"global" ACLs config option, block room directory requests to forbidden servers

Signed-off-by: strawberry <strawberry@puppygock.gay>
2024-04-15 22:02:08 -04:00 · 2024-04-15 22:02:08 -04:00 · 97c63604fd
commit 97c63604fd
parent 47c43769d7
6 changed files with 284 additions and 2 deletions
--- a/src/api/client_server/directory.rs
+++ b/src/api/client_server/directory.rs
@ -34,6 +34,19 @@ use crate::{services, Error, Result, Ruma};
 pub async fn get_public_rooms_filtered_route(
 	body: Ruma<get_public_rooms_filtered::v3::Request>,
 ) -> Result<get_public_rooms_filtered::v3::Response> {
+	if let Some(server) = &body.server {
+		if services()
+			.globals
+			.forbidden_remote_room_directory_server_names()
+			.contains(server)
+		{
+			return Err(Error::BadRequest(
+				ErrorKind::forbidden(),
+				"Server is banned on this homeserver.",
+			));
+		}
+	}
+
 	let response = get_public_rooms_filtered_helper(
 		body.server.as_deref(),
 		body.limit,
@ -58,6 +71,19 @@ pub async fn get_public_rooms_filtered_route(
 pub async fn get_public_rooms_route(
 	body: Ruma<get_public_rooms::v3::Request>,
 ) -> Result<get_public_rooms::v3::Response> {
+	if let Some(server) = &body.server {
+		if services()
+			.globals
+			.forbidden_remote_room_directory_server_names()
+			.contains(server)
+		{
+			return Err(Error::BadRequest(
+				ErrorKind::forbidden(),
+				"Server is banned on this homeserver.",
+			));
+		}
+	}
+
 	let response = get_public_rooms_filtered_helper(
 		body.server.as_deref(),
 		body.limit,
--- a/src/api/client_server/membership.rs
+++ b/src/api/client_server/membership.rs
@ -55,6 +55,26 @@ pub async fn join_room_by_id_route(body: Ruma<join_room_by_id::v3::Request>) ->
 		));
 	}

+	if let Some(server) = body.room_id.server_name() {
+		if services()
+			.globals
+			.config
+			.forbidden_remote_server_names
+			.contains(&server.to_owned())
+			&& !services().users.is_admin(sender_user)?
+		{
+			warn!(
+				"User {sender_user} tried joining room ID {} which has a server name that is globally forbidden. \
+				 Rejecting.",
+				body.room_id
+			);
+			return Err(Error::BadRequest(
+				ErrorKind::forbidden(),
+				"This remote server is banned on this homeserver.",
+			));
+		}
+	}
+
 	// There is no body.server_name for /roomId/join
 	let mut servers = services()
 		.rooms
@ -112,6 +132,25 @@ pub async fn join_room_by_id_or_alias_route(
 				));
 			}

+			if let Some(server) = room_id.server_name() {
+				if services()
+					.globals
+					.config
+					.forbidden_remote_server_names
+					.contains(&server.to_owned())
+					&& !services().users.is_admin(sender_user)?
+				{
+					warn!(
+						"User {sender_user} tried joining room ID {room_id} which has a server name that is globally \
+						 forbidden. Rejecting.",
+					);
+					return Err(Error::BadRequest(
+						ErrorKind::forbidden(),
+						"This remote server is banned on this homeserver.",
+					));
+				}
+			}
+
 			let mut servers = body.server_name.clone();

 			servers.extend(
@ -136,13 +175,13 @@ pub async fn join_room_by_id_or_alias_route(
 			);

 			if let Some(server) = room_id.server_name() {
-				servers.push(server.into());
+				servers.push(server.to_owned());
 			}

 			(servers, room_id)
 		},
 		Err(room_alias) => {
-			let response = get_alias_helper(room_alias).await?;
+			let response = get_alias_helper(room_alias.clone()).await?;

 			if services().rooms.metadata.is_banned(&response.room_id)? && !services().users.is_admin(sender_user)? {
 				return Err(Error::BadRequest(
@ -151,6 +190,44 @@ pub async fn join_room_by_id_or_alias_route(
 				));
 			}

