change forbidden_server_names and etc to allow regex patterns for wildcards

Signed-off-by: June Clementine Strawberry <june@3.dog>
2025-04-06 15:25:11 -04:00 · 2025-04-06 15:25:11 -04:00 · d5ad973464
commit d5ad973464
parent ff276a42a3
13 changed files with 79 additions and 71 deletions
--- a/src/api/client/directory.rs
+++ b/src/api/client/directory.rs
@ -52,10 +52,13 @@ pub(crate) async fn get_public_rooms_filtered_route(
 ) -> Result<get_public_rooms_filtered::v3::Response> {
 	if let Some(server) = &body.server {
 		if services
-			.server
 			.config
 			.forbidden_remote_room_directory_server_names
-			.contains(server)
+			.is_match(server.host())
+			|| services
+				.config
+				.forbidden_remote_server_names
+				.is_match(server.host())
 		{
 			return Err!(Request(Forbidden("Server is banned on this homeserver.")));
 		}
@ -90,10 +93,13 @@ pub(crate) async fn get_public_rooms_route(
 ) -> Result<get_public_rooms::v3::Response> {
 	if let Some(server) = &body.server {
 		if services
-			.server
 			.config
 			.forbidden_remote_room_directory_server_names
-			.contains(server)
+			.is_match(server.host())
+			|| services
+				.config
+				.forbidden_remote_server_names
+				.is_match(server.host())
 		{
 			return Err!(Request(Forbidden("Server is banned on this homeserver.")));
 		}
--- a/src/api/client/membership.rs
+++ b/src/api/client/membership.rs
@ -79,10 +79,9 @@ async fn banned_room_check(
 	if let Some(room_id) = room_id {
 		if services.rooms.metadata.is_banned(room_id).await
 			|| services
-				.server
 				.config
 				.forbidden_remote_server_names
-				.contains(&room_id.server_name().unwrap().to_owned())
+				.is_match(room_id.server_name().unwrap().host())
 		{
 			warn!(
 				"User {user_id} who is not an admin attempted to send an invite for or \
@ -120,10 +119,9 @@ async fn banned_room_check(
 		}
 	} else if let Some(server_name) = server_name {
 		if services
-			.server
 			.config
 			.forbidden_remote_server_names
-			.contains(&server_name.to_owned())
+			.is_match(server_name.host())
 		{
 			warn!(
 				"User {user_id} who is not an admin tried joining a room which has the server \
--- a/src/api/client/message.rs
+++ b/src/api/client/message.rs
@ -261,10 +261,9 @@ pub(crate) async fn is_ignored_pdu(
 	let ignored_type = IGNORED_MESSAGE_TYPES.binary_search(&pdu.kind).is_ok();

 	let ignored_server = services
-		.server
 		.config
 		.forbidden_remote_server_names
-		.contains(pdu.sender().server_name());
+		.is_match(pdu.sender().server_name().host());

 	if ignored_type
 		&& (ignored_server || services.users.user_is_ignored(&pdu.sender, user_id).await)
--- a/src/api/router/auth.rs
+++ b/src/api/router/auth.rs
@ -317,10 +317,9 @@ fn auth_server_checks(services: &Services, x_matrix: &XMatrix) -> Result<()> {

 	let origin = &x_matrix.origin;
 	if services
-		.server
 		.config
 		.forbidden_remote_server_names
-		.contains(origin)
+		.is_match(origin.host())
 	{
 		return Err!(Request(Forbidden(debug_warn!(
 			"Federation requests from {origin} denied."
--- a/src/api/server/invite.rs
+++ b/src/api/server/invite.rs
@ -38,20 +38,18 @@ pub(crate) async fn create_invite_route(

 	if let Some(server) = body.room_id.server_name() {
 		if services
-			.server
 			.config
 			.forbidden_remote_server_names
-			.contains(&server.to_owned())
+			.is_match(server.host())
 		{
 			return Err!(Request(Forbidden("Server is banned on this homeserver.")));
 		}
 	}

 	if services
-		.server
 		.config
 		.forbidden_remote_server_names
-		.contains(body.origin())
+		.is_match(body.origin().host())
 	{
 		warn!(
 			"Received federated/remote invite from banned server {} for room ID {}. Rejecting.",
--- a/src/api/server/make_join.rs
+++ b/src/api/server/make_join.rs
@ -42,10 +42,9 @@ pub(crate) async fn create_join_event_template_route(
 		.await?;

 	if services
-		.server
 		.config
 		.forbidden_remote_server_names
-		.contains(body.origin())
+		.is_match(body.origin().host())
 	{
 		warn!(
 			"Server {} for remote user {} tried joining room ID {} which has a server name that \
@ -59,10 +58,9 @@ pub(crate) async fn create_join_event_template_route(

