optimize config denylists
Signed-off-by: Jason Volk <jason@zemos.net>
This commit is contained in:
Jason Volk
strawberry
parent
d35376a90c
commit
ca57dc7928
5 changed files with 20 additions and 30 deletions
|
|
@ -37,14 +37,12 @@ pub(crate) async fn get_public_rooms_filtered_route(
|
||||||
) -> Result<get_public_rooms_filtered::v3::Response> {
|
) -> Result<get_public_rooms_filtered::v3::Response> {
|
||||||
if let Some(server) = &body.server {
|
if let Some(server) = &body.server {
|
||||||
if services
|
if services
|
||||||
.globals
|
.server
|
||||||
.forbidden_remote_room_directory_server_names()
|
.config
|
||||||
|
.forbidden_remote_room_directory_server_names
|
||||||
.contains(server)
|
.contains(server)
|
||||||
{
|
{
|
||||||
return Err(Error::BadRequest(
|
return Err!(Request(Forbidden("Server is banned on this homeserver.")));
|
||||||
ErrorKind::forbidden(),
|
|
||||||
"Server is banned on this homeserver.",
|
|
||||||
));
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -77,14 +75,12 @@ pub(crate) async fn get_public_rooms_route(
|
||||||
) -> Result<get_public_rooms::v3::Response> {
|
) -> Result<get_public_rooms::v3::Response> {
|
||||||
if let Some(server) = &body.server {
|
if let Some(server) = &body.server {
|
||||||
if services
|
if services
|
||||||
.globals
|
.server
|
||||||
.forbidden_remote_room_directory_server_names()
|
.config
|
||||||
|
.forbidden_remote_room_directory_server_names
|
||||||
.contains(server)
|
.contains(server)
|
||||||
{
|
{
|
||||||
return Err(Error::BadRequest(
|
return Err!(Request(Forbidden("Server is banned on this homeserver.")));
|
||||||
ErrorKind::forbidden(),
|
|
||||||
"Server is banned on this homeserver.",
|
|
||||||
));
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@ pub mod check;
|
||||||
pub mod proxy;
|
pub mod proxy;
|
||||||
|
|
||||||
use std::{
|
use std::{
|
||||||
collections::{BTreeMap, BTreeSet},
|
collections::{BTreeMap, BTreeSet, HashSet},
|
||||||
fmt,
|
fmt,
|
||||||
net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr},
|
net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr},
|
||||||
path::PathBuf,
|
path::PathBuf,
|
||||||
|
|
@ -983,8 +983,8 @@ pub struct Config {
|
||||||
|
|
||||||
/// Vector list of servers that conduwuit will refuse to download remote
|
/// Vector list of servers that conduwuit will refuse to download remote
|
||||||
/// media from. No default.
|
/// media from. No default.
|
||||||
#[serde(default = "Vec::new")]
|
#[serde(default = "HashSet::new")]
|
||||||
pub prevent_media_downloads_from: Vec<OwnedServerName>,
|
pub prevent_media_downloads_from: HashSet<OwnedServerName>,
|
||||||
|
|
||||||
/// List of forbidden server names that we will block incoming AND outgoing
|
/// List of forbidden server names that we will block incoming AND outgoing
|
||||||
/// federation with, and block client room joins / remote user invites.
|
/// federation with, and block client room joins / remote user invites.
|
||||||
|
|
@ -994,14 +994,14 @@ pub struct Config {
|
||||||
/// outbound federation handler.
|
/// outbound federation handler.
|
||||||
///
|
///
|
||||||
/// Basically "global" ACLs. No default.
|
/// Basically "global" ACLs. No default.
|
||||||
#[serde(default = "Vec::new")]
|
#[serde(default = "HashSet::new")]
|
||||||
pub forbidden_remote_server_names: Vec<OwnedServerName>,
|
pub forbidden_remote_server_names: HashSet<OwnedServerName>,
|
||||||
|
|
||||||
/// List of forbidden server names that we will block all outgoing federated
|
/// List of forbidden server names that we will block all outgoing federated
|
||||||
/// room directory requests for. Useful for preventing our users from
|
/// room directory requests for. Useful for preventing our users from
|
||||||
/// wandering into bad servers or spaces. No default.
