From f44b8a163c2a8ce0d941b7d1291e8e93ec8c9389 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Mon, 21 Jan 2019 21:03:18 +0100
Subject: [PATCH] add url spider configuration

---
 defaults/main.yml | 26 +++++++
 templates/opt/matrix/config/homeserver.yml.j2 | 69 ++++---------------
 2 files changed, 38 insertions(+), 57 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 9e0dfc5..588116d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -105,6 +105,32 @@ matrix_open_ports:
 -A INPUT -m state --state NEW -p tcp --dport {{ matrix_http_bind_port }} -j ACCEPT
 state: present
 
+matrix_url_preview_enabled: False
+
+# List of IP address CIDR ranges that the URL preview spider is denied
+# from accessing. You should specify any internal services in your
+# network that you do not want synapse to try to connect to, otherwise
+# anyone in any Matrix room could cause your synapse to issue arbitrary
+# GET requests to your internal services, causing serious security issues.
+# matrix_url_preview_blacklist: # defaults to not set
+# - '127.0.0.0/8'
+# - '10.0.0.0/8'
+# - '172.16.0.0/12'
+# - '192.168.0.0/16'
+# - '100.64.0.0/10'
+# - '169.254.0.0/16'
+# - '::1/128'
+# - 'fe80::/64'
+# - 'fc00::/7'
+
+# Optional list of URL matches that the URL preview spider is
+# denied from accessing.
+# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
+# matrix_url_preview_url_blacklist:
+# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
+# - netloc: '^([A-f0-9:]+:+)+[A-f0-9]+$'
+matrix_url_preview_max_spider_size: 10M
+
 matrix_tls_enabled: False
 matrix_tls_dhparam_path: "{{ matrix_base_dir }}/tls/dhparam.pem"
 matrix_tls_dhparam_size: 2048
diff --git a/templates/opt/matrix/config/homeserver.yml.j2 b/templates/opt/matrix/config/homeserver.yml.j2
index 02e75ee..e4cbffc 100644
--- a/templates/opt/matrix/config/homeserver.yml.j2
+++ b/templates/opt/matrix/config/homeserver.yml.j2
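Review bot: The variable the commented example documents, `matrix_url_preview_blacklist`, is not the one the template consumes — the homeserver.yml.j2 hunk in this same patch tests `matrix_url_preview_ip_blacklist is defined` — so a deployer who copies this example into their vars gets `url_preview_enabled` turned on with no `url_preview_ip_range_blacklist` emitted, which is the exact exposure the comment itself describes (any room member can make the homeserver fetch internal URLs). Whether Synapse then refuses to start or spiders unrestricted depends on the Synapse version, but either way the role emits a configuration its own comment forbids; rename the example to `matrix_url_preview_ip_blacklist`, or better, make the nine CIDR entries the real uncommented default so the template always renders an IP-range blacklist when previews are enabled. The IPv6 example under `matrix_url_preview_url_blacklist` uses the character range `[A-f0-9]`, which in ASCII spans `A`–`f` and so also matches `[`, `\`, `]`, `^`, `_` and `` ` ``; `[A-Fa-f0-9]` is what was meant.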
@@ -319,27 +319,13 @@ thumbnail_sizes:
 # Is the preview URL API enabled? If enabled, you *must* specify
 # an explicit url_preview_ip_range_blacklist of IPs that the spider is
 # denied from accessing.
-url_preview_enabled: False
-
-# List of IP address CIDR ranges that the URL preview spider is denied
-# from accessing. There are no defaults: you must explicitly
-# specify a list for URL previewing to work. You should specify any
-# internal services in your network that you do not want synapse to try
-# to connect to, otherwise anyone in any Matrix room could cause your
-# synapse to issue arbitrary GET requests to your internal services,
-# causing serious security issues.
-#
-# url_preview_ip_range_blacklist:
-# - '127.0.0.0/8'
-# - '10.0.0.0/8'
-# - '172.16.0.0/12'
-# - '192.168.0.0/16'
-# - '100.64.0.0/10'
-# - '169.254.0.0/16'
-# - '::1/128'
-# - 'fe80::/64'
-# - 'fc00::/7'
-#
+url_preview_enabled: {% 'True' if matrix_url_preview_enabled else 'False' %}
+
+{% if matrix_url_preview_ip_blacklist is defined %}
+url_preview_ip_range_blacklist:
+{{ matrix_url_preview_ip_blacklist | to_nice_yaml }}
+{% endif %}
+
 # List of IP address CIDR ranges that the URL preview spider is allowed
 # to access even if they are specified in url_preview_ip_range_blacklist.
 # This is useful for specifying exceptions to wide-ranging blacklisted
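Review bot: `url_preview_enabled: {% 'True' if matrix_url_preview_enabled else 'False' %}` puts an expression inside a statement block; Jinja2 expects a tag name after `{%` and will raise a TemplateSyntaxError, so this template no longer renders at all. Use the output delimiters, `url_preview_enabled: {{ 'True' if matrix_url_preview_enabled else 'False' }}`, or simply `url_preview_enabled: {{ matrix_url_preview_enabled }}` since the variable already defaults to a boolean in defaults/main.yml. The `{% if matrix_url_preview_ip_blacklist is defined %}` guard below it makes the IP-range blacklist that the retained comment calls mandatory optional in practice; rendering `url_preview_ip_range_blacklist` unconditionally from a populated default, or asserting the variable is defined whenever `matrix_url_preview_enabled` is true, would make the safe configuration the only one the role can produce. The mismatch between this variable name and the one documented in defaults/main.yml is raised on that file's hunk.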
@@ -349,44 +335,13 @@ url_preview_enabled: False
 # url_preview_ip_range_whitelist:
 # - '192.168.1.1'
 
-# Optional list of URL matches that the URL preview spider is
-# denied from accessing. You should use url_preview_ip_range_blacklist
-# in preference to this, otherwise someone could define a public DNS
-# entry that points to a private IP address and circumvent the blacklist.
-# This is more useful if you know there is an entire shape of URL that
-# you know that will never want synapse to try to spider.
-#
-# Each list entry is a dictionary of url component attributes as returned
-# by urlparse.urlsplit as applied to the absolute form of the URL. See
-# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
-# The values of the dictionary are treated as an filename match pattern
-# applied to that component of URLs, unless they start with a ^ in which
-# case they are treated as a regular expression match. If all the
-# specified component matches for a given list item succeed, the URL is
-# blacklisted.
-#
-# url_preview_url_blacklist:
-# # blacklist any URL with a username in its URI
-# - username: '*'
-#
-# # blacklist all *.google.com URLs
-# - netloc: 'google.com'
-# - netloc: '*.google.com'
-#
-# # blacklist all plain HTTP URLs
-# - scheme: 'http'
-#
-# # blacklist http(s)://www.acme.com/foo
-# - netloc: 'www.acme.com'
-# path: '/foo'
-#
-# # blacklist any URL with a literal IPv4 address
-# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
+{% if matrix_url_preview_url_blacklist is defined %}
+url_preview_url_blacklist:
+{{ matrix_url_preview_url_blacklist | to_nice_yaml }}
+{% endif %}
 
 # The largest allowed URL preview spidering size in bytes
-max_spider_size: "10M"
-
-
+max_spider_size: "{{ matrix_url_preview_max_spider_size }}"
 
 
 ## Captcha ##
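Review bot: The upstream guidance deleted here — that `url_preview_url_blacklist` is only a URL-shape filter and that `url_preview_ip_range_blacklist` must be used in preference because a public DNS name can resolve to a private address — is the one warning a deployer needs when choosing between the two new variables, and neither the rendered file nor defaults/main.yml carries it now. A two-line comment above the new `{% if matrix_url_preview_url_blacklist is defined %}` would restore it: `# URL-shape filter only: a public DNS name can still resolve to an internal address,` followed by `# so private ranges must be blocked via url_preview_ip_range_blacklist.` The quoting on `max_spider_size: "{{ matrix_url_preview_max_spider_size }}"` is correct and keeps the value a string whatever the variable holds.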