From 52ccad04a667ad26a0200f63b37aac2ff376e777 Mon Sep 17 00:00:00 2001
From: strawberry
Date: Fri, 26 Jul 2024 00:45:23 -0400
Subject: [PATCH] apply `forbidden_remote_server_names` to outbound sending and inbound federation handling
Signed-off-by: strawberry
---
 conduwuit-example.toml | 8 +++++---
 src/api/router/auth.rs | 15 +++++++++++++--
 src/service/sending/send.rs | 13 ++++++++++++-
 3 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/conduwuit-example.toml b/conduwuit-example.toml
index fdf53783..553f62a1 100644
--- a/conduwuit-example.toml
+++ b/conduwuit-example.toml
@@ -224,9 +224,11 @@ registration_token = "change this token for something specific to your server"
 # No default.
 # forbidden_alias_names = []
-# List of forbidden server names that we will block all client room joins, incoming federated room directory requests, incoming federated invites for, and incoming federated joins. This check is applied on the room ID, room alias, sender server name, and sender user's server name.
-# Basically "global" ACLs. For our user (client) checks, admin users are allowed.
-# No default.
+# List of forbidden server names that we will block incoming AND outgoing federation with, and block client room joins / remote user invites.
+#
+# This check is applied on the room ID, room alias, sender server name, sender user's server name, inbound federation X-Matrix origin, and outbound federation handler.
+#
+# Basically "global" ACLs. No default.
 # forbidden_remote_server_names = []
 # List of forbidden server names that we will block all outgoing federated room directory requests for. Useful for preventing our users from wandering into bad servers or spaces.
diff --git a/src/api/router/auth.rs b/src/api/router/auth.rs
index 838c5e79..fe98e458 100644
--- a/src/api/router/auth.rs
+++ b/src/api/router/auth.rs
@@ -6,7 +6,7 @@ use axum_extra::{
 typed_header::TypedHeaderRejectionReason,
 TypedHeader,
 };
-use conduit::{warn, Err, Error, Result};
+use conduit::{debug_info, warn, Err, Error, Result};
 use http::uri::PathAndQuery;
 use ruma::{
 api::{client::error::ErrorKind, AuthScheme, Metadata},
@@ -185,7 +185,7 @@ fn auth_appservice(services: &Services, request: &Request, info: Box, ) -> Result {
- if !services.globals.allow_federation() {
+ if !services.server.config.allow_federation {
 return Err!(Config("allow_federation", "Federation is disabled."));
 }
@@ -206,6 +206,17 @@ async fn auth_server(
 })?;
 let origin = &x_matrix.origin;
+
+ if services
+ .server
+ .config
+ .forbidden_remote_server_names
+ .contains(origin)
+ {
+ debug_info!("Refusing to accept inbound federation request to {origin}");
+ return Err!(Request(Forbidden("Federation with this homeserver is not allowed.")));
+ }
+
 let signatures = BTreeMap::from_iter([(x_matrix.key.clone(), CanonicalJsonValue::String(x_matrix.sig.to_string()))]);
 let signatures = BTreeMap::from_iter([(
diff --git a/src/service/sending/send.rs b/src/service/sending/send.rs
index 8fd467f6..7feec613 100644
--- a/src/service/sending/send.rs
+++ b/src/service/sending/send.rs
@@ -1,7 +1,8 @@
 use std::{fmt::Debug, mem};
 use conduit::{
- debug, debug_error, debug_warn, err, error::inspect_debug_log, trace, utils::string::EMPTY, Err, Error, Result,
+ debug, debug_error, debug_info, debug_warn, err, error::inspect_debug_log, trace, utils::string::EMPTY, Err, Error,
+ Result,
 };
 use http::{header::AUTHORIZATION, HeaderValue};
 use ipaddress::IPAddress;
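Review bot: The new log line in the `auth_server` hunk of src/api/router/auth.rs says `inbound federation request to {origin}`, but `origin` is the sender named in the X-Matrix header, so it should read `debug_info!("Refusing to accept inbound federation request from {origin}");`. The check sits before the `signatures` map is built, so the origin being logged appears to be unverified at this point; a comment such as `// Deny-list check on the claimed origin, before signature verification` would stop later readers from treating this log entry as proof of who sent the request. `contains(origin)` is an exact match, so presumably a deny-list entry has to be written in the same form the peer presents (for example with an explicit port), which the config comment could state. The body of `auth_server` continues outside the hunk.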
@@ -31,6 +32,16 @@ impl super::Service {
 return Err!(Config("allow_federation", "Federation is disabled."));
 }
+ if self
+ .server
+ .config
+ .forbidden_remote_server_names
+ .contains(&dest.to_owned())
+ {
+ debug_info!("Refusing to send outbound federation request to {dest}");
+ return Err!(Request(Forbidden("Federation with this homeserver is not allowed.")));
+ }
+
 let actual = self.services.resolver.get_actual_dest(dest).await?;
 let request = self.prepare::(dest, &actual, req).await?;
 self.execute::(dest, &actual, request, client).await
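Review bot: `.contains(&dest.to_owned())` in the new outbound check makes an owned copy of the server name on every call only to perform a lookup; if the collection's element type implements `Borrow<ServerName>` (not visible here), `.contains(dest)` does the same test without the copy. The check is placed ahead of `get_actual_dest`, so no resolution or connection is attempted for a forbidden destination, and that ordering deserves a comment, e.g. `// Checked before resolving: no lookup or connection is made for a forbidden server.` The error returned is the same `Forbidden` request error used on the inbound side, so callers presumably cannot tell a local policy refusal from a remote 403; confirm that the sender's retry handling does not keep re-queuing requests to such destinations. The enclosing function starts outside the hunk.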