Closed rwjack closed 9 months ago
Actually, the code somehow falls through all the way to the end:
This bypass fixes it for me, but the point is it should not fall through, because well-known delegation can be reached
@@ -198,7 +198,7 @@ async function discoverHomeserverUrl(serverName) {
* The target server must present a valid certificate for <hostname>.
*/
return {
- homeserverUrl: `https://${hostname}:8448`,
+ homeserverUrl: `https://${hostname}:443`,
serverName: hostname,
};
}
Basically I'd say that the matrixUtils.js:98
code should pass, but it doesn't for some reason
This is the final code edit that worked for me, I'll state again that this is not a solution, just the steps to fix my edgecase. It includes 2 commits from the following fork . I also had to proxy domain.tld/(_synapse|_matrix)/
to the synapse instance.
diff --git a/src/matrixUtils.js b/src/matrixUtils.js
index a652c40..bd5a2d0 100644
--- a/src/matrixUtils.js
+++ b/src/matrixUtils.js
@@ -55,7 +55,7 @@ async function discoverHomeserverUrl(serverName) {
let {hostname, port, defaultPort} = parseHostnameAndPort(serverName);
// Don't continue if we consider the hostname part to resolve to our blacklisted IP ranges
- if (utils.isBlacklisted(await utils.resolveDomain(hostname))) {
+ if (!process.env.UVS_DISABLE_IP_BLACKLIST && utils.isBlacklisted(await utils.resolveDomain(hostname))) {
throw Error('Hostname resolves to a blacklisted IP range.');
}
@@ -104,6 +104,7 @@ async function discoverHomeserverUrl(serverName) {
if (delegatedHostname) {
const parsed = parseHostnameAndPort(delegatedHostname);
+ // maybe we need this here as well? !process.env.UVS_DISABLE_IP_BLACKLIST &&
// Don't continue if we consider the hostname part to resolve to our blacklisted IP ranges
if (utils.isBlacklisted(await utils.resolveDomain(parsed.hostname))) {
throw Error('Delegated hostname resolves to a blacklisted IP range.');
@@ -197,7 +198,7 @@ async function discoverHomeserverUrl(serverName) {
* The target server must present a valid certificate for <hostname>.
*/
return {
- homeserverUrl: `https://${hostname}:8448`,
+ homeserverUrl: `https://${hostname}:443`,
serverName: hostname,
};
}
diff --git a/src/utils.js b/src/utils.js
index fa18820..f657e5a 100644
--- a/src/utils.js
+++ b/src/utils.js
@@ -92,7 +92,6 @@ function requestLogger(req) {
const ip4RangeBlacklist = [
'127.0.0.0/8',
- '10.0.0.0/8',
'172.16.0.0/12',
'192.168.0.0/16',
'100.64.0.0/10',
diff --git a/src/verify.js b/src/verify.js
index 7168735..aa574fe 100644
--- a/src/verify.js
+++ b/src/verify.js
@@ -85,7 +85,8 @@ async function verifyOpenIDToken(req) {
let response;
let serverName;
if (process.env.UVS_OPENID_VERIFY_SERVER_NAME) {
- if (req.body.matrix_server_name !== process.env.UVS_OPENID_VERIFY_SERVER_NAME) {
+ if (req.body.matrix_server_name !== process.env.UVS_OPENID_VERIFY_SERVER_NAME &&
+ req.body.matrix_server_name !== "matrix.cthd.icu") {
// Refuse to check token against any other servers
logger.log(
'warn',
@@ -120,6 +121,7 @@ async function verifyOpenIDToken(req) {
{
Host: homeserver.serverName,
},
+ process.env.UVS_DISABLE_IP_BLACKLIST === 'true',
);
} catch (error) {
utils.errorLogger(error, req);
Hi, the main problem occurs because in the function verifyOpenIDToken process.env.UVS_HOMESERVER_URL is ignored, url is made from matrtix_server_name, unlike the correct code in getRoomPowerLevels or verifyRoomMembership. matrix_server_name should not be used when UVS_HOMESERVER_URL is set. Adam.
Edge case somewhere in
matrixUtils.js:async function discoverHomeserverUrl(serverName)
My synapse server has delegation with the port 443, and the wellknown entry returns:
{ "m.server": "matrix.domain.tld:443" }
yet
matrixUtils.js:54
somehow returnsdomain.tld:8448
.the .env entry also being:
UVS_OPENID_VERIFY_SERVER_NAME=domain.tld