Matthias/conduit
1
0
Fork 0
Code Issues 179 Pull requests 44 Projects Releases 5 Packages Wiki Activity

feat: forbid certain usernames & room aliases #1007

Open
Kladky wants to merge 5 commits from feature/forbidden-usernames-rooms into next
pull from: feature/forbidden-usernames-rooms
merge into: Matthias:next
Conversation 4 Commits 5 Files changed 8 +140 -1
8 changed files with 140 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
Cargo.lock generated
View file

@ -387,6 +387,7 @@ dependencies = [
"http", "http",
"hyper", "hyper",
"image", "image",
"itertools 0.12.0",
"jsonwebtoken", "jsonwebtoken",
"lazy_static", "lazy_static",
"lru-cache", "lru-cache",
@ -408,6 +409,7 @@ dependencies = [
"serde", "serde",
"serde_html_form", "serde_html_form",
"serde_json", "serde_json",
"serde_regex",
"serde_yaml", "serde_yaml",
"sha-1", "sha-1",
"thiserror", "thiserror",
@ -1156,6 +1158,15 @@ dependencies = [
"either", "either",
] ]
[[package]]
name = "itertools"
version = "0.12.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "25db6b064527c5d482d0423354fcd07a89a2dfe07b67892e62411946db7f07b0"
dependencies = [
"either",
]
[[package]] [[package]]
name = "itoa" name = "itoa"
version = "1.0.10" version = "1.0.10"
@ -2194,7 +2205,7 @@ name = "ruma-state-res"
version = "0.9.1" version = "0.9.1"
source = "git+https://github.com/ruma/ruma?rev=b4853aa8fa5e3a24e3689fc88044de9915f6ab67#b4853aa8fa5e3a24e3689fc88044de9915f6ab67" source = "git+https://github.com/ruma/ruma?rev=b4853aa8fa5e3a24e3689fc88044de9915f6ab67#b4853aa8fa5e3a24e3689fc88044de9915f6ab67"
dependencies = [ dependencies = [
"itertools", "itertools 0.11.0",
"js_int", "js_int",
"ruma-common", "ruma-common",
"ruma-events", "ruma-events",
@ -2420,6 +2431,16 @@ dependencies = [
"serde", "serde",
] ]
[[package]]
name = "serde_regex"
version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a8136f1a4ea815d7eac4101cfd0b16dc0cb5e1fe1b8609dfd728058656b7badf"
dependencies = [
"regex",
"serde",
]
[[package]] [[package]]
name = "serde_spanned" name = "serde_spanned"
version = "0.6.5" version = "0.6.5"

3
Cargo.toml
View file

@ -78,6 +78,9 @@ ring = "0.17.7"
trust-dns-resolver = "0.22.0" trust-dns-resolver = "0.22.0"
# Used to find matching events for appservices # Used to find matching events for appservices
regex = "1.8.1" regex = "1.8.1"
# Used to load forbidden room/user regex from config
serde_regex = "1.1.0"
itertools = "0.12.0"
# jwt jsonwebtokens # jwt jsonwebtokens
jsonwebtoken = "9.2.0" jsonwebtoken = "9.2.0"
# Performance measurements # Performance measurements

21
src/api/client_server/account.rs
View file

@ -54,6 +54,17 @@ pub async fn get_register_available_route(
)); ));
} }
if services()
.globals
.forbidden_usernames()
.is_match(user_id.localpart())
{
return Err(Error::BadRequest(
ErrorKind::Unknown,
"Username is forbidden.",
));
}
// TODO add check for appservice namespaces // TODO add check for appservice namespaces
// If no if check is true we have an username that's available to be used. // If no if check is true we have an username that's available to be used.
@ -107,6 +118,16 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
"Desired user ID is already taken.", "Desired user ID is already taken.",
)); ));
} }
if services()
.globals
.forbidden_usernames()
.is_match(proposed_user_id.localpart())
{
return Err(Error::BadRequest(
ErrorKind::Unknown,
"Username is forbidden.",
));
}
proposed_user_id proposed_user_id
} }
_ => loop { _ => loop {

11
src/api/client_server/alias.rs
View file

@ -26,6 +26,17 @@ pub async fn create_alias_route(
)); ));
} }
if services()
.globals
.forbidden_room_names()
.is_match(body.room_alias.alias())
{
return Err(Error::BadRequest(
ErrorKind::Unknown,
"Room alias is forbidden.",
));
}
if services() if services()
.rooms .rooms
.alias .alias

10
src/api/client_server/room.rs
View file

@ -81,6 +81,16 @@ pub async fn create_room_route(
body.room_alias_name body.room_alias_name
.as_ref() .as_ref()
.map_or(Ok(None), |localpart| { .map_or(Ok(None), |localpart| {
if services()
.globals
.forbidden_room_names()
.is_match(localpart)
{
return Err(Error::BadRequest(
ErrorKind::Unknown,
"Room alias is forbidden.",
));
}
// TODO: Check for invalid characters and maximum length // TODO: Check for invalid characters and maximum length
let alias = RoomAliasId::parse(format!( let alias = RoomAliasId::parse(format!(
"#{}:{}", "#{}:{}",

