feat: URL preview support

from upstream MR https://gitlab.com/famedly/conduit/-/merge_requests/347 with the following changes (so far): - remove hardcoded list of allowed hosts (strongly disagree with this, even if it is desired, it should not be harcoded) - add more allow config options for granularity via URL contains, host contains, and domain is (explicit match) for security - warn if a user is allowing all URLs to be previewed for security reasons - replace an expect with proper error handling - bump webpage to 2.0 - improved code style a tad Co-authored-by: rooot <hey@rooot.gay> Signed-off-by: rooot <hey@rooot.gay> Signed-off-by: strawberry <strawberry@puppygock.gay>
2024-02-09 23:16:06 -05:00 · 2024-02-09 23:16:06 -05:00 · c0dd5b1cc2
commit c0dd5b1cc2
parent 6f26be1c6e
13 changed files with 821 additions and 41 deletions
--- a/src/main.rs
+++ b/src/main.rs
@ -148,8 +148,11 @@ async fn main() {
        error!(?error, "The database couldn't be loaded or created");
        return;
    };
+
    let config = &services().globals.config;

+    /* ad-hoc config validation/checks */
+
    // check if user specified valid IP CIDR ranges on startup
    for cidr in services().globals.ip_range_denylist() {
        let _ = ipaddress::IPAddress::parse(cidr)
@ -179,6 +182,27 @@ async fn main() {
        warn!("! Outgoing federated presence is not spec compliant due to relying on PDUs and EDUs combined.\nOutgoing presence will not be very reliable due to this and any issues with federated outgoing presence are very likely attributed to this issue.\nIncoming presence and local presence are unaffected.");
    }

+    if config
+        .url_preview_domain_contains_allowlist
+        .contains(&"*".to_owned())
+    {
+        warn!("All URLs are allowed for URL previews via setting \"url_preview_domain_contains_allowlist\" to \"*\". This opens up significant attack surface to your server. You are expected to be aware of the risks by doing this.");
+    }
+    if config
+        .url_preview_domain_explicit_allowlist
+        .contains(&"*".to_owned())
+    {
+        warn!("All URLs are allowed for URL previews via setting \"url_preview_domain_explicit_allowlist\" to \"*\". This opens up significant attack surface to your server. You are expected to be aware of the risks by doing this.");
+    }
+    if config
+        .url_preview_url_contains_allowlist
+        .contains(&"*".to_owned())
+    {
+        warn!("All URLs are allowed for URL previews via setting \"url_preview_url_contains_allowlist\" to \"*\". This opens up significant attack surface to your server. You are expected to be aware of the risks by doing this.");
+    }
+
+    /* end ad-hoc config validation/checks */
+
    info!("Starting server");
    if let Err(e) = run_server().await {
        error!("Critical error running server: {}", e);
@ -464,6 +488,7 @@ fn routes() -> Router {
        .ruma_route(client_server::turn_server_route)
        .ruma_route(client_server::send_event_to_device_route)
        .ruma_route(client_server::get_media_config_route)
+        .ruma_route(client_server::get_media_preview_route)
        .ruma_route(client_server::create_content_route)
        .ruma_route(client_server::get_content_route)
        .ruma_route(client_server::get_content_as_filename_route)