
Blacklist 0.0.0.0 and :: by default for URL previews #5134

Merged
merged 2 commits into from
May 3, 2019
1 change: 1 addition & 0 deletions changelog.d/5134.bugfix
@@ -0,0 +1 @@
Blacklist 0.0.0.0 and :: by default for URL previews. Thanks to @opnsec for identifying and responsibly disclosing this issue too!
14 changes: 9 additions & 5 deletions docs/sample_config.yaml
Expand Up @@ -506,11 +506,12 @@ uploads_path: "DATADIR/uploads"
# height: 600
# method: scale

# Is the preview URL API enabled? If enabled, you *must* specify
# an explicit url_preview_ip_range_blacklist of IPs that the spider is
# denied from accessing.
# Is the preview URL API enabled?
#
#url_preview_enabled: false
# 'false' by default: uncomment the following to enable it (and specify a
# url_preview_ip_range_blacklist blacklist).
#
#url_preview_enabled: true

# List of IP address CIDR ranges that the URL preview spider is denied
# from accessing. There are no defaults: you must explicitly
Expand All @@ -520,6 +521,9 @@ uploads_path: "DATADIR/uploads"
# synapse to issue arbitrary GET requests to your internal services,
# causing serious security issues.
#
# This must be specified if url_preview_enabled. It is recommended that you
# uncomment the following list as a starting point.
#
#url_preview_ip_range_blacklist:
# - '127.0.0.0/8'
# - '10.0.0.0/8'
Expand All @@ -530,7 +534,7 @@ uploads_path: "DATADIR/uploads"
# - '::1/128'
# - 'fe80::/64'
# - 'fc00::/7'
#

# List of IP address CIDR ranges that the URL preview spider is allowed
# to access even if they are specified in url_preview_ip_range_blacklist.
# This is useful for specifying exceptions to wide-ranging blacklisted
28 changes: 18 additions & 10 deletions synapse/config/repository.py
Expand Up @@ -186,17 +186,21 @@ def read_config(self, config):
except ImportError:
raise ConfigError(MISSING_NETADDR)

if "url_preview_ip_range_blacklist" in config:
self.url_preview_ip_range_blacklist = IPSet(
config["url_preview_ip_range_blacklist"]
)
else:
if "url_preview_ip_range_blacklist" not in config:
raise ConfigError(
"For security, you must specify an explicit target IP address "
"blacklist in url_preview_ip_range_blacklist for url previewing "
"to work"
)

self.url_preview_ip_range_blacklist = IPSet(
config["url_preview_ip_range_blacklist"]
)

# we always blacklist '0.0.0.0' and '::', which are supposed to be
# unroutable addresses.
self.url_preview_ip_range_blacklist.update(['0.0.0.0', '::'])

self.url_preview_ip_range_whitelist = IPSet(
config.get("url_preview_ip_range_whitelist", ())
)
Expand Down Expand Up @@ -260,11 +264,12 @@ def default_config(self, data_dir_path, **kwargs):
#thumbnail_sizes:
%(formatted_thumbnail_sizes)s

# Is the preview URL API enabled? If enabled, you *must* specify
# an explicit url_preview_ip_range_blacklist of IPs that the spider is
# denied from accessing.
# Is the preview URL API enabled?
#
#url_preview_enabled: false
# 'false' by default: uncomment the following to enable it (and specify a
# url_preview_ip_range_blacklist blacklist).
#
#url_preview_enabled: true

# List of IP address CIDR ranges that the URL preview spider is denied
# from accessing. There are no defaults: you must explicitly
Expand All @@ -274,6 +279,9 @@ def default_config(self, data_dir_path, **kwargs):
# synapse to issue arbitrary GET requests to your internal services,
# causing serious security issues.
#
# This must be specified if url_preview_enabled. It is recommended that you
# uncomment the following list as a starting point.
#
Wouldn't it be sensible to add something like "0.0.0.0 and :: are always blacklisted" somewhere around here?

probably.

done

#url_preview_ip_range_blacklist:
# - '127.0.0.0/8'
# - '10.0.0.0/8'
Expand All @@ -284,7 +292,7 @@ def default_config(self, data_dir_path, **kwargs):
# - '::1/128'
# - 'fe80::/64'
# - 'fc00::/7'
#

# List of IP address CIDR ranges that the URL preview spider is allowed
# to access even if they are specified in url_preview_ip_range_blacklist.
# This is useful for specifying exceptions to wide-ranging blacklisted
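Review bot: The forced `self.url_preview_ip_range_blacklist.update(['0.0.0.0', '::'])` in the first hunk of this file can still be undone by `url_preview_ip_range_whitelist`, which is read immediately afterwards and which the accompanying sample config describes as allowing access "even if they are specified in url_preview_ip_range_blacklist"; a whitelist that includes `0.0.0.0` or `::` would therefore re-allow exactly the two addresses this commit sets out to block. The precedence check itself appears to live outside this hunk, so if that reading is right, either strip those two addresses from the whitelist `IPSet` here or state in the comment that the whitelist is not subject to the forced entries. The comment would also be more useful if it gave the reason the entries are forced rather than only that they are "supposed to be unroutable", for example `# '0.0.0.0' and '::' are added unconditionally: although nominally unroutable, some network stacks deliver connections to them to the local host, so a user-supplied blacklist must not be able to omit them.` read_config's body begins before and continues after the hunk, so whether this runs only when url_preview_enabled is set cannot be confirmed from here.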