+			if services()
+				.globals
+				.config
+				.forbidden_remote_server_names
+				.contains(&room_alias.server_name().to_owned())
+				&& !services().users.is_admin(sender_user)?
+			{
+				warn!(
+					"User {sender_user} tried joining room alias {} with room ID {} which has a server name that is \
+					 globally forbidden. Rejecting.",
+					&room_alias, &response.room_id
+				);
+				return Err(Error::BadRequest(
+					ErrorKind::forbidden(),
+					"This remote server is banned on this homeserver.",
+				));
+			}
+
+			if let Some(server) = response.room_id.server_name() {
+				if services()
+					.globals
+					.config
+					.forbidden_remote_server_names
+					.contains(&server.to_owned())
+					&& !services().users.is_admin(sender_user)?
+				{
+					warn!(
+						"User {sender_user} tried joining room alias {} with room ID {} which has a server name that \
+						 is globally forbidden. Rejecting.",
+						&room_alias, &response.room_id
+					);
+					return Err(Error::BadRequest(
+						ErrorKind::forbidden(),
+						"This remote server is banned on this homeserver.",
+					));
+				}
+			}
+
 			(response.servers, response.room_id)
 		},
 	};
@ -210,6 +287,20 @@ pub async fn invite_user_route(body: Ruma<invite_user::v3::Request>) -> Result<i
 		));
 	}

+	if let Some(server) = body.room_id.server_name() {
+		if services()
+			.globals
+			.config
+			.forbidden_remote_server_names
+			.contains(&server.to_owned())
+		{
+			return Err(Error::BadRequest(
+				ErrorKind::forbidden(),
+				"Server is banned on this homeserver.",
+			));
+		}
+	}
+
 	if let invite_user::v3::InvitationRecipient::UserId {
 		user_id,
 	} = &body.recipient
--- a/src/api/server_server.rs
+++ b/src/api/server_server.rs
@ -908,6 +908,37 @@ pub async fn create_join_event_template_route(
 		.event_handler
 		.acl_check(sender_servername, &body.room_id)?;

+	if services()
+		.globals
+		.config
+		.forbidden_remote_server_names
+		.contains(sender_servername)
+	{
+		warn!(
+			"Server {sender_servername} for remote user {} tried joining room ID {} which has a server name that is \
+			 globally forbidden. Rejecting.",
+			&body.user_id, &body.room_id,
+		);
+		return Err(Error::BadRequest(
+			ErrorKind::forbidden(),
+			"Server is banned on this homeserver.",
+		));
+	}
+
+	if let Some(server) = body.room_id.server_name() {
+		if services()
+			.globals
+			.config
+			.forbidden_remote_server_names
+			.contains(&server.to_owned())
+		{
+			return Err(Error::BadRequest(
+				ErrorKind::forbidden(),
+				"Server is banned on this homeserver.",
+			));
+		}
+	}
+
 	let mutex_state = Arc::clone(
 		services()
 			.globals
@ -1201,6 +1232,42 @@ pub async fn create_join_event_v1_route(
 		.as_ref()
 		.expect("server is authenticated");

+	if services()
+		.globals
+		.config
+		.forbidden_remote_server_names
+		.contains(sender_servername)
+	{
+		warn!(
+			"Server {sender_servername} tried joining room ID {} who has a server name that is globally forbidden. \
+			 Rejecting.",
+			&body.room_id,
+		);
+		return Err(Error::BadRequest(
+			ErrorKind::forbidden(),
+			"Server is banned on this homeserver.",
+		));
+	}
+
+	if let Some(server) = body.room_id.server_name() {
+		if services()
+			.globals
+			.config
+			.forbidden_remote_server_names
+			.contains(&server.to_owned())
+		{
+			warn!(
+				"Server {sender_servername} tried joining room ID {} which has a server name that is globally \
+				 forbidden. Rejecting.",
+				&body.room_id,
+			);
+			return Err(Error::BadRequest(
+				ErrorKind::forbidden(),
+				"Server is banned on this homeserver.",
+			));
+		}
+	}
+
 	let room_state = create_join_event(sender_servername, &body.room_id, &body.pdu).await?;

 	Ok(create_join_event::v1::Response {
@ -1219,6 +1286,37 @@ pub async fn create_join_event_v2_route(
 		.as_ref()
 		.expect("server is authenticated");

