Use the federation blacklist for requests to untrusted Identity Servers (#6000)

Uses a SimpleHttpClient instance equipped with the federation_ip_range_blacklist list for requests to identity servers provided by user input. Does not use a blacklist when contacting identity servers specified by account_threepid_delegates. The homeserver trusts the latter and we don't want to prevent homeserver admins from specifying delegates that are on internal IP addresses. Fixes #5935
2025-05-02 22:14:55 -04:00 · 2019-09-23 21:23:20 +02:00 · 2019-09-23 21:23:20 +02:00 · e08ea43463
commit e08ea43463
parent 1ea3ed7620
5 changed files with 28 additions and 4 deletions
--- a/synapse/handlers/identity.py
+++ b/synapse/handlers/identity.py
@ -31,6 +31,7 @@ from synapse.api.errors import (
    SynapseError,
 )
 from synapse.config.emailconfig import ThreepidBehaviour
+from synapse.http.client import SimpleHttpClient
 from synapse.util.stringutils import random_string

 from ._base import BaseHandler
@ -42,7 +43,12 @@ class IdentityHandler(BaseHandler):
    def __init__(self, hs):
        super(IdentityHandler, self).__init__(hs)

-        self.http_client = hs.get_simple_http_client()
+        self.http_client = SimpleHttpClient(hs)
+        # We create a blacklisting instance of SimpleHttpClient for contacting identity
+        # servers specified by clients
+        self.blacklisting_http_client = SimpleHttpClient(
+            hs, ip_blacklist=hs.config.federation_ip_range_blacklist
+        )
        self.federation_http_client = hs.get_http_client()
        self.hs = hs

@ -143,7 +149,9 @@ class IdentityHandler(BaseHandler):
            bind_url = "https://%s/_matrix/identity/api/v1/3pid/bind" % (id_server,)

        try:
-            data = yield self.http_client.post_json_get_json(
+            # Use the blacklisting http client as this call is only to identity servers
+            # provided by a client
+            data = yield self.blacklisting_http_client.post_json_get_json(
                bind_url, bind_data, headers=headers
            )

@ -246,7 +254,11 @@ class IdentityHandler(BaseHandler):
        headers = {b"Authorization": auth_headers}

        try:
-            yield self.http_client.post_json_get_json(url, content, headers)
+            # Use the blacklisting http client as this call is only to identity servers
+            # provided by a client
+            yield self.blacklisting_http_client.post_json_get_json(
+                url, content, headers
+            )
            changed = True
        except HttpResponseException as e:
            changed = False