"global" ACLs config option, block room directory requests to forbidden servers

Signed-off-by: strawberry <strawberry@puppygock.gay>
2024-04-15 22:02:08 -04:00 · 2024-04-15 22:02:08 -04:00 · 97c63604fd
commit 97c63604fd
parent 47c43769d7
6 changed files with 284 additions and 2 deletions
--- a/src/api/client_server/directory.rs
+++ b/src/api/client_server/directory.rs
@ -34,6 +34,19 @@ use crate::{services, Error, Result, Ruma};
 pub async fn get_public_rooms_filtered_route(
 	body: Ruma<get_public_rooms_filtered::v3::Request>,
 ) -> Result<get_public_rooms_filtered::v3::Response> {
+	if let Some(server) = &body.server {
+		if services()
+			.globals
+			.forbidden_remote_room_directory_server_names()
+			.contains(server)
+		{
+			return Err(Error::BadRequest(
+				ErrorKind::forbidden(),
+				"Server is banned on this homeserver.",
+			));
+		}
+	}
+
 	let response = get_public_rooms_filtered_helper(
 		body.server.as_deref(),
 		body.limit,
@ -58,6 +71,19 @@ pub async fn get_public_rooms_filtered_route(
 pub async fn get_public_rooms_route(
 	body: Ruma<get_public_rooms::v3::Request>,
 ) -> Result<get_public_rooms::v3::Response> {
+	if let Some(server) = &body.server {
+		if services()
+			.globals
+			.forbidden_remote_room_directory_server_names()
+			.contains(server)
+		{
+			return Err(Error::BadRequest(
+				ErrorKind::forbidden(),
+				"Server is banned on this homeserver.",
+			));
+		}
+	}
+
 	let response = get_public_rooms_filtered_helper(
 		body.server.as_deref(),
 		body.limit,
--- a/src/api/client_server/membership.rs
+++ b/src/api/client_server/membership.rs
@ -55,6 +55,26 @@ pub async fn join_room_by_id_route(body: Ruma<join_room_by_id::v3::Request>) ->
 		));
 	}

+	if let Some(server) = body.room_id.server_name() {
+		if services()
+			.globals
+			.config
+			.forbidden_remote_server_names
+			.contains(&server.to_owned())
+			&& !services().users.is_admin(sender_user)?
+		{
+			warn!(
+				"User {sender_user} tried joining room ID {} which has a server name that is globally forbidden. \
+				 Rejecting.",
+				body.room_id
+			);
+			return Err(Error::BadRequest(
+				ErrorKind::forbidden(),
+				"This remote server is banned on this homeserver.",
+			));
+		}
+	}
+
 	// There is no body.server_name for /roomId/join
 	let mut servers = services()
 		.rooms
@ -112,6 +132,25 @@ pub async fn join_room_by_id_or_alias_route(
 				));
 			}

+			if let Some(server) = room_id.server_name() {
+				if services()
+					.globals
+					.config
+					.forbidden_remote_server_names
+					.contains(&server.to_owned())
+					&& !services().users.is_admin(sender_user)?
+				{
+					warn!(
+						"User {sender_user} tried joining room ID {room_id} which has a server name that is globally \
+						 forbidden. Rejecting.",
+					);
+					return Err(Error::BadRequest(
+						ErrorKind::forbidden(),
+						"This remote server is banned on this homeserver.",
+					));
+				}
+			}
+
 			let mut servers = body.server_name.clone();

 			servers.extend(
@ -136,13 +175,13 @@ pub async fn join_room_by_id_or_alias_route(
 			);

 			if let Some(server) = room_id.server_name() {
-				servers.push(server.into());
+				servers.push(server.to_owned());
 			}

 			(servers, room_id)
 		},
 		Err(room_alias) => {
-			let response = get_alias_helper(room_alias).await?;
+			let response = get_alias_helper(room_alias.clone()).await?;

 			if services().rooms.metadata.is_banned(&response.room_id)? && !services().users.is_admin(sender_user)? {
 				return Err(Error::BadRequest(
@ -151,6 +190,44 @@ pub async fn join_room_by_id_or_alias_route(
 				));
 			}

+			if services()
+				.globals
+				.config
+				.forbidden_remote_server_names
+				.contains(&room_alias.server_name().to_owned())
+				&& !services().users.is_admin(sender_user)?
+			{
+				warn!(
+					"User {sender_user} tried joining room alias {} with room ID {} which has a server name that is \
+					 globally forbidden. Rejecting.",
+					&room_alias, &response.room_id
+				);
+				return Err(Error::BadRequest(
+					ErrorKind::forbidden(),
+					"This remote server is banned on this homeserver.",
+				));
+			}
+
+			if let Some(server) = response.room_id.server_name() {
+				if services()
+					.globals
+					.config
+					.forbidden_remote_server_names
+					.contains(&server.to_owned())
+					&& !services().users.is_admin(sender_user)?
+				{
+					warn!(
+						"User {sender_user} tried joining room alias {} with room ID {} which has a server name that \
+						 is globally forbidden. Rejecting.",
+						&room_alias, &response.room_id
+					);
+					return Err(Error::BadRequest(
+						ErrorKind::forbidden(),
+						"This remote server is banned on this homeserver.",
+					));
+				}
+			}
+
 			(response.servers, response.room_id)
 		},
 	};
@ -210,6 +287,20 @@ pub async fn invite_user_route(body: Ruma<invite_user::v3::Request>) -> Result<i
 		));
 	}

+	if let Some(server) = body.room_id.server_name() {
+		if services()
+			.globals
+			.config
+			.forbidden_remote_server_names
+			.contains(&server.to_owned())
+		{
+			return Err(Error::BadRequest(
+				ErrorKind::forbidden(),
+				"Server is banned on this homeserver.",
+			));
+		}
+	}
+
 	if let invite_user::v3::InvitationRecipient::UserId {
 		user_id,
 	} = &body.recipient