Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

URL preview IP blacklist doesn't work on IPv6 and isn't bulletproof #4242

Closed
hawkowl opened this issue Nov 30, 2018 · 1 comment
Closed

URL preview IP blacklist doesn't work on IPv6 and isn't bulletproof #4242

hawkowl opened this issue Nov 30, 2018 · 1 comment
Assignees
@hawkowl
Labels
Security

Comments

@hawkowl
Copy link
Contributor

hawkowl commented Nov 30, 2018

We need to have another look at this, especially after #4215 , which changes where the IP blacklist check is done, and is potentially vulnerable to an attack where a super low TTL or no DNS caching can have the check pass on a non whitelisted IP and then the request be made to a refetched DNS query which has a blacklisted IP.
@hawkowl hawkowl mentioned this issue Nov 30, 2018
Merged
@hawkowl
Copy link
Contributor Author

hawkowl commented Dec 21, 2018

#4215 fixes this.

@hawkowl hawkowl closed this as completed Dec 21, 2018
turt2live added a commit to t2bot/matrix-media-repo that referenced this issue May 4, 2019
@turt2live
Security: Ensure OpenGraph URL previews make requests to a validated IP
ce7259f 
See matrix-org/synapse#4242 for some information - we were previously vulnerable to the short TTL problem. If someone were to take sufficient control of DNS, they could trick us into doing requests to a blacklisted host.

This also fixes a vulnerability where OpenGraph images were not passed through the same validation rules.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@hawkowl hawkowl

Labels
Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@callahad @hawkowl