forbid requesting room directories or media of forbidden servers

Jade Ellis 2025-01-18 15:40:43 +00:00
parent 371103fb35
commit 81a797945b
No known key found for this signature in database
GPG key ID: 8705A2A3EBF77BD2
4 changed files with 13 additions and 1 deletions


@ -45,6 +45,7 @@ pub(crate) async fn get_public_rooms_filtered_route(
.config .config
.forbidden_remote_room_directory_server_names .forbidden_remote_room_directory_server_names
.contains(server) .contains(server)
|| services.moderation.is_remote_server_forbidden(server)
{ {
return Err!(Request(Forbidden("Server is banned on this homeserver."))); return Err!(Request(Forbidden("Server is banned on this homeserver.")));
} }
@ -87,6 +88,7 @@ pub(crate) async fn get_public_rooms_route(
.config .config
.forbidden_remote_room_directory_server_names .forbidden_remote_room_directory_server_names
.contains(server) .contains(server)
|| services.moderation.is_remote_server_forbidden(server)
{ {
return Err!(Request(Forbidden("Server is banned on this homeserver."))); return Err!(Request(Forbidden("Server is banned on this homeserver.")));
} }
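Review bot: The forbidden-server condition is now written out twice, once in `get_public_rooms_filtered_route` and again in `get_public_rooms_route` in the second hunk, so the two routes can drift apart the next time a block list is added or renamed. A small shared helper that takes `services` and `server` and returns whether `forbidden_remote_room_directory_server_names` or `is_remote_server_forbidden` matches would keep them in step; each call site would then read something like `if directory_server_forbidden(services, server) {`. Both functions start and end outside the hunks shown, so any other place that repeats this check is not visible here.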


@ -1324,6 +1324,8 @@ pub struct Config {
/// Vector list of servers that conduwuit will refuse to download remote /// Vector list of servers that conduwuit will refuse to download remote
/// media from. /// media from.
/// ///
/// This is in addition to `forbidden_remote_server_names`.
///
/// default: [] /// default: []
#[serde(default)] #[serde(default)]
pub prevent_media_downloads_from: HashSet<OwnedServerName>, pub prevent_media_downloads_from: HashSet<OwnedServerName>,
@ -1355,6 +1357,8 @@ pub struct Config {
/// room directory requests for. Useful for preventing our users from /// room directory requests for. Useful for preventing our users from
/// wandering into bad servers or spaces. /// wandering into bad servers or spaces.
/// ///
/// This is in addition to `forbidden_remote_server_names`.
///
/// default: [] /// default: []
#[serde(default = "HashSet::new")] #[serde(default = "HashSet::new")]
pub forbidden_remote_room_directory_server_names: HashSet<OwnedServerName>, pub forbidden_remote_room_directory_server_names: HashSet<OwnedServerName>,


@ -22,7 +22,7 @@ use tokio::{
use self::data::{Data, Metadata}; use self::data::{Data, Metadata};
pub use self::thumbnail::Dim; pub use self::thumbnail::Dim;
use crate::{client, globals, sending, Dep}; use crate::{client, globals, moderation, sending, Dep};
#[derive(Debug)] #[derive(Debug)]
pub struct FileMeta { pub struct FileMeta {
@ -42,6 +42,7 @@ struct Services {
client: Dep<client::Service>, client: Dep<client::Service>,
globals: Dep<globals::Service>, globals: Dep<globals::Service>,
sending: Dep<sending::Service>, sending: Dep<sending::Service>,
moderation: Dep<moderation::Service>,
} }
/// generated MXC ID (`media-id`) length /// generated MXC ID (`media-id`) length
@ -64,6 +65,7 @@ impl crate::Service for Service {
client: args.depend::<client::Service>("client"), client: args.depend::<client::Service>("client"),
globals: args.depend::<globals::Service>("globals"), globals: args.depend::<globals::Service>("globals"),
sending: args.depend::<sending::Service>("sending"), sending: args.depend::<sending::Service>("sending"),
moderation: args.depend::<moderation::Service>("moderation"),
}, },
})) }))
} }


@ -427,6 +427,10 @@ fn check_fetch_authorized(&self, mxc: &Mxc<'_>) -> Result<()> {
.config .config
.prevent_media_downloads_from .prevent_media_downloads_from
.contains(mxc.server_name) .contains(mxc.server_name)
|| self
.services
.moderation
.is_remote_server_forbidden(mxc.server_name)
{ {
// we'll lie to the client and say the blocked server's media was not found and // we'll lie to the client and say the blocked server's media was not found and
// log. the client has no way of telling anyways so this is a security bonus. // log. the client has no way of telling anyways so this is a security bonus.
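Review bot: The log that the comment under the new condition refers to may no longer tell an operator which list matched, because the `if` now fires for both `prevent_media_downloads_from` and `is_remote_server_forbidden(mxc.server_name)`. The log call itself is outside the hunk, so this is inferred; if it names only the media option, consider evaluating the moderation check into a local first, `let forbidden = self.services.moderation.is_remote_server_forbidden(mxc.server_name);`, and including that in the message. The comment could be brought up to date as well, for example `// blocked by prevent_media_downloads_from or the server-wide forbidden list: report not-found to the client and log which one matched`. `check_fetch_authorized` continues past the end of the hunk.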