Ability to blacklist ip ranges for federation traffic

changelog.d/5043.feature

@@ -0,0 +1 @@
+Add ability to blacklist IP ranges for the federation client.

docs/sample_config.yaml

@@ -101,6 +101,20 @@ pid_file: DATADIR/homeserver.pid
 #  - nyc.example.com
 #  - syd.example.com
 
+# Prevent federation requests from being sent to the following
+# blacklist IP address CIDR ranges.
+#
+#federation_ip_range_blacklist:
+#  - '127.0.0.0/8'
+#  - '10.0.0.0/8'
+#  - '172.16.0.0/12'
+#  - '192.168.0.0/16'
+#  - '100.64.0.0/10'
+#  - '169.254.0.0/16'
+#  - '::1/128'
+#  - 'fe80::/64'
+#  - 'fc00::/7'
+
 # List of ports that Synapse should listen on, their purpose and their
 # configuration.
 #

synapse/config/server.py

@@ -122,6 +122,30 @@ def read_config(self, config):
             for domain in federation_domain_whitelist:
                 self.federation_domain_whitelist[domain] = True
 
+        self.federation_ip_range_blacklist = config.get(
+            "federation_ip_range_blacklist", None,
+        )
+        if self.federation_ip_range_blacklist is not None:
+            # Import IPSet
+            try:
+                from netaddr import IPSet
+            except ImportError:
+                raise ConfigError(
+                    "Missing netaddr library. This is required to use "
+                    "federation_ip_range_blacklist"
+                )
+
+            # Attempt to create an IPSet from the given ranges
+            try:
+                self.federation_ip_range_blacklist = IPSet(
+                    self.federation_ip_range_blacklist
+                )
+            except Exception as e:
+                raise ConfigError(
+                    "Invalid range(s) provided in "
+                    "federation_ip_range_blacklist: %s" % e
+                )
+
         if self.public_baseurl is not None:
             if self.public_baseurl[-1] != '/':
                 self.public_baseurl += '/'
@@ -351,6 +375,20 @@ def default_config(self, server_name, data_dir_path, **kwargs):
         #  - nyc.example.com
         #  - syd.example.com
 
+        # Prevent federation requests from being sent to the following
+        # blacklist IP address CIDR ranges.
+        #
+        #federation_ip_range_blacklist:
+        #  - '127.0.0.0/8'
+        #  - '10.0.0.0/8'
+        #  - '172.16.0.0/12'
+        #  - '192.168.0.0/16'
+        #  - '100.64.0.0/10'
+        #  - '169.254.0.0/16'
+        #  - '::1/128'
+        #  - 'fe80::/64'
+        #  - 'fc00::/7'
+
         # List of ports that Synapse should listen on, their purpose and their
         # configuration.
         #

synapse/http/client.py

@@ -76,16 +76,18 @@ class IPBlacklistingResolver(object):
     addresses, preventing DNS rebinding attacks on URL preview.
     """
 
-    def __init__(self, reactor, ip_whitelist, ip_blacklist):
+    def __init__(self, reactor, ip_whitelist, ip_blacklist, federation=False):
         """
         Args:
             reactor (twisted.internet.reactor)
             ip_whitelist (netaddr.IPSet)
             ip_blacklist (netaddr.IPSet)
+            federation (bool): this resolver is for federation traffic
         """
         self._reactor = reactor
         self._ip_whitelist = ip_whitelist
         self._ip_blacklist = ip_blacklist
+        self._from_federation = federation
 
     def resolveHostName(self, recv, hostname, portNumber=0):
 
@@ -109,7 +111,12 @@ def addressResolved(address):
                     logger.info(
                         "Dropped %s from DNS resolution to %s" % (ip_address, hostname)
                     )
-                    raise SynapseError(403, "IP address blocked by IP blacklist entry")
+                    # Only raise a 403 if this request originated from a
+                    # client-server call
+                    if not self._from_federation:
+                        raise SynapseError(403,
+                                           "IP address blocked by IP blacklist entry")
+                    return
 
                 addresses.append(address)
 

synapse/http/matrixfederationclient.py

@@ -27,9 +27,11 @@
 from canonicaljson import encode_canonical_json
 from prometheus_client import Counter
 from signedjson.sign import sign_json
+from zope.interface import implementer
 
