magmaus3/continuwuity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

support blocking servers from fetching remote media from

Browse source 
akin to synapse's `prevent_media_downloads_from`

Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
strawberry 2024-01-17 23:18:10 -05:00 committed by June
parent 1a06c8c9d3
commit 6ffc54e241
4 changed files with 39 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
DIFFERENCES.md
View file

@ -52,4 +52,5 @@
- Only follow 6 redirects total in our default reqwest ClientBuilder - Only follow 6 redirects total in our default reqwest ClientBuilder
- Generate passwords with 25 characters instead of 15 - Generate passwords with 25 characters instead of 15
- Add missing `reason` field to user ban events (`/ban`) - Add missing `reason` field to user ban events (`/ban`)
- For all [`/report`](https://spec.matrix.org/v1.9/client-server-api/#post_matrixclientv3roomsroomidreporteventid) requests: check if the reported event ID belongs to the reported room ID, raise report reasoning character limit to 750, fix broken formatting, make a small delayed random response per spec suggestion on privacy, and check if the sender user is in the reported room. - For all [`/report`](https://spec.matrix.org/v1.9/client-server-api/#post_matrixclientv3roomsroomidreporteventid) requests: check if the reported event ID belongs to the reported room ID, raise report reasoning character limit to 750, fix broken formatting, make a small delayed random response per spec suggestion on privacy, and check if the sender user is in the reported room.
- Support blocking servers from downloading remote media from

23
src/api/client_server/media.rs
View file

@ -8,6 +8,7 @@ use ruma::api::client::{
get_media_config, get_media_config,
}, },
}; };
use tracing::info;
/// generated MXC ID (`media-id`) length /// generated MXC ID (`media-id`) length
const MXC_LENGTH: usize = 32; const MXC_LENGTH: usize = 32;
@ -65,6 +66,17 @@ pub async fn get_remote_content(
server_name: &ruma::ServerName, server_name: &ruma::ServerName,
media_id: String, media_id: String,
) -> Result<get_content::v3::Response, Error> { ) -> Result<get_content::v3::Response, Error> {
// we'll lie to the client and say the blocked server's media was not found and log.
// the client has no way of telling anyways so this is a security bonus.
if services()
.globals
.prevent_media_downloads_from()
.contains(&server_name.to_owned())
{
info!("Received request for remote media `{}` but server is in our media server blocklist. Returning 404.", mxc);
return Err(Error::BadRequest(ErrorKind::NotFound, "Media not found."));
}
let content_response = services() let content_response = services()
.sending .sending
.send_federation_request( .send_federation_request(
@ -189,6 +201,17 @@ pub async fn get_content_thumbnail_route(
cross_origin_resource_policy: Some("cross-origin".to_owned()), cross_origin_resource_policy: Some("cross-origin".to_owned()),
}) })
} else if &*body.server_name != services().globals.server_name() && body.allow_remote { } else if &*body.server_name != services().globals.server_name() && body.allow_remote {
// we'll lie to the client and say the blocked server's media was not found and log.
// the client has no way of telling anyways so this is a security bonus.
if services()
.globals
.prevent_media_downloads_from()
.contains(&body.server_name.to_owned())
{
info!("Received request for remote media `{}` but server is in our media server blocklist. Returning 404.", mxc);
return Err(Error::BadRequest(ErrorKind::NotFound, "Media not found."));
}
let get_thumbnail_response = services() let get_thumbnail_response = services()
.sending .sending
.send_federation_request( .send_federation_request(

10
src/config/mod.rs
View file

@ -128,6 +128,9 @@ pub struct Config {
#[serde(default)] #[serde(default)]
pub allow_guest_registration: bool, pub allow_guest_registration: bool,
#[serde(default = "Vec::new")]
pub prevent_media_downloads_from: Vec<OwnedServerName>,
#[serde(flatten)] #[serde(flatten)]
pub catchall: BTreeMap<String, IgnoredAny>, pub catchall: BTreeMap<String, IgnoredAny>,
} }
@ -305,6 +308,13 @@ impl fmt::Display for Config {
"RocksDB database optimize for spinning disks", "RocksDB database optimize for spinning disks",
&self.rocksdb_optimize_for_spinning_disks.to_string(), &self.rocksdb_optimize_for_spinning_disks.to_string(),
), ),
("Prevent Media Downloads From", {
let mut lst = vec![];
for domain in &self.prevent_media_downloads_from {
lst.push(domain.host());
}
&lst.join(", ")
}),
]; ];
let mut msg: String = "Active config values:\n\n".to_owned(); let mut msg: String = "Active config values:\n\n".to_owned();

4
src/service/globals/mod.rs
View file

@ -423,6 +423,10 @@ impl Service<'_> {
self.config.rocksdb_optimize_for_spinning_disks self.config.rocksdb_optimize_for_spinning_disks
} }
pub fn prevent_media_downloads_from(&self) -> &[OwnedServerName] {
&self.config.prevent_media_downloads_from
}
pub fn supported_room_versions(&self) -> Vec<RoomVersionId> { pub fn supported_room_versions(&self) -> Vec<RoomVersionId> {
let mut room_versions: Vec<RoomVersionId> = vec![]; let mut room_versions: Vec<RoomVersionId> = vec![];
room_versions.extend(self.stable_room_versions.clone()); room_versions.extend(self.stable_room_versions.clone());