17
src/config/mod.rs
View file

@ -1,3 +1,6 @@
use itertools::Itertools;
use regex::RegexSet;
use std::{ use std::{
collections::BTreeMap, collections::BTreeMap,
fmt, fmt,
@ -84,6 +87,14 @@ pub struct Config {
#[serde(flatten)] #[serde(flatten)]
pub catchall: BTreeMap<String, IgnoredAny>, pub catchall: BTreeMap<String, IgnoredAny>,
#[serde(default = "RegexSet::empty")]
#[serde(with = "serde_regex")]
pub forbidden_room_names: RegexSet,
#[serde(default = "RegexSet::empty")]
#[serde(with = "serde_regex")]
pub forbidden_usernames: RegexSet,
} }
#[derive(Clone, Debug, Deserialize)] #[derive(Clone, Debug, Deserialize)]
@ -195,6 +206,12 @@ impl fmt::Display for Config {
} }
&lst.join(", ") &lst.join(", ")
}), }),
("Forbidden usernames", {
&self.forbidden_usernames.patterns().iter().join(", ")
}),
("Forbidden room names", {
&self.forbidden_room_names.patterns().iter().join(", ")
}),
]; ];
let mut msg: String = "Active config values:\n\n".to_owned(); let mut msg: String = "Active config values:\n\n".to_owned();

47
src/database/mod.rs
View file

@ -7,7 +7,9 @@ use crate::{
}; };
use abstraction::{KeyValueDatabaseEngine, KvTree}; use abstraction::{KeyValueDatabaseEngine, KvTree};
use directories::ProjectDirs; use directories::ProjectDirs;
use itertools::Itertools;
use lru_cache::LruCache; use lru_cache::LruCache;
use ruma::{ use ruma::{
events::{ events::{
push_rules::{PushRulesEvent, PushRulesEventContent}, push_rules::{PushRulesEvent, PushRulesEventContent},
@ -947,6 +949,51 @@ impl KeyValueDatabase {
latest_database_version latest_database_version
); );
{
let patterns = &services().globals.config.forbidden_usernames;
if !patterns.is_empty() {
for user in services().users.iter() {
let user_id = user?;
let matches = patterns.matches(user_id.localpart());
if matches.matched_any() {
warn!(
"User {} matches the following forbidden username patterns: {}",
user_id.to_string(),
matches
.into_iter()
.map(|x| &patterns.patterns()[x])
.join(", ")
)
}
}
}
}
{
let patterns = &services().globals.config.forbidden_room_names;
if !patterns.is_empty() {
for address in services().rooms.metadata.iter_ids() {
let room_id = address?;
let room_aliases = services().rooms.alias.local_aliases_for_room(&room_id);
for room_alias_result in room_aliases {
let room_alias = room_alias_result?;
let matches = patterns.matches(room_alias.alias());
if matches.matched_any() {
warn!(
"Room with alias {} ({}) matches the following forbidden room name patterns: {}",
room_alias,
&room_id,
matches
.into_iter()
.map(|x| &patterns.patterns()[x])
.join(", ")
)
}
}
}
}
}
info!( info!(
"Loaded {} database with version {}", "Loaded {} database with version {}",
services().globals.config.database_backend, services().globals.config.database_backend,

9
src/service/globals/mod.rs
View file

@ -1,5 +1,6 @@
mod data; mod data;
pub use data::Data; pub use data::Data;
use regex::RegexSet;
use ruma::{ use ruma::{
serde::Base64, OwnedDeviceId, OwnedEventId, OwnedRoomId, OwnedServerName, serde::Base64, OwnedDeviceId, OwnedEventId, OwnedRoomId, OwnedServerName,
OwnedServerSigningKeyId, OwnedUserId, OwnedServerSigningKeyId, OwnedUserId,
@ -352,6 +353,14 @@ impl Service {
&self.config.emergency_password &self.config.emergency_password
} }
pub fn forbidden_room_names(&self) -> &RegexSet {
&self.config.forbidden_room_names
}
pub fn forbidden_usernames(&self) -> &RegexSet {
&self.config.forbidden_usernames
}
pub fn supported_room_versions(&self) -> Vec<RoomVersionId> { pub fn supported_room_versions(&self) -> Vec<RoomVersionId> {
let mut room_versions: Vec<RoomVersionId> = vec![]; let mut room_versions: Vec<RoomVersionId> = vec![];
room_versions.extend(self.stable_room_versions.clone()); room_versions.extend(self.stable_room_versions.clone());