 from twisted.internet import defer, protocol
 from twisted.internet.error import DNSLookupError
+from twisted.internet.interfaces import IReactorPluggableNameResolver
 from twisted.internet.task import _EPSILON, Cooperator
 from twisted.web._newclient import ResponseDone
 from twisted.web.http_headers import Headers
@@ -44,6 +46,7 @@
     SynapseError,
 )
 from synapse.http import QuieterFileBodyProducer
+from synapse.http.client import BlacklistingAgentWrapper, IPBlacklistingResolver
 from synapse.http.federation.matrix_federation_agent import MatrixFederationAgent
 from synapse.util.async_helpers import timeout_deferred
 from synapse.util.logcontext import make_deferred_yieldable
@@ -172,19 +175,51 @@ def __init__(self, hs, tls_client_options_factory):
         self.hs = hs
         self.signing_key = hs.config.signing_key[0]
         self.server_name = hs.hostname
-        reactor = hs.get_reactor()
 
-        self.agent = MatrixFederationAgent(
-            hs.get_reactor(),
-            tls_client_options_factory,
-        )
+        if hs.config.federation_ip_range_blacklist is not None:
+            real_reactor = hs.get_reactor()
+            # If we have an IP blacklist, we need to use a DNS resolver which
+            # filters out blacklisted IP addresses, to prevent DNS rebinding.
+            nameResolver = IPBlacklistingResolver(
+                real_reactor, None, hs.config.federation_ip_range_blacklist,
+                federation=True,
+            )
+
+            @implementer(IReactorPluggableNameResolver)
+            class Reactor(object):
+                def __getattr__(_self, attr):
+                    if attr == "nameResolver":
+                        return nameResolver
+                    else:
+                        return getattr(real_reactor, attr)
+
+            self.reactor = Reactor()
+
+            self.agent = MatrixFederationAgent(
+                self.reactor,
+                tls_client_options_factory,
+            )
+
+            # Prevent direct connections to blacklisted IP addresses
+            self.agent = BlacklistingAgentWrapper(
+                self.agent, self.reactor,
+                ip_blacklist=hs.config.federation_ip_range_blacklist,
+            )
+        else:
+            self.reactor = hs.get_reactor()
+
+            self.agent = MatrixFederationAgent(
+                self.reactor,
+                tls_client_options_factory,
+            )
+
         self.clock = hs.get_clock()
         self._store = hs.get_datastore()
         self.version_string_bytes = hs.version_string.encode('ascii')
         self.default_timeout = 60
 
         def schedule(x):
-            reactor.callLater(_EPSILON, x)
+            self.reactor.callLater(_EPSILON, x)
 
         self._cooperator = Cooperator(scheduler=schedule)
 
@@ -370,7 +405,7 @@ def _send_request(
                             request_deferred = timeout_deferred(
                                 request_deferred,
                                 timeout=_sec_timeout,
-                                reactor=self.hs.get_reactor(),
+                                reactor=self.reactor,
                             )
 
                             response = yield request_deferred
@@ -397,7 +432,7 @@ def _send_request(
                         d = timeout_deferred(
                             d,
                             timeout=_sec_timeout,
-                            reactor=self.hs.get_reactor(),
+                            reactor=self.reactor,
                         )
 
                         try:
@@ -586,7 +621,7 @@ def put_json(self, destination, path, args={}, data={},
         )
 
         body = yield _handle_json_response(
-            self.hs.get_reactor(), self.default_timeout, request, response,
+            self.reactor, self.default_timeout, request, response,
         )
 
         defer.returnValue(body)
@@ -645,7 +680,7 @@ def post_json(self, destination, path, data={}, long_retries=False,
             _sec_timeout = self.default_timeout
 
         body = yield _handle_json_response(
-            self.hs.get_reactor(), _sec_timeout, request, response,
+            self.reactor, _sec_timeout, request, response,
         )
         defer.returnValue(body)
 
@@ -704,7 +739,7 @@ def get_json(self, destination, path, args=None, retry_on_dns_fail=True,
         )
 
         body = yield _handle_json_response(
-            self.hs.get_reactor(), self.default_timeout, request, response,
+            self.reactor, self.default_timeout, request, response,
         )
 
         defer.returnValue(body)
@@ -753,7 +788,7 @@ def delete_json(self, destination, path, long_retries=False,
         )
 
         body = yield _handle_json_response(
-            self.hs.get_reactor(), self.default_timeout, request, response,
+            self.reactor, self.default_timeout, request, response,
         )
         defer.returnValue(body)
 
