mirror of
https://github.com/girlbossceo/conduwuit.git
synced 2024-12-04 20:08:10 +00:00
optimize config denylists
Signed-off-by: Jason Volk <jason@zemos.net>
This commit is contained in:
parent
0d33959c2e
commit
231124e275
|
@ -37,14 +37,12 @@ pub(crate) async fn get_public_rooms_filtered_route(
|
|||
) -> Result<get_public_rooms_filtered::v3::Response> {
|
||||
if let Some(server) = &body.server {
|
||||
if services
|
||||
.globals
|
||||
.forbidden_remote_room_directory_server_names()
|
||||
.server
|
||||
.config
|
||||
.forbidden_remote_room_directory_server_names
|
||||
.contains(server)
|
||||
{
|
||||
return Err(Error::BadRequest(
|
||||
ErrorKind::forbidden(),
|
||||
"Server is banned on this homeserver.",
|
||||
));
|
||||
return Err!(Request(Forbidden("Server is banned on this homeserver.")));
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -77,14 +75,12 @@ pub(crate) async fn get_public_rooms_route(
|
|||
) -> Result<get_public_rooms::v3::Response> {
|
||||
if let Some(server) = &body.server {
|
||||
if services
|
||||
.globals
|
||||
.forbidden_remote_room_directory_server_names()
|
||||
.server
|
||||
.config
|
||||
.forbidden_remote_room_directory_server_names
|
||||
.contains(server)
|
||||
{
|
||||
return Err(Error::BadRequest(
|
||||
ErrorKind::forbidden(),
|
||||
"Server is banned on this homeserver.",
|
||||
));
|
||||
return Err!(Request(Forbidden("Server is banned on this homeserver.")));
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ pub mod check;
|
|||
pub mod proxy;
|
||||
|
||||
use std::{
|
||||
collections::{BTreeMap, BTreeSet},
|
||||
collections::{BTreeMap, BTreeSet, HashSet},
|
||||
fmt,
|
||||
net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr},
|
||||
path::PathBuf,
|
||||
|
@ -983,8 +983,8 @@ pub struct Config {
|
|||
|
||||
/// Vector list of servers that conduwuit will refuse to download remote
|
||||
/// media from. No default.
|
||||
#[serde(default = "Vec::new")]
|
||||
pub prevent_media_downloads_from: Vec<OwnedServerName>,
|
||||
#[serde(default = "HashSet::new")]
|
||||
pub prevent_media_downloads_from: HashSet<OwnedServerName>,
|
||||
|
||||
/// List of forbidden server names that we will block incoming AND outgoing
|
||||
/// federation with, and block client room joins / remote user invites.
|
||||
|
@ -994,14 +994,14 @@ pub struct Config {
|
|||
/// outbound federation handler.
|
||||
///
|
||||
/// Basically "global" ACLs. No default.
|
||||
#[serde(default = "Vec::new")]
|
||||
pub forbidden_remote_server_names: Vec<OwnedServerName>,
|
||||
#[serde(default = "HashSet::new")]
|
||||
pub forbidden_remote_server_names: HashSet<OwnedServerName>,
|
||||
|
||||
/// List of forbidden server names that we will block all outgoing federated
|
||||
/// room directory requests for. Useful for preventing our users from
|
||||
/// wandering into bad servers or spaces. No default.
|
||||
#[serde(default = "Vec::new")]
|
||||
pub forbidden_remote_room_directory_server_names: Vec<OwnedServerName>,
|
||||
#[serde(default = "HashSet::new")]
|
||||
pub forbidden_remote_room_directory_server_names: HashSet<OwnedServerName>,
|
||||
|
||||
/// Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you
|
||||
/// do not want conduwuit to send outbound requests to. Defaults to
|
||||
|
|
|
@ -252,10 +252,6 @@ impl Service {
|
|||
|
||||
pub fn allow_outgoing_read_receipts(&self) -> bool { self.config.allow_outgoing_read_receipts }
|
||||
|
||||
pub fn forbidden_remote_room_directory_server_names(&self) -> &[OwnedServerName] {
|
||||
&self.config.forbidden_remote_room_directory_server_names
|
||||
}
|
||||
|
||||
pub fn well_known_support_page(&self) -> &Option<Url> { &self.config.well_known.support_page }
|
||||
|
||||
pub fn well_known_support_role(&self) -> &Option<ContactRole> { &self.config.well_known.support_role }
|
||||
|
|
|
@ -382,8 +382,7 @@ fn check_fetch_authorized(&self, mxc: &Mxc<'_>) -> Result<()> {
|
|||
.server
|
||||
.config
|
||||
.prevent_media_downloads_from
|
||||
.iter()
|
||||
.any(|entry| entry == mxc.server_name)
|
||||
.contains(mxc.server_name)
|
||||
{
|
||||
// we'll lie to the client and say the blocked server's media was not found and
|
||||
// log. the client has no way of telling anyways so this is a security bonus.
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
use std::{fmt::Debug, mem};
|
||||
|
||||
use conduit::{
|
||||
debug, debug_error, debug_info, debug_warn, err, error::inspect_debug_log, implement, trace, utils::string::EMPTY,
|
||||
Err, Error, Result,
|
||||
debug, debug_error, debug_warn, err, error::inspect_debug_log, implement, trace, utils::string::EMPTY, Err, Error,
|
||||
Result,
|
||||
};
|
||||
use http::{header::AUTHORIZATION, HeaderValue};
|
||||
use ipaddress::IPAddress;
|
||||
|
@ -36,10 +36,9 @@ impl super::Service {
|
|||
.server
|
||||
.config
|
||||
.forbidden_remote_server_names
|
||||
.contains(&dest.to_owned())
|
||||
.contains(dest)
|
||||
{
|
||||
debug_info!("Refusing to send outbound federation request to {dest}");
|
||||
return Err!(Request(Forbidden("Federation with this homeserver is not allowed.")));
|
||||
return Err!(Request(Forbidden(debug_warn!("Federation with this {dest} is not allowed."))));
|
||||
}
|
||||
|
||||
let actual = self.services.resolver.get_actual_dest(dest).await?;
|
||||
|
|
Loading…
Reference in a new issue