|
/// wandering into bad servers or spaces. No default.
|
||||||
#[serde(default = "Vec::new")]
|
#[serde(default = "HashSet::new")]
|
||||||
pub forbidden_remote_room_directory_server_names: Vec<OwnedServerName>,
|
pub forbidden_remote_room_directory_server_names: HashSet<OwnedServerName>,
|
||||||
|
|
||||||
/// Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you
|
/// Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you
|
||||||
/// do not want conduwuit to send outbound requests to. Defaults to
|
/// do not want conduwuit to send outbound requests to. Defaults to
|
||||||
|
|
|
||||||
|
|
@ -252,10 +252,6 @@ impl Service {
|
||||||
|
|
||||||
pub fn allow_outgoing_read_receipts(&self) -> bool { self.config.allow_outgoing_read_receipts }
|
pub fn allow_outgoing_read_receipts(&self) -> bool { self.config.allow_outgoing_read_receipts }
|
||||||
|
|
||||||
pub fn forbidden_remote_room_directory_server_names(&self) -> &[OwnedServerName] {
|
|
||||||
&self.config.forbidden_remote_room_directory_server_names
|
|
||||||
}
|
|
||||||
|
|
||||||
pub fn well_known_support_page(&self) -> &Option<Url> { &self.config.well_known.support_page }
|
pub fn well_known_support_page(&self) -> &Option<Url> { &self.config.well_known.support_page }
|
||||||
|
|
||||||
pub fn well_known_support_role(&self) -> &Option<ContactRole> { &self.config.well_known.support_role }
|
pub fn well_known_support_role(&self) -> &Option<ContactRole> { &self.config.well_known.support_role }
|
||||||
|
|
|
||||||
|
|
@ -382,8 +382,7 @@ fn check_fetch_authorized(&self, mxc: &Mxc<'_>) -> Result<()> {
|
||||||
.server
|
.server
|
||||||
.config
|
.config
|
||||||
.prevent_media_downloads_from
|
.prevent_media_downloads_from
|
||||||
.iter()
|
.contains(mxc.server_name)
|
||||||
.any(|entry| entry == mxc.server_name)
|
|
||||||
{
|
{
|
||||||
// we'll lie to the client and say the blocked server's media was not found and
|
// we'll lie to the client and say the blocked server's media was not found and
|
||||||
// log. the client has no way of telling anyways so this is a security bonus.
|
// log. the client has no way of telling anyways so this is a security bonus.
|
||||||
|
|
|
||||||
|
|
@ -1,8 +1,8 @@
|
||||||
use std::{fmt::Debug, mem};
|
use std::{fmt::Debug, mem};
|
||||||
|
|
||||||
use conduit::{
|
use conduit::{
|
||||||
debug, debug_error, debug_info, debug_warn, err, error::inspect_debug_log, implement, trace, utils::string::EMPTY,
|
debug, debug_error, debug_warn, err, error::inspect_debug_log, implement, trace, utils::string::EMPTY, Err, Error,
|
||||||
Err, Error, Result,
|
Result,
|
||||||
};
|
};
|
||||||
use http::{header::AUTHORIZATION, HeaderValue};
|
use http::{header::AUTHORIZATION, HeaderValue};
|
||||||
use ipaddress::IPAddress;
|
use ipaddress::IPAddress;
|
||||||
|
|
@ -36,10 +36,9 @@ impl super::Service {
|
||||||
.server
|
.server
|
||||||
.config
|
.config
|
||||||
.forbidden_remote_server_names
|
.forbidden_remote_server_names
|
||||||
.contains(&dest.to_owned())
|
.contains(dest)
|
||||||
{
|
{
|
||||||
debug_info!("Refusing to send outbound federation request to {dest}");
|
return Err!(Request(Forbidden(debug_warn!("Federation with this {dest} is not allowed."))));
|
||||||
return Err!(Request(Forbidden("Federation with this homeserver is not allowed.")));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
let actual = self.services.resolver.get_actual_dest(dest).await?;
|
let actual = self.services.resolver.get_actual_dest(dest).await?;
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue