forked from MirrorHub/synapse
Convert blacklisted IPv4 addresses to compatible IPv6 addresses. (#9240)
Also add a few more IP ranges to the default blacklist.
This commit is contained in:
parent
ff55300b91
commit
4ca054a4ea
5 changed files with 161 additions and 29 deletions
1
changelog.d/9240.misc
Normal file
1
changelog.d/9240.misc
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Deny access to additional IP addresses by default.
|
|
@ -169,6 +169,7 @@ pid_file: DATADIR/homeserver.pid
|
||||||
# - '100.64.0.0/10'
|
# - '100.64.0.0/10'
|
||||||
# - '192.0.0.0/24'
|
# - '192.0.0.0/24'
|
||||||
# - '169.254.0.0/16'
|
# - '169.254.0.0/16'
|
||||||
|
# - '192.88.99.0/24'
|
||||||
# - '198.18.0.0/15'
|
# - '198.18.0.0/15'
|
||||||
# - '192.0.2.0/24'
|
# - '192.0.2.0/24'
|
||||||
# - '198.51.100.0/24'
|
# - '198.51.100.0/24'
|
||||||
|
@ -177,6 +178,9 @@ pid_file: DATADIR/homeserver.pid
|
||||||
# - '::1/128'
|
# - '::1/128'
|
||||||
# - 'fe80::/10'
|
# - 'fe80::/10'
|
||||||
# - 'fc00::/7'
|
# - 'fc00::/7'
|
||||||
|
# - '2001:db8::/32'
|
||||||
|
# - 'ff00::/8'
|
||||||
|
# - 'fec0::/10'
|
||||||
|
|
||||||
# List of IP address CIDR ranges that should be allowed for federation,
|
# List of IP address CIDR ranges that should be allowed for federation,
|
||||||
# identity servers, push servers, and for checking key validity for
|
# identity servers, push servers, and for checking key validity for
|
||||||
|
@ -994,6 +998,7 @@ media_store_path: "DATADIR/media_store"
|
||||||
# - '100.64.0.0/10'
|
# - '100.64.0.0/10'
|
||||||
# - '192.0.0.0/24'
|
# - '192.0.0.0/24'
|
||||||
# - '169.254.0.0/16'
|
# - '169.254.0.0/16'
|
||||||
|
# - '192.88.99.0/24'
|
||||||
# - '198.18.0.0/15'
|
# - '198.18.0.0/15'
|
||||||
# - '192.0.2.0/24'
|
# - '192.0.2.0/24'
|
||||||
# - '198.51.100.0/24'
|
# - '198.51.100.0/24'
|
||||||
|
@ -1002,6 +1007,9 @@ media_store_path: "DATADIR/media_store"
|
||||||
# - '::1/128'
|
# - '::1/128'
|
||||||
# - 'fe80::/10'
|
# - 'fe80::/10'
|
||||||
# - 'fc00::/7'
|
# - 'fc00::/7'
|
||||||
|
# - '2001:db8::/32'
|
||||||
|
# - 'ff00::/8'
|
||||||
|
# - 'fec0::/10'
|
||||||
|
|
||||||
# List of IP address CIDR ranges that the URL preview spider is allowed
|
# List of IP address CIDR ranges that the URL preview spider is allowed
|
||||||
# to access even if they are specified in url_preview_ip_range_blacklist.
|
# to access even if they are specified in url_preview_ip_range_blacklist.
|
||||||
|
|
|
@ -17,9 +17,7 @@ import os
|
||||||
from collections import namedtuple
|
from collections import namedtuple
|
||||||
from typing import Dict, List
|
from typing import Dict, List
|
||||||
|
|
||||||
from netaddr import IPSet
|
from synapse.config.server import DEFAULT_IP_RANGE_BLACKLIST, generate_ip_set
|
||||||
|
|
||||||
from synapse.config.server import DEFAULT_IP_RANGE_BLACKLIST
|
|
||||||
from synapse.python_dependencies import DependencyException, check_requirements
|
from synapse.python_dependencies import DependencyException, check_requirements
|
||||||
from synapse.util.module_loader import load_module
|
from synapse.util.module_loader import load_module
|
||||||
|
|
||||||
|
@ -187,16 +185,17 @@ class ContentRepositoryConfig(Config):
|
||||||
"to work"
|
"to work"
|
||||||
)
|
)
|
||||||
|
|
||||||
self.url_preview_ip_range_blacklist = IPSet(
|
|
||||||
config["url_preview_ip_range_blacklist"]
|
|
||||||
)
|
|
||||||
|
|
||||||
# we always blacklist '0.0.0.0' and '::', which are supposed to be
|
# we always blacklist '0.0.0.0' and '::', which are supposed to be
|
||||||
# unroutable addresses.
|
# unroutable addresses.
|
||||||
self.url_preview_ip_range_blacklist.update(["0.0.0.0", "::"])
|
self.url_preview_ip_range_blacklist = generate_ip_set(
|
||||||
|
config["url_preview_ip_range_blacklist"],
|
||||||
|
["0.0.0.0", "::"],
|
||||||
|
config_path=("url_preview_ip_range_blacklist",),
|
||||||
|
)
|
||||||
|
|
||||||
self.url_preview_ip_range_whitelist = IPSet(
|
self.url_preview_ip_range_whitelist = generate_ip_set(
|
||||||
config.get("url_preview_ip_range_whitelist", ())
|
config.get("url_preview_ip_range_whitelist", ()),
|
||||||
|
config_path=("url_preview_ip_range_whitelist",),
|
||||||
)
|
)
|
||||||
|
|
||||||
self.url_preview_url_blacklist = config.get("url_preview_url_blacklist", ())
|
self.url_preview_url_blacklist = config.get("url_preview_url_blacklist", ())
|
||||||
|
|
|
@ -15,6 +15,7 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
|
import itertools
|
||||||
import logging
|
import logging
|
||||||
import os.path
|
import os.path
|
||||||
import re
|
import re
|
||||||
|
@ -23,7 +24,7 @@ from typing import Any, Dict, Iterable, List, Optional, Set
|
||||||
|
|
||||||
import attr
|
import attr
|
||||||
import yaml
|
import yaml
|
||||||
from netaddr import IPSet
|
from netaddr import AddrFormatError, IPNetwork, IPSet
|
||||||
|
|
||||||
from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
|
from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
|
||||||
from synapse.util.stringutils import parse_and_validate_server_name
|
from synapse.util.stringutils import parse_and_validate_server_name
|
||||||
|
@ -40,6 +41,66 @@ logger = logging.Logger(__name__)
|
||||||
# in the list.
|
# in the list.
|
||||||
DEFAULT_BIND_ADDRESSES = ["::", "0.0.0.0"]
|
DEFAULT_BIND_ADDRESSES = ["::", "0.0.0.0"]
|
||||||
|
|
||||||
|
|
||||||
|
def _6to4(network: IPNetwork) -> IPNetwork:
|
||||||
|
"""Convert an IPv4 network into a 6to4 IPv6 network per RFC 3056."""
|
||||||
|
|
||||||
|
# 6to4 networks consist of:
|
||||||
|
# * 2002 as the first 16 bits
|
||||||
|
# * The first IPv4 address in the network hex-encoded as the next 32 bits
|
||||||
|
# * The new prefix length needs to include the bits from the 2002 prefix.
|
||||||
|
hex_network = hex(network.first)[2:]
|
||||||
|
hex_network = ("0" * (8 - len(hex_network))) + hex_network
|
||||||
|
return IPNetwork(
|
||||||
|
"2002:%s:%s::/%d" % (hex_network[:4], hex_network[4:], 16 + network.prefixlen,)
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def generate_ip_set(
|
||||||
|
ip_addresses: Optional[Iterable[str]],
|
||||||
|
extra_addresses: Optional[Iterable[str]] = None,
|
||||||
|
config_path: Optional[Iterable[str]] = None,
|
||||||
|
) -> IPSet:
|
||||||
|
"""
|
||||||
|
Generate an IPSet from a list of IP addresses or CIDRs.
|
||||||
|
|
||||||
|
Additionally, for each IPv4 network in the list of IP addresses, also
|
||||||
|
includes the corresponding IPv6 networks.
|
||||||
|
|
||||||
|
This includes:
|
||||||
|
|
||||||
|
* IPv4-Compatible IPv6 Address (see RFC 4291, section 2.5.5.1)
|
||||||
|
* IPv4-Mapped IPv6 Address (see RFC 4291, section 2.5.5.2)
|
||||||
|
* 6to4 Address (see RFC 3056, section 2)
|
||||||
|
|
||||||
|
Args:
|
||||||
|
ip_addresses: An iterable of IP addresses or CIDRs.
|
||||||
|
extra_addresses: An iterable of IP addresses or CIDRs.
|
||||||
|
config_path: The path in the configuration for error messages.
|
||||||
|
|
||||||
|
Returns:
|
||||||
|
A new IP set.
|
||||||
|
"""
|
||||||
|
result = IPSet()
|
||||||
|
for ip in itertools.chain(ip_addresses or (), extra_addresses or ()):
|
||||||
|
try:
|
||||||
|
network = IPNetwork(ip)
|
||||||
|
except AddrFormatError as e:
|
||||||
|
raise ConfigError(
|
||||||
|
"Invalid IP range provided: %s." % (ip,), config_path
|
||||||
|
) from e
|
||||||
|
result.add(network)
|
||||||
|
|
||||||
|
# It is possible that these already exist in the set, but that's OK.
|
||||||
|
if ":" not in str(network):
|
||||||
|
result.add(IPNetwork(network).ipv6(ipv4_compatible=True))
|
||||||
|
result.add(IPNetwork(network).ipv6(ipv4_compatible=False))
|
||||||
|
result.add(_6to4(network))
|
||||||
|
|
||||||
|
return result
|
||||||
|
|
||||||
|
|
||||||
|
# IP ranges that are considered private / unroutable / don't make sense.
|
||||||
DEFAULT_IP_RANGE_BLACKLIST = [
|
DEFAULT_IP_RANGE_BLACKLIST = [
|
||||||
# Localhost
|
# Localhost
|
||||||
"127.0.0.0/8",
|
"127.0.0.0/8",
|
||||||
|
@ -53,6 +114,8 @@ DEFAULT_IP_RANGE_BLACKLIST = [
|
||||||
"192.0.0.0/24",
|
"192.0.0.0/24",
|
||||||
# Link-local networks.
|
# Link-local networks.
|
||||||
"169.254.0.0/16",
|
"169.254.0.0/16",
|
||||||
|
# Formerly used for 6to4 relay.
|
||||||
|
"192.88.99.0/24",
|
||||||
# Testing networks.
|
# Testing networks.
|
||||||
"198.18.0.0/15",
|
"198.18.0.0/15",
|
||||||
"192.0.2.0/24",
|
"192.0.2.0/24",
|
||||||
|
@ -66,6 +129,12 @@ DEFAULT_IP_RANGE_BLACKLIST = [
|
||||||
"fe80::/10",
|
"fe80::/10",
|
||||||
# Unique local addresses.
|
# Unique local addresses.
|
||||||
"fc00::/7",
|
"fc00::/7",
|
||||||
|
# Testing networks.
|
||||||
|
"2001:db8::/32",
|
||||||
|
# Multicast.
|
||||||
|
"ff00::/8",
|
||||||
|
# Site-local addresses
|
||||||
|
"fec0::/10",
|
||||||
]
|
]
|
||||||
|
|
||||||
DEFAULT_ROOM_VERSION = "6"
|
DEFAULT_ROOM_VERSION = "6"
|
||||||
|
@ -294,17 +363,15 @@ class ServerConfig(Config):
|
||||||
)
|
)
|
||||||
|
|
||||||
# Attempt to create an IPSet from the given ranges
|
# Attempt to create an IPSet from the given ranges
|
||||||
try:
|
|
||||||
self.ip_range_blacklist = IPSet(ip_range_blacklist)
|
|
||||||
except Exception as e:
|
|
||||||
raise ConfigError("Invalid range(s) provided in ip_range_blacklist.") from e
|
|
||||||
# Always blacklist 0.0.0.0, ::
|
|
||||||
self.ip_range_blacklist.update(["0.0.0.0", "::"])
|
|
||||||
|
|
||||||
try:
|
# Always blacklist 0.0.0.0, ::
|
||||||
self.ip_range_whitelist = IPSet(config.get("ip_range_whitelist", ()))
|
self.ip_range_blacklist = generate_ip_set(
|
||||||
except Exception as e:
|
ip_range_blacklist, ["0.0.0.0", "::"], config_path=("ip_range_blacklist",)
|
||||||
raise ConfigError("Invalid range(s) provided in ip_range_whitelist.") from e
|
)
|
||||||
|
|
||||||
|
self.ip_range_whitelist = generate_ip_set(
|
||||||
|
config.get("ip_range_whitelist", ()), config_path=("ip_range_whitelist",)
|
||||||
|
)
|
||||||
|
|
||||||
# The federation_ip_range_blacklist is used for backwards-compatibility
|
# The federation_ip_range_blacklist is used for backwards-compatibility
|
||||||
# and only applies to federation and identity servers. If it is not given,
|
# and only applies to federation and identity servers. If it is not given,
|
||||||
|
@ -312,14 +379,12 @@ class ServerConfig(Config):
|
||||||
federation_ip_range_blacklist = config.get(
|
federation_ip_range_blacklist = config.get(
|
||||||
"federation_ip_range_blacklist", ip_range_blacklist
|
"federation_ip_range_blacklist", ip_range_blacklist
|
||||||
)
|
)
|
||||||
try:
|
|
||||||
self.federation_ip_range_blacklist = IPSet(federation_ip_range_blacklist)
|
|
||||||
except Exception as e:
|
|
||||||
raise ConfigError(
|
|
||||||
"Invalid range(s) provided in federation_ip_range_blacklist."
|
|
||||||
) from e
|
|
||||||
# Always blacklist 0.0.0.0, ::
|
# Always blacklist 0.0.0.0, ::
|
||||||
self.federation_ip_range_blacklist.update(["0.0.0.0", "::"])
|
self.federation_ip_range_blacklist = generate_ip_set(
|
||||||
|
federation_ip_range_blacklist,
|
||||||
|
["0.0.0.0", "::"],
|
||||||
|
config_path=("federation_ip_range_blacklist",),
|
||||||
|
)
|
||||||
|
|
||||||
self.start_pushers = config.get("start_pushers", True)
|
self.start_pushers = config.get("start_pushers", True)
|
||||||
|
|
||||||
|
|
|
@ -15,7 +15,8 @@
|
||||||
|
|
||||||
import yaml
|
import yaml
|
||||||
|
|
||||||
from synapse.config.server import ServerConfig, is_threepid_reserved
|
from synapse.config._base import ConfigError
|
||||||
|
from synapse.config.server import ServerConfig, generate_ip_set, is_threepid_reserved
|
||||||
|
|
||||||
from tests import unittest
|
from tests import unittest
|
||||||
|
|
||||||
|
@ -128,3 +129,61 @@ class ServerConfigTestCase(unittest.TestCase):
|
||||||
)
|
)
|
||||||
|
|
||||||
self.assertEqual(conf["listeners"], expected_listeners)
|
self.assertEqual(conf["listeners"], expected_listeners)
|
||||||
|
|
||||||
|
|
||||||
|
class GenerateIpSetTestCase(unittest.TestCase):
|
||||||
|
def test_empty(self):
|
||||||
|
ip_set = generate_ip_set(())
|
||||||
|
self.assertFalse(ip_set)
|
||||||
|
|
||||||
|
ip_set = generate_ip_set((), ())
|
||||||
|
self.assertFalse(ip_set)
|
||||||
|
|
||||||
|
def test_generate(self):
|
||||||
|
"""Check adding IPv4 and IPv6 addresses."""
|
||||||
|
# IPv4 address
|
||||||
|
ip_set = generate_ip_set(("1.2.3.4",))
|
||||||
|
self.assertEqual(len(ip_set.iter_cidrs()), 4)
|
||||||
|
|
||||||
|
# IPv4 CIDR
|
||||||
|
ip_set = generate_ip_set(("1.2.3.4/24",))
|
||||||
|
self.assertEqual(len(ip_set.iter_cidrs()), 4)
|
||||||
|
|
||||||
|
# IPv6 address
|
||||||
|
ip_set = generate_ip_set(("2001:db8::8a2e:370:7334",))
|
||||||
|
self.assertEqual(len(ip_set.iter_cidrs()), 1)
|
||||||
|
|
||||||
|
# IPv6 CIDR
|
||||||
|
ip_set = generate_ip_set(("2001:db8::/104",))
|
||||||
|
self.assertEqual(len(ip_set.iter_cidrs()), 1)
|
||||||
|
|
||||||
|
# The addresses can overlap OK.
|
||||||
|
ip_set = generate_ip_set(("1.2.3.4", "::1.2.3.4"))
|
||||||
|
self.assertEqual(len(ip_set.iter_cidrs()), 4)
|
||||||
|
|
||||||
|
def test_extra(self):
|
||||||
|
"""Extra IP addresses are treated the same."""
|
||||||
|
ip_set = generate_ip_set((), ("1.2.3.4",))
|
||||||
|
self.assertEqual(len(ip_set.iter_cidrs()), 4)
|
||||||
|
|
||||||
|
ip_set = generate_ip_set(("1.1.1.1",), ("1.2.3.4",))
|
||||||
|
self.assertEqual(len(ip_set.iter_cidrs()), 8)
|
||||||
|
|
||||||
|
# They can duplicate without error.
|
||||||
|
ip_set = generate_ip_set(("1.2.3.4",), ("1.2.3.4",))
|
||||||
|
self.assertEqual(len(ip_set.iter_cidrs()), 4)
|
||||||
|
|
||||||
|
def test_bad_value(self):
|
||||||
|
"""An error should be raised if a bad value is passed in."""
|
||||||
|
with self.assertRaises(ConfigError):
|
||||||
|
generate_ip_set(("not-an-ip",))
|
||||||
|
|
||||||
|
with self.assertRaises(ConfigError):
|
||||||
|
generate_ip_set(("1.2.3.4/128",))
|
||||||
|
|
||||||
|
with self.assertRaises(ConfigError):
|
||||||
|
generate_ip_set((":::",))
|
||||||
|
|
||||||
|
# The following get treated as empty data.
|
||||||
|
self.assertFalse(generate_ip_set(None))
|
||||||
|
self.assertFalse(generate_ip_set({}))
|
||||||
|
|
Loading…
Reference in a new issue