parse(cidr).expect("valid cidr range");
trace!("Denied CIDR range: {:?}", cidr);
cidr_range_denylist.push(cidr);
}
let mut s = Self { let mut s = Self {
tracing_reload_handle, tracing_reload_handle,
db, db,
config: config.clone(), config: config.clone(),
cidr_range_denylist,
keypair: Arc::new(keypair), keypair: Arc::new(keypair),
resolver: resolver.clone(), resolver: resolver.clone(),
client: client::Client::new(config, &resolver), client: client::Client::new(config, &resolver),
@ -424,6 +434,16 @@ impl Service<'_> {
pub fn unix_socket_path(&self) -> &Option<PathBuf> { &self.config.unix_socket_path } pub fn unix_socket_path(&self) -> &Option<PathBuf> { &self.config.unix_socket_path }
pub fn valid_cidr_range(&self, ip: &IPAddress) -> bool {
for cidr in &self.cidr_range_denylist {
if cidr.includes(ip) {
return false;
}
}
true
}
pub fn shutdown(&self) { pub fn shutdown(&self) {
self.shutdown.store(true, atomic::Ordering::Relaxed); self.shutdown.store(true, atomic::Ordering::Relaxed);
// On shutdown // On shutdown

13
src/service/sending/send.rs
View file

@ -536,17 +536,8 @@ fn validate_destination_ip_literal(destination: &ServerName) -> Result<()> {
} }
fn validate_ip(ip: &IPAddress) -> Result<()> { fn validate_ip(ip: &IPAddress) -> Result<()> {
let cidr_ranges_s = services().globals.ip_range_denylist().to_vec(); if !services().globals.valid_cidr_range(ip) {
let mut cidr_ranges: Vec<IPAddress> = Vec::new(); return Err(Error::BadServerResponse("Not allowed to send requests to this IP"));
for cidr in cidr_ranges_s {
cidr_ranges.push(IPAddress::parse(cidr).expect("we checked this at startup"));
}
trace!("List of pushed CIDR ranges: {:?}", cidr_ranges);
for cidr in cidr_ranges {
if cidr.includes(ip) {
return Err(Error::BadServerResponse("Not allowed to send requests to this IP"));
}
} }
Ok(()) Ok(())