Add warnings to ip_range_blacklist usage with proxies (#10129)

Per issue #9812 using `url_preview_ip_range_blacklist` with a proxy via `HTTPS_PROXY` or `HTTP_PROXY` environment variables has some inconsistent bahavior than mentioned. This PR changes the following:

- Changes the Sample Config file to include a note mentioning that `url_preview_ip_range_blacklist` and `ip_range_blacklist` is ignored when using a proxy
- Changes some logic in synapse/config/repository.py to send a warning when both `*ip_range_blacklist` configs and a proxy environment variable are set and but no longer throws an error.

Signed-off-by: Kento Okamoto <kentokamoto@protonmail.com>
This commit is contained in:
Kento Okamoto 2021-08-03 11:13:34 -07:00 committed by GitHub
parent 951648f26a
commit 72935b7c50
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 26 additions and 5 deletions

1
changelog.d/10129.bugfix Normal file
View File

@ -0,0 +1 @@
Add some clarification to the sample config file. Contributed by @Kentokamoto.

View File

@ -210,6 +210,8 @@ presence:
# #
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0. # This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
# #
# Note: The value is ignored when an HTTP proxy is in use
#
#ip_range_blacklist: #ip_range_blacklist:
# - '127.0.0.0/8' # - '127.0.0.0/8'
# - '10.0.0.0/8' # - '10.0.0.0/8'
@ -972,6 +974,8 @@ media_store_path: "DATADIR/media_store"
# This must be specified if url_preview_enabled is set. It is recommended that # This must be specified if url_preview_enabled is set. It is recommended that
# you uncomment the following list as a starting point. # you uncomment the following list as a starting point.
# #
# Note: The value is ignored when an HTTP proxy is in use
#
#url_preview_ip_range_blacklist: #url_preview_ip_range_blacklist:
# - '127.0.0.0/8' # - '127.0.0.0/8'
# - '10.0.0.0/8' # - '10.0.0.0/8'

View File

@ -12,9 +12,11 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
import logging
import os import os
from collections import namedtuple from collections import namedtuple
from typing import Dict, List from typing import Dict, List
from urllib.request import getproxies_environment # type: ignore
from synapse.config.server import DEFAULT_IP_RANGE_BLACKLIST, generate_ip_set from synapse.config.server import DEFAULT_IP_RANGE_BLACKLIST, generate_ip_set
from synapse.python_dependencies import DependencyException, check_requirements from synapse.python_dependencies import DependencyException, check_requirements
@ -22,6 +24,8 @@ from synapse.util.module_loader import load_module
from ._base import Config, ConfigError from ._base import Config, ConfigError
logger = logging.getLogger(__name__)
DEFAULT_THUMBNAIL_SIZES = [ DEFAULT_THUMBNAIL_SIZES = [
{"width": 32, "height": 32, "method": "crop"}, {"width": 32, "height": 32, "method": "crop"},
{"width": 96, "height": 96, "method": "crop"}, {"width": 96, "height": 96, "method": "crop"},
@ -36,6 +40,9 @@ THUMBNAIL_SIZE_YAML = """\
# method: %(method)s # method: %(method)s
""" """
HTTP_PROXY_SET_WARNING = """\
The Synapse config url_preview_ip_range_blacklist will be ignored as an HTTP(s) proxy is configured."""
ThumbnailRequirement = namedtuple( ThumbnailRequirement = namedtuple(
"ThumbnailRequirement", ["width", "height", "method", "media_type"] "ThumbnailRequirement", ["width", "height", "method", "media_type"]
) )
@ -180,12 +187,17 @@ class ContentRepositoryConfig(Config):
e.message # noqa: B306, DependencyException.message is a property e.message # noqa: B306, DependencyException.message is a property
) )
proxy_env = getproxies_environment()
if "url_preview_ip_range_blacklist" not in config: if "url_preview_ip_range_blacklist" not in config:
raise ConfigError( if "http" not in proxy_env or "https" not in proxy_env:
"For security, you must specify an explicit target IP address " raise ConfigError(
"blacklist in url_preview_ip_range_blacklist for url previewing " "For security, you must specify an explicit target IP address "
"to work" "blacklist in url_preview_ip_range_blacklist for url previewing "
) "to work"
)
else:
if "http" in proxy_env or "https" in proxy_env:
logger.warning("".join(HTTP_PROXY_SET_WARNING))
# we always blacklist '0.0.0.0' and '::', which are supposed to be # we always blacklist '0.0.0.0' and '::', which are supposed to be
# unroutable addresses. # unroutable addresses.
@ -292,6 +304,8 @@ class ContentRepositoryConfig(Config):
# This must be specified if url_preview_enabled is set. It is recommended that # This must be specified if url_preview_enabled is set. It is recommended that
# you uncomment the following list as a starting point. # you uncomment the following list as a starting point.
# #
# Note: The value is ignored when an HTTP proxy is in use
#
#url_preview_ip_range_blacklist: #url_preview_ip_range_blacklist:
%(ip_range_blacklist)s %(ip_range_blacklist)s

View File

@ -960,6 +960,8 @@ class ServerConfig(Config):
# #
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0. # This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
# #
# Note: The value is ignored when an HTTP proxy is in use
#
#ip_range_blacklist: #ip_range_blacklist:
%(ip_range_blacklist)s %(ip_range_blacklist)s