add a url_preview_ip_range_whitelist config param so we can whitelist the matrix.org IP space

This commit is contained in:
Matthew Hodgson 2016-05-01 12:44:24 +01:00
parent 56aae0eaf5
commit 792def4928
3 changed files with 27 additions and 7 deletions

View File

@ -100,6 +100,11 @@ class ContentRepositoryConfig(Config):
"to work" "to work"
) )
if "url_preview_ip_range_whitelist" in config:
self.url_preview_ip_range_whitelist = IPSet(
config["url_preview_ip_range_whitelist"]
)
if "url_preview_url_blacklist" in config: if "url_preview_url_blacklist" in config:
self.url_preview_url_blacklist = config["url_preview_url_blacklist"] self.url_preview_url_blacklist = config["url_preview_url_blacklist"]
@ -162,6 +167,15 @@ class ContentRepositoryConfig(Config):
# - '10.0.0.0/8' # - '10.0.0.0/8'
# - '172.16.0.0/12' # - '172.16.0.0/12'
# - '192.168.0.0/16' # - '192.168.0.0/16'
#
# List of IP address CIDR ranges that the URL preview spider is allowed
# to access even if they are specified in url_preview_ip_range_blacklist.
# This is useful for specifying exceptions to wide-ranging blacklisted
# target IP ranges - e.g. for enabling URL previews for a specific private
# website only visible in your network.
#
# url_preview_ip_range_whitelist:
# - '192.168.1.1'
# Optional list of URL matches that the URL preview spider is # Optional list of URL matches that the URL preview spider is
# denied from accessing. You should use url_preview_ip_range_blacklist # denied from accessing. You should use url_preview_ip_range_blacklist

View File

@ -380,13 +380,15 @@ class CaptchaServerHttpClient(SimpleHttpClient):
class SpiderEndpointFactory(object): class SpiderEndpointFactory(object):
def __init__(self, hs): def __init__(self, hs):
self.blacklist = hs.config.url_preview_ip_range_blacklist self.blacklist = hs.config.url_preview_ip_range_blacklist
if hasattr(hs.config, "url_preview_ip_range_whitelist"):
self.whitelist = hs.config.url_preview_ip_range_whitelist
self.policyForHTTPS = hs.get_http_client_context_factory() self.policyForHTTPS = hs.get_http_client_context_factory()
def endpointForURI(self, uri): def endpointForURI(self, uri):
logger.info("Getting endpoint for %s", uri.toBytes()) logger.info("Getting endpoint for %s", uri.toBytes())
if uri.scheme == "http": if uri.scheme == "http":
return SpiderEndpoint( return SpiderEndpoint(
reactor, uri.host, uri.port, self.blacklist, reactor, uri.host, uri.port, self.blacklist, self.whitelist,
endpoint=TCP4ClientEndpoint, endpoint=TCP4ClientEndpoint,
endpoint_kw_args={ endpoint_kw_args={
'timeout': 15 'timeout': 15
@ -395,7 +397,7 @@ class SpiderEndpointFactory(object):
elif uri.scheme == "https": elif uri.scheme == "https":
tlsPolicy = self.policyForHTTPS.creatorForNetloc(uri.host, uri.port) tlsPolicy = self.policyForHTTPS.creatorForNetloc(uri.host, uri.port)
return SpiderEndpoint( return SpiderEndpoint(
reactor, uri.host, uri.port, self.blacklist, reactor, uri.host, uri.port, self.blacklist, self.whitelist,
endpoint=SSL4ClientEndpoint, endpoint=SSL4ClientEndpoint,
endpoint_kw_args={ endpoint_kw_args={
'sslContextFactory': tlsPolicy, 'sslContextFactory': tlsPolicy,

View File

@ -79,12 +79,13 @@ class SpiderEndpoint(object):
"""An endpoint which refuses to connect to blacklisted IP addresses """An endpoint which refuses to connect to blacklisted IP addresses
Implements twisted.internet.interfaces.IStreamClientEndpoint. Implements twisted.internet.interfaces.IStreamClientEndpoint.
""" """
def __init__(self, reactor, host, port, blacklist, def __init__(self, reactor, host, port, blacklist, whitelist,
endpoint=TCP4ClientEndpoint, endpoint_kw_args={}): endpoint=TCP4ClientEndpoint, endpoint_kw_args={}):
self.reactor = reactor self.reactor = reactor
self.host = host self.host = host
self.port = port self.port = port
self.blacklist = blacklist self.blacklist = blacklist
self.whitelist = whitelist
self.endpoint = endpoint self.endpoint = endpoint
self.endpoint_kw_args = endpoint_kw_args self.endpoint_kw_args = endpoint_kw_args
@ -93,7 +94,10 @@ class SpiderEndpoint(object):
address = yield self.reactor.resolve(self.host) address = yield self.reactor.resolve(self.host)
from netaddr import IPAddress from netaddr import IPAddress
if IPAddress(address) in self.blacklist: ip_address = IPAddress(address)
if ip_address in self.blacklist:
if self.whitelist is None or ip_address not in self.whitelist:
raise ConnectError( raise ConnectError(
"Refusing to spider blacklisted IP address %s" % address "Refusing to spider blacklisted IP address %s" % address
) )