 	if let Some(server) = body.room_id.server_name() {
 		if services
-			.server
 			.config
 			.forbidden_remote_server_names
-			.contains(&server.to_owned())
+			.is_match(server.host())
 		{
 			return Err!(Request(Forbidden(warn!(
 				"Room ID server name {server} is banned on this homeserver."
--- a/src/api/server/make_knock.rs
+++ b/src/api/server/make_knock.rs
@ -33,10 +33,9 @@ pub(crate) async fn create_knock_event_template_route(
 		.await?;

 	if services
-		.server
 		.config
 		.forbidden_remote_server_names
-		.contains(body.origin())
+		.is_match(body.origin().host())
 	{
 		warn!(
 			"Server {} for remote user {} tried knocking room ID {} which has a server name \
@ -50,10 +49,9 @@ pub(crate) async fn create_knock_event_template_route(

 	if let Some(server) = body.room_id.server_name() {
 		if services
-			.server
 			.config
 			.forbidden_remote_server_names
-			.contains(&server.to_owned())
+			.is_match(server.host())
 		{
 			return Err!(Request(Forbidden("Server is banned on this homeserver.")));
 		}
--- a/src/api/server/send_join.rs
+++ b/src/api/server/send_join.rs
@ -268,10 +268,9 @@ pub(crate) async fn create_join_event_v1_route(
 	body: Ruma<create_join_event::v1::Request>,
 ) -> Result<create_join_event::v1::Response> {
 	if services
-		.server
 		.config
 		.forbidden_remote_server_names
-		.contains(body.origin())
+		.is_match(body.origin().host())
 	{
 		warn!(
 			"Server {} tried joining room ID {} through us who has a server name that is \
@ -284,10 +283,9 @@ pub(crate) async fn create_join_event_v1_route(

 	if let Some(server) = body.room_id.server_name() {
 		if services
-			.server
 			.config
 			.forbidden_remote_server_names
-			.contains(&server.to_owned())
+			.is_match(server.host())
 		{
 			warn!(
 				"Server {} tried joining room ID {} through us which has a server name that is \
@ -316,20 +314,18 @@ pub(crate) async fn create_join_event_v2_route(
 	body: Ruma<create_join_event::v2::Request>,
 ) -> Result<create_join_event::v2::Response> {
 	if services
-		.server
 		.config
 		.forbidden_remote_server_names
-		.contains(body.origin())
+		.is_match(body.origin().host())
 	{
 		return Err!(Request(Forbidden("Server is banned on this homeserver.")));
 	}

 	if let Some(server) = body.room_id.server_name() {
 		if services
-			.server
 			.config
 			.forbidden_remote_server_names
-			.contains(&server.to_owned())
+			.is_match(server.host())
 		{
 			warn!(
 				"Server {} tried joining room ID {} through us which has a server name that is \
--- a/src/api/server/send_knock.rs
+++ b/src/api/server/send_knock.rs
@ -26,10 +26,9 @@ pub(crate) async fn create_knock_event_v1_route(
 	body: Ruma<send_knock::v1::Request>,
 ) -> Result<send_knock::v1::Response> {
 	if services
-		.server
 		.config
 		.forbidden_remote_server_names
-		.contains(body.origin())
+		.is_match(body.origin().host())
 	{
 		warn!(
 			"Server {} tried knocking room ID {} who has a server name that is globally \
@ -42,10 +41,9 @@ pub(crate) async fn create_knock_event_v1_route(

 	if let Some(server) = body.room_id.server_name() {
 		if services
-			.server
 			.config
 			.forbidden_remote_server_names
-			.contains(&server.to_owned())
+			.is_match(server.host())
 		{
 			warn!(
 				"Server {} tried knocking room ID {} which has a server name that is globally \
--- a/src/core/config/mod.rs
+++ b/src/core/config/mod.rs
@ -3,7 +3,7 @@ pub mod manager;
 pub mod proxy;

 use std::{
-	collections::{BTreeMap, BTreeSet, HashSet},
+	collections::{BTreeMap, BTreeSet},
 	net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr},
 	path::{Path, PathBuf},
 };
@ -715,7 +715,7 @@ pub struct Config {
 	/// Currently, conduwuit doesn't support inbound batched key requests, so
 	/// this list should only contain other Synapse servers.
 	///
-	/// example: ["matrix.org", "envs.net", "tchncs.de"]
+	/// example: ["matrix.org", "tchncs.de"]
 	///
 	/// default: ["matrix.org"]
 	#[serde(default = "default_trusted_servers")]
@ -1361,15 +1361,18 @@ pub struct Config {
 	#[serde(default)]
 	pub prune_missing_media: bool,

