Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Add a config option for validating 'next_link' parameters against a domain whitelist #8275

Merged
merged 12 commits into from
Sep 8, 2020
Next Next commit
Add next_link domain whitelist config option
anoadragon453 committed Sep 7, 2020

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
commit 3bb8b74c20ec1e1756ddacbd057883ca205a7120
18 changes: 18 additions & 0 deletions docs/sample_config.yaml
Original file line number Diff line number Diff line change
@@ -432,6 +432,24 @@ retention:
#
#request_token_inhibit_3pid_errors: true

# A list of domains that the domain portion of 'next_link' parameters
# must match.
#
# This parameter is optionally provided by clients while requesting
# validation of an email or phone number, and maps to a link that
# users will be automatically redirected to after validation
# succeeds. Clients can make use this parameter to aid the validation
# process.
#
# The whitelist is applied whether the homeserver or an
# account_threepid_delegate is handling validation.
#
# The default value is no whitelist functionality; all domains are
# allowed. Setting this value to an empty list will instead disallow
# all domains.
#
#next_link_domain_whitelist: ["matrix.org"]


## TLS ##

26 changes: 26 additions & 0 deletions synapse/config/server.py
Original file line number Diff line number Diff line change
@@ -542,6 +542,14 @@ class LimitRemoteRoomsConfig:
users_new_default_push_rules
) # type: set

# Whitelist of domain names that given next_link parameters must have
next_link_domain_whitelist = config.get("next_link_domain_whitelist")
if not isinstance(next_link_domain_whitelist, list):
anoadragon453 marked this conversation as resolved.
Show resolved Hide resolved
raise ConfigError("'next_link_domain_whitelist' must be a list")

# Turn the list into a set to improve lookup speed.
self.next_link_domain_whitelist = set(next_link_domain_whitelist) # type: set

def has_tls_listener(self) -> bool:
return any(listener.tls for listener in self.listeners)

@@ -1014,6 +1022,24 @@ def generate_config_section(
# act as if no error happened and return a fake session ID ('sid') to clients.
#
#request_token_inhibit_3pid_errors: true

# A list of domains that the domain portion of 'next_link' parameters
# must match.
#
# This parameter is optionally provided by clients while requesting
# validation of an email or phone number, and maps to a link that
# users will be automatically redirected to after validation
# succeeds. Clients can make use this parameter to aid the validation
# process.
#
# The whitelist is applied whether the homeserver or an
# account_threepid_delegate is handling validation.
babolivier marked this conversation as resolved.
Show resolved Hide resolved
#
# The default value is no whitelist functionality; all domains are
# allowed. Setting this value to an empty list will instead disallow
# all domains.
#
#next_link_domain_whitelist: ["matrix.org"]
"""
% locals()
)