optimize config denylists

Signed-off-by: Jason Volk <jason@zemos.net>
This commit is contained in:
Jason Volk 2024-10-22 06:21:57 +00:00
parent 0d33959c2e
commit 231124e275
5 changed files with 20 additions and 30 deletions

View file

@ -37,14 +37,12 @@ pub(crate) async fn get_public_rooms_filtered_route(
) -> Result<get_public_rooms_filtered::v3::Response> {
if let Some(server) = &body.server {
if services
.globals
.forbidden_remote_room_directory_server_names()
.server
.config
.forbidden_remote_room_directory_server_names
.contains(server)
{
return Err(Error::BadRequest(
ErrorKind::forbidden(),
"Server is banned on this homeserver.",
));
return Err!(Request(Forbidden("Server is banned on this homeserver.")));
}
}
@ -77,14 +75,12 @@ pub(crate) async fn get_public_rooms_route(
) -> Result<get_public_rooms::v3::Response> {
if let Some(server) = &body.server {
if services
.globals
.forbidden_remote_room_directory_server_names()
.server
.config
.forbidden_remote_room_directory_server_names
.contains(server)
{
return Err(Error::BadRequest(
ErrorKind::forbidden(),
"Server is banned on this homeserver.",
));
return Err!(Request(Forbidden("Server is banned on this homeserver.")));
}
}

View file

@ -2,7 +2,7 @@ pub mod check;
pub mod proxy;
use std::{
collections::{BTreeMap, BTreeSet},
collections::{BTreeMap, BTreeSet, HashSet},
fmt,
net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr},
path::PathBuf,
@ -983,8 +983,8 @@ pub struct Config {
/// Vector list of servers that conduwuit will refuse to download remote
/// media from. No default.
#[serde(default = "Vec::new")]
pub prevent_media_downloads_from: Vec<OwnedServerName>,
#[serde(default = "HashSet::new")]
pub prevent_media_downloads_from: HashSet<OwnedServerName>,
/// List of forbidden server names that we will block incoming AND outgoing
/// federation with, and block client room joins / remote user invites.
@ -994,14 +994,14 @@ pub struct Config {
/// outbound federation handler.
///
/// Basically "global" ACLs. No default.
#[serde(default = "Vec::new")]
pub forbidden_remote_server_names: Vec<OwnedServerName>,
#[serde(default = "HashSet::new")]
pub forbidden_remote_server_names: HashSet<OwnedServerName>,
/// List of forbidden server names that we will block all outgoing federated
/// room directory requests for. Useful for preventing our users from
/// wandering into bad servers or spaces. No default.
#[serde(default = "Vec::new")]
pub forbidden_remote_room_directory_server_names: Vec<OwnedServerName>,
#[serde(default = "HashSet::new")]
pub forbidden_remote_room_directory_server_names: HashSet<OwnedServerName>,
/// Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you
/// do not want conduwuit to send outbound requests to. Defaults to

View file

@ -252,10 +252,6 @@ impl Service {
pub fn allow_outgoing_read_receipts(&self) -> bool { self.config.allow_outgoing_read_receipts }
pub fn forbidden_remote_room_directory_server_names(&self) -> &[OwnedServerName] {
&self.config.forbidden_remote_room_directory_server_names
}
pub fn well_known_support_page(&self) -> &Option<Url> { &self.config.well_known.support_page }
pub fn well_known_support_role(&self) -> &Option<ContactRole> { &self.config.well_known.support_role }

View file

@ -382,8 +382,7 @@ fn check_fetch_authorized(&self, mxc: &Mxc<'_>) -> Result<()> {
.server
.config
.prevent_media_downloads_from
.iter()
.any(|entry| entry == mxc.server_name)
.contains(mxc.server_name)
{
// we'll lie to the client and say the blocked server's media was not found and
// log. the client has no way of telling anyways so this is a security bonus.

View file

@ -1,8 +1,8 @@
use std::{fmt::Debug, mem};
use conduit::{
debug, debug_error, debug_info, debug_warn, err, error::inspect_debug_log, implement, trace, utils::string::EMPTY,
Err, Error, Result,
debug, debug_error, debug_warn, err, error::inspect_debug_log, implement, trace, utils::string::EMPTY, Err, Error,
Result,
};
use http::{header::AUTHORIZATION, HeaderValue};
use ipaddress::IPAddress;
@ -36,10 +36,9 @@ impl super::Service {
.server
.config
.forbidden_remote_server_names
.contains(&dest.to_owned())
.contains(dest)
{
debug_info!("Refusing to send outbound federation request to {dest}");
return Err!(Request(Forbidden("Federation with this homeserver is not allowed.")));
return Err!(Request(Forbidden(debug_warn!("Federation with this {dest} is not allowed."))));
}
let actual = self.services.resolver.get_actual_dest(dest).await?;