+	if services()
+		.globals
+		.config
+		.forbidden_remote_server_names
+		.contains(sender_servername)
+	{
+		warn!(
+			"Server {sender_servername} tried joining room ID {} who has a server name that is globally forbidden. \
+			 Rejecting.",
+			&body.room_id,
+		);
+		return Err(Error::BadRequest(
+			ErrorKind::forbidden(),
+			"Server is banned on this homeserver.",
+		));
+	}
+
+	if let Some(server) = body.room_id.server_name() {
+		if services()
+			.globals
+			.config
+			.forbidden_remote_server_names
+			.contains(&server.to_owned())
+		{
+			return Err(Error::BadRequest(
+				ErrorKind::forbidden(),
+				"Server is banned on this homeserver.",
+			));
+		}
+	}
+
 	let create_join_event::v1::RoomState {
 		auth_chain,
 		state,
@ -1448,6 +1546,40 @@ pub async fn create_invite_route(body: Ruma<create_invite::v2::Request>) -> Resu
 		));
 	}

+	if let Some(server) = body.room_id.server_name() {
+		if services()
+			.globals
+			.config
+			.forbidden_remote_server_names
+			.contains(&server.to_owned())
+		{
+			warn!(
+				"Received federated/remote invite from banned server {sender_servername} for room ID {}. Rejecting.",
+				body.room_id
+			);
+			return Err(Error::BadRequest(
+				ErrorKind::forbidden(),
+				"Server is banned on this homeserver.",
+			));
+		}
+	}
+
+	if services()
+		.globals
+		.config
+		.forbidden_remote_server_names
+		.contains(&sender_servername.to_owned())
+	{
+		warn!(
+			"Received federated/remote invite from banned server {sender_servername} for room ID {}. Rejecting.",
+			body.room_id
+		);
+		return Err(Error::BadRequest(
+			ErrorKind::forbidden(),
+			"Server is banned on this homeserver.",
+		));
+	}
+
 	if let Some(via) = &body.via {
 		if via.is_empty() {
 			return Err(Error::BadRequest(ErrorKind::InvalidParam, "via field must not be empty."));
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@ -269,6 +269,10 @@ pub struct Config {

 	#[serde(default = "Vec::new")]
 	pub prevent_media_downloads_from: Vec<OwnedServerName>,
+	#[serde(default = "Vec::new")]
+	pub forbidden_remote_server_names: Vec<OwnedServerName>,
+	#[serde(default = "Vec::new")]
+	pub forbidden_remote_room_directory_server_names: Vec<OwnedServerName>,

 	#[serde(default = "default_ip_range_denylist")]
 	pub ip_range_denylist: Vec<String>,
@ -689,6 +693,20 @@ impl fmt::Display for Config {
 				}
 				&lst.join(", ")
 			}),
+			("Forbidden Remote Server Names (\"Global\" ACLs)", {
+				let mut lst = vec![];
+				for domain in &self.forbidden_remote_server_names {
+					lst.push(domain.host());
+				}
+				&lst.join(", ")
+			}),
+			("Forbidden Remote Room Directory Server Names", {
+				let mut lst = vec![];
+				for domain in &self.forbidden_remote_room_directory_server_names {
+					lst.push(domain.host());
+				}
+				&lst.join(", ")
+			}),
 			("Outbound Request IP Range Denylist", {
 				let mut lst = vec![];
 				for item in self.ip_range_denylist.iter().cloned().enumerate() {
--- a/src/service/globals/mod.rs
+++ b/src/service/globals/mod.rs
@ -323,6 +323,12 @@ impl Service<'_> {

 	pub fn prevent_media_downloads_from(&self) -> &[OwnedServerName] { &self.config.prevent_media_downloads_from }

+	pub fn forbidden_remote_server_names(&self) -> &[OwnedServerName] { &self.config.forbidden_remote_server_names }
+
+	pub fn forbidden_remote_room_directory_server_names(&self) -> &[OwnedServerName] {
+		&self.config.forbidden_remote_room_directory_server_names
+	}
+
 	pub fn ip_range_denylist(&self) -> &[String] { &self.config.ip_range_denylist }

 	pub fn well_known_support_page(&self) -> &Option<Url> { &self.config.well_known.support_page }