-	/// Vector list of servers that conduwuit will refuse to download remote
-	/// media from.
+	/// Vector list of regex patterns of server names that conduwuit will refuse
+	/// to download remote media from.
+	///
+	/// example: ["badserver\.tld$", "badphrase", "19dollarfortnitecards"]
 	///
 	/// default: []
-	#[serde(default)]
-	pub prevent_media_downloads_from: HashSet<OwnedServerName>,
+	#[serde(default, with = "serde_regex")]
+	pub prevent_media_downloads_from: RegexSet,

-	/// List of forbidden server names that we will block incoming AND outgoing
-	/// federation with, and block client room joins / remote user invites.
+	/// List of forbidden server names via regex patterns that we will block
+	/// incoming AND outgoing federation with, and block client room joins /
+	/// remote user invites.
 	///
 	/// This check is applied on the room ID, room alias, sender server name,
 	/// sender user's server name, inbound federation X-Matrix origin, and
@ -1377,17 +1380,21 @@ pub struct Config {
 	///
 	/// Basically "global" ACLs.
 	///
-	/// default: []
-	#[serde(default)]
-	pub forbidden_remote_server_names: HashSet<OwnedServerName>,
-
-	/// List of forbidden server names that we will block all outgoing federated
-	/// room directory requests for. Useful for preventing our users from
-	/// wandering into bad servers or spaces.
+	/// example: ["badserver\.tld$", "badphrase", "19dollarfortnitecards"]
 	///
 	/// default: []
-	#[serde(default = "HashSet::new")]
-	pub forbidden_remote_room_directory_server_names: HashSet<OwnedServerName>,
+	#[serde(default, with = "serde_regex")]
+	pub forbidden_remote_server_names: RegexSet,
+
+	/// List of forbidden server names via regex patterns that we will block all
+	/// outgoing federated room directory requests for. Useful for preventing
+	/// our users from wandering into bad servers or spaces.
+	///
+	/// example: ["badserver\.tld$", "badphrase", "19dollarfortnitecards"]
+	///
+	/// default: []
+	#[serde(default, with = "serde_regex")]
+	pub forbidden_remote_room_directory_server_names: RegexSet,

 	/// Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you
 	/// do not want conduwuit to send outbound requests to. Defaults to
@ -1508,11 +1515,10 @@ pub struct Config {
 	/// used, and startup as warnings if any room aliases in your database have
 	/// a forbidden room alias/ID.
 	///
-	/// example: ["19dollarfortnitecards", "b[4a]droom"]
+	/// example: ["19dollarfortnitecards", "b[4a]droom", "badphrase"]
 	///
 	/// default: []
-	#[serde(default)]
-	#[serde(with = "serde_regex")]
+	#[serde(default, with = "serde_regex")]
 	pub forbidden_alias_names: RegexSet,

 	/// List of forbidden username patterns/strings.
@ -1524,11 +1530,10 @@ pub struct Config {
 	/// startup as warnings if any local users in your database have a forbidden
 	/// username.
 	///
-	/// example: ["administrator", "b[a4]dusernam[3e]"]
+	/// example: ["administrator", "b[a4]dusernam[3e]", "badphrase"]
 	///
 	/// default: []
-	#[serde(default)]
-	#[serde(with = "serde_regex")]
+	#[serde(default, with = "serde_regex")]
 	pub forbidden_usernames: RegexSet,

 	/// Retry failed and incomplete messages to remote servers immediately upon
--- a/src/service/federation/execute.rs
+++ b/src/service/federation/execute.rs
@ -69,7 +69,7 @@ where
 		.server
 		.config
 		.forbidden_remote_server_names
-		.contains(dest)
+		.is_match(dest.host())
 	{
 		return Err!(Request(Forbidden(debug_warn!("Federation with {dest} is not allowed."))));
 	}
--- a/src/service/media/remote.rs
+++ b/src/service/media/remote.rs
@ -426,7 +426,13 @@ fn check_fetch_authorized(&self, mxc: &Mxc<'_>) -> Result<()> {
 		.server
 		.config
 		.prevent_media_downloads_from
-		.contains(mxc.server_name)
+		.is_match(mxc.server_name.host())
+		|| self
+			.services
+			.server
+			.config
+			.forbidden_remote_server_names
+			.is_match(mxc.server_name.host())
 	{
 		// we'll lie to the client and say the blocked server's media was not found and
 		// log. the client has no way of telling anyways so this is a security bonus.