@@ -801,7 +836,7 @@ def get_file(self, destination, path, output_stream, args={},
 
         try:
             d = _readBodyToFile(response, output_stream, max_size)
-            d.addTimeout(self.default_timeout, self.hs.get_reactor())
+            d.addTimeout(self.default_timeout, self.reactor)
             length = yield make_deferred_yieldable(d)
         except Exception as e:
             logger.warn(

tests/http/test_fedclient.py

@@ -78,7 +78,7 @@ def do_request():
         # Nothing happened yet
         self.assertNoResult(test_d)
 
-        # Make sure treq is trying to connect
+        # Make sure the req is trying to connect
         clients = self.reactor.tcpClients
         self.assertEqual(len(clients), 1)
         (host, port, factory, _timeout, _bindAddress) = clients[0]
@@ -211,6 +211,110 @@ def test_client_connect_no_response(self):
         self.assertIsInstance(f.value, RequestSendFailed)
         self.assertIsInstance(f.value.inner_exception, ResponseNeverReceived)
 
+    def test_client_ip_range_blacklist(self):
+        """Ensure that Synapse does not try to connect to blacklisted IPs"""
+        # Set up the ip_range blacklist
+        from netaddr import IPSet
+
+        self.hs.config.federation_ip_range_blacklist = IPSet([
+            "127.0.0.0/8",
+            "fe80::/64",
+        ])
+        self.reactor.lookups["internal"] = "127.0.0.1"
+        self.reactor.lookups["internalv6"] = "fe80:0:0:0:0:8a2e:370:7337"
+        self.reactor.lookups["fine"] = "10.20.30.40"
+        cl = MatrixFederationHttpClient(self.hs, None)
+
+        # Try making a GET request to a blacklisted IPv4 address
+        # ------------------------------------------------------
+        @defer.inlineCallbacks
+        def do_request():
+            with LoggingContext("one") as context:
+                fetch_d = cl.get_json("internal:8008", "foo/bar")
+
+                # Nothing happened yet
+                self.assertNoResult(fetch_d)
+
+                # should have reset logcontext to the sentinel
+                check_logcontext(LoggingContext.sentinel)
+
+                try:
+                    fetch_res = yield fetch_d
+                    defer.returnValue(fetch_res)
+                finally:
+                    check_logcontext(context)
+
+        # Make the request
+        d = do_request()
+        self.pump()
+
+        # Nothing has happened yet
+        self.assertNoResult(d)
+
+        # Check that it was unable to resolve the address
+        clients = self.reactor.tcpClients
+        self.assertEqual(len(clients), 0)
+
+        # Try making a POST request to a blacklisted IPv6 address
+        # -------------------------------------------------------
+        @defer.inlineCallbacks
+        def do_request():
+            with LoggingContext("one") as context:
+                fetch_d = cl.post_json("internalv6:8008", "foo/bar")
+
+                # Nothing happened yet
+                self.assertNoResult(fetch_d)
+
+                # should have reset logcontext to the sentinel
+                check_logcontext(LoggingContext.sentinel)
+
+                try:
+                    fetch_res = yield fetch_d
+                    defer.returnValue(fetch_res)
+                finally:
+                    check_logcontext(context)
+
+        # Make the request
+        d = do_request()
+        self.pump()
+
+        # Nothing has happened yet
+        self.assertNoResult(d)
+
+        # Check that it was unable to resolve the address
+        clients = self.reactor.tcpClients
+        self.assertEqual(len(clients), 0)
+
+        # Try making a GET request to a non-blacklisted IPv4 address
+        # ----------------------------------------------------------
+        @defer.inlineCallbacks
+        def do_request():
+            with LoggingContext("one") as context:
+                fetch_d = cl.post_json("fine:8008", "foo/bar")
+
+                # Nothing happened yet
+                self.assertNoResult(fetch_d)
+
+                # should have reset logcontext to the sentinel
+                check_logcontext(LoggingContext.sentinel)
+
+                try:
+                    fetch_res = yield fetch_d
+                    defer.returnValue(fetch_res)
+                finally:
+                    check_logcontext(context)
+
+        # Make the request
+        d = do_request()
+        self.pump()
+
+        # Nothing has happened yet
+        self.assertNoResult(d)
+
+        # Check that it was able to resolve the address
+        clients = self.reactor.tcpClients
+        self.assertEqual(len(clients), 1)
+
     def test_client_gets_headers(self):
         """
         Once the client gets the headers, _request returns successfully.