Blacklist 0.0.0.0 and :: by default for URL previews

This commit is contained in:
Richard van der Hoff 2019-05-03 13:46:50 +01:00
parent 35442efb75
commit 1a7104fde3
3 changed files with 28 additions and 15 deletions

1
changelog.d/5134.bugfix Normal file
View file

@ -0,0 +1 @@
Blacklist 0.0.0.0 and :: by default for URL previews. Thanks to @opnsec for identifying and responsibly disclosing this issue too!

View file

@ -506,11 +506,12 @@ uploads_path: "DATADIR/uploads"
# height: 600 # height: 600
# method: scale # method: scale
# Is the preview URL API enabled? If enabled, you *must* specify # Is the preview URL API enabled?
# an explicit url_preview_ip_range_blacklist of IPs that the spider is
# denied from accessing.
# #
#url_preview_enabled: false # 'false' by default: uncomment the following to enable it (and specify a
# url_preview_ip_range_blacklist blacklist).
#
#url_preview_enabled: true
# List of IP address CIDR ranges that the URL preview spider is denied # List of IP address CIDR ranges that the URL preview spider is denied
# from accessing. There are no defaults: you must explicitly # from accessing. There are no defaults: you must explicitly
@ -520,6 +521,9 @@ uploads_path: "DATADIR/uploads"
# synapse to issue arbitrary GET requests to your internal services, # synapse to issue arbitrary GET requests to your internal services,
# causing serious security issues. # causing serious security issues.
# #
# This must be specified if url_preview_enabled. It is recommended that you
# uncomment the following list as a starting point.
#
#url_preview_ip_range_blacklist: #url_preview_ip_range_blacklist:
# - '127.0.0.0/8' # - '127.0.0.0/8'
# - '10.0.0.0/8' # - '10.0.0.0/8'
@ -530,7 +534,7 @@ uploads_path: "DATADIR/uploads"
# - '::1/128' # - '::1/128'
# - 'fe80::/64' # - 'fe80::/64'
# - 'fc00::/7' # - 'fc00::/7'
#
# List of IP address CIDR ranges that the URL preview spider is allowed # List of IP address CIDR ranges that the URL preview spider is allowed
# to access even if they are specified in url_preview_ip_range_blacklist. # to access even if they are specified in url_preview_ip_range_blacklist.
# This is useful for specifying exceptions to wide-ranging blacklisted # This is useful for specifying exceptions to wide-ranging blacklisted

View file

@ -186,17 +186,21 @@ class ContentRepositoryConfig(Config):
except ImportError: except ImportError:
raise ConfigError(MISSING_NETADDR) raise ConfigError(MISSING_NETADDR)
if "url_preview_ip_range_blacklist" in config: if "url_preview_ip_range_blacklist" not in config:
self.url_preview_ip_range_blacklist = IPSet(
config["url_preview_ip_range_blacklist"]
)
else:
raise ConfigError( raise ConfigError(
"For security, you must specify an explicit target IP address " "For security, you must specify an explicit target IP address "
"blacklist in url_preview_ip_range_blacklist for url previewing " "blacklist in url_preview_ip_range_blacklist for url previewing "
"to work" "to work"
) )
self.url_preview_ip_range_blacklist = IPSet(
config["url_preview_ip_range_blacklist"]
)
# we always blacklist '0.0.0.0' and '::', which are supposed to be
# unroutable addresses.
self.url_preview_ip_range_blacklist.update(['0.0.0.0', '::'])
self.url_preview_ip_range_whitelist = IPSet( self.url_preview_ip_range_whitelist = IPSet(
config.get("url_preview_ip_range_whitelist", ()) config.get("url_preview_ip_range_whitelist", ())
) )
@ -260,11 +264,12 @@ class ContentRepositoryConfig(Config):
#thumbnail_sizes: #thumbnail_sizes:
%(formatted_thumbnail_sizes)s %(formatted_thumbnail_sizes)s
# Is the preview URL API enabled? If enabled, you *must* specify # Is the preview URL API enabled?
# an explicit url_preview_ip_range_blacklist of IPs that the spider is
# denied from accessing.
# #
#url_preview_enabled: false # 'false' by default: uncomment the following to enable it (and specify a
# url_preview_ip_range_blacklist blacklist).
#
#url_preview_enabled: true
# List of IP address CIDR ranges that the URL preview spider is denied # List of IP address CIDR ranges that the URL preview spider is denied
# from accessing. There are no defaults: you must explicitly # from accessing. There are no defaults: you must explicitly
@ -274,6 +279,9 @@ class ContentRepositoryConfig(Config):
# synapse to issue arbitrary GET requests to your internal services, # synapse to issue arbitrary GET requests to your internal services,
# causing serious security issues. # causing serious security issues.
# #
# This must be specified if url_preview_enabled. It is recommended that you
# uncomment the following list as a starting point.
#
#url_preview_ip_range_blacklist: #url_preview_ip_range_blacklist:
# - '127.0.0.0/8' # - '127.0.0.0/8'
# - '10.0.0.0/8' # - '10.0.0.0/8'
@ -284,7 +292,7 @@ class ContentRepositoryConfig(Config):
# - '::1/128' # - '::1/128'
# - 'fe80::/64' # - 'fe80::/64'
# - 'fc00::/7' # - 'fc00::/7'
#
# List of IP address CIDR ranges that the URL preview spider is allowed # List of IP address CIDR ranges that the URL preview spider is allowed
# to access even if they are specified in url_preview_ip_range_blacklist. # to access even if they are specified in url_preview_ip_range_blacklist.
# This is useful for specifying exceptions to wide-ranging blacklisted # This is useful for specifying exceptions to wide-ranging blacklisted