| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470 |
- # -*- coding: utf-8 -*-
- # Copyright 2018 New Vector Ltd
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # http://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
- import os
- import attr
- from netaddr import IPSet
- from twisted.internet._resolver import HostResolution
- from twisted.internet.address import IPv4Address, IPv6Address
- from twisted.internet.error import DNSLookupError
- from twisted.python.failure import Failure
- from twisted.test.proto_helpers import AccumulatingProtocol
- from twisted.web._newclient import ResponseDone
- from synapse.config.repository import MediaStorageProviderConfig
- from synapse.util.module_loader import load_module
- from tests import unittest
- from tests.server import FakeTransport
- @attr.s
- class FakeResponse(object):
- version = attr.ib()
- code = attr.ib()
- phrase = attr.ib()
- headers = attr.ib()
- body = attr.ib()
- absoluteURI = attr.ib()
- @property
- def request(self):
- @attr.s
- class FakeTransport(object):
- absoluteURI = self.absoluteURI
- return FakeTransport()
- def deliverBody(self, protocol):
- protocol.dataReceived(self.body)
- protocol.connectionLost(Failure(ResponseDone()))
- class URLPreviewTests(unittest.HomeserverTestCase):
- hijack_auth = True
- user_id = "@test:user"
- end_content = (
- b'<html><head>'
- b'<meta property="og:title" content="~matrix~" />'
- b'<meta property="og:description" content="hi" />'
- b'</head></html>'
- )
- def make_homeserver(self, reactor, clock):
- self.storage_path = self.mktemp()
- os.mkdir(self.storage_path)
- config = self.default_config()
- config.url_preview_enabled = True
- config.max_spider_size = 9999999
- config.url_preview_ip_range_blacklist = IPSet(
- (
- "192.168.1.1",
- "1.0.0.0/8",
- "3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
- "2001:800::/21",
- )
- )
- config.url_preview_ip_range_whitelist = IPSet(("1.1.1.1",))
- config.url_preview_url_blacklist = []
- config.media_store_path = self.storage_path
- provider_config = {
- "module": "synapse.rest.media.v1.storage_provider.FileStorageProviderBackend",
- "store_local": True,
- "store_synchronous": False,
- "store_remote": True,
- "config": {"directory": self.storage_path},
- }
- loaded = list(load_module(provider_config)) + [
- MediaStorageProviderConfig(False, False, False)
- ]
- config.media_storage_providers = [loaded]
- hs = self.setup_test_homeserver(config=config)
- return hs
- def prepare(self, reactor, clock, hs):
- self.media_repo = hs.get_media_repository_resource()
- self.preview_url = self.media_repo.children[b'preview_url']
- self.lookups = {}
- class Resolver(object):
- def resolveHostName(
- _self,
- resolutionReceiver,
- hostName