
Add warnings to ip_range_blacklist usage with proxies #10129

Merged
merged 8 commits into from
Aug 3, 2021
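--- a/changelog.d/10129.bugfix
+++ b/changelog.d/10129.bugfix
@@ -0,0 +1 @@
+Add some clarification to the sample config file. Contributed by @Kentokamoto.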
4 changes: 4 additions & 0 deletions docs/sample_config.yaml
Expand Up @@ -193,6 +193,8 @@ presence:
#
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
#
# Note: The value is ignored when an HTTP proxy is in use
#
#ip_range_blacklist:
# - '127.0.0.0/8'
# - '10.0.0.0/8'
Expand Down Expand Up @@ -1008,6 +1010,8 @@ media_store_path: "DATADIR/media_store"
# This must be specified if url_preview_enabled is set. It is recommended that
# you uncomment the following list as a starting point.
#
# Note: The value is ignored when an HTTP proxy is in use
#
#url_preview_ip_range_blacklist:
# - '127.0.0.0/8'
# - '10.0.0.0/8'
24 changes: 19 additions & 5 deletions synapse/config/repository.py
Expand Up @@ -12,16 +12,20 @@
# See the License for the specific language governing permissions and
# limitations under the License.

import logging
import os
from collections import namedtuple
from typing import Dict, List
from urllib.request import getproxies_environment

from synapse.config.server import DEFAULT_IP_RANGE_BLACKLIST, generate_ip_set
from synapse.python_dependencies import DependencyException, check_requirements
from synapse.util.module_loader import load_module

from ._base import Config, ConfigError

logger = logging.getLogger(__name__)

DEFAULT_THUMBNAIL_SIZES = [
{"width": 32, "height": 32, "method": "crop"},
{"width": 96, "height": 96, "method": "crop"},
Expand All @@ -36,6 +40,9 @@
# method: %(method)s
"""

HTTP_PROXY_SET_WARNING = """\
The Synapse config url_preview_ip_range_blacklist will be ignored as an HTTP(s) proxy is configured."""

ThumbnailRequirement = namedtuple(
"ThumbnailRequirement", ["width", "height", "method", "media_type"]
)
Expand Down Expand Up @@ -180,12 +187,17 @@ def read_config(self, config, **kwargs):
e.message # noqa: B306, DependencyException.message is a property
)

proxy_env = getproxies_environment()
if "url_preview_ip_range_blacklist" not in config:
raise ConfigError(
"For security, you must specify an explicit target IP address "
"blacklist in url_preview_ip_range_blacklist for url previewing "
"to work"
)
if "http" not in proxy_env or "https" not in proxy_env:
raise ConfigError(
"For security, you must specify an explicit target IP address "
"blacklist in url_preview_ip_range_blacklist for url previewing "
"to work"
)
else:
if "http" in proxy_env or "https" in proxy_env:
logger.warning("".join(HTTP_PROXY_SET_WARNING))

# we always blacklist '0.0.0.0' and '::', which are supposed to be
# unroutable addresses.
Expand Down Expand Up @@ -288,6 +300,8 @@ def generate_config_section(self, data_dir_path, **kwargs):
# This must be specified if url_preview_enabled is set. It is recommended that
# you uncomment the following list as a starting point.
#
# Note: The value is ignored when an HTTP proxy is in use
#
#url_preview_ip_range_blacklist:
%(ip_range_blacklist)s

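Review bot: The two proxy conditions in the read_config hunk disagree: the ConfigError is waived only when both `http` and `https` are present in proxy_env, but the warning fires when either one is, so a deployment with only HTTP_PROXY set is told the blacklist "will be ignored" while its https previews still bypass the proxy and are still filtered (the sample-config note "ignored when an HTTP proxy is in use" has the same looseness). Deriving one `proxied = "http" in proxy_env and "https" in proxy_env` and using it for both branches keeps the waiver and the message consistent. getproxies_environment() also exposes NO_PROXY as the `no` key; if the proxy agent honours it (not visible here), hosts on that list are fetched directly, so omitting the blacklist should probably still be an error when `no` is set, or HTTP_PROXY_SET_WARNING should say that exempted hosts are not covered. `"".join(HTTP_PROXY_SET_WARNING)` only re-joins the string's characters, so `logger.warning(HTTP_PROXY_SET_WARNING)` is equivalent and clearer. read_config begins and ends outside the hunk.
```python
        proxy_env = getproxies_environment()
        # The blacklist is only redundant when every preview scheme goes via a proxy.
        proxied = "http" in proxy_env and "https" in proxy_env
        if "url_preview_ip_range_blacklist" not in config:
            # Hosts exempted via NO_PROXY ("no") are fetched directly, so keep requiring the list.
            if not proxied or "no" in proxy_env:
                raise ConfigError(
                    "For security, you must specify an explicit target IP address "
                    "blacklist in url_preview_ip_range_blacklist for url previewing "
                    "to work"
                )
        elif proxied:
            logger.warning(HTTP_PROXY_SET_WARNING)
        # … unchanged: 0.0.0.0 / :: blacklisting and the rest of read_config …
```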
2 changes: 2 additions & 0 deletions synapse/config/server.py
Expand Up @@ -959,6 +959,8 @@ def generate_config_section(
#
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
#
# Note: The value is ignored when an HTTP proxy is in use
#
#ip_range_blacklist:
%(ip_range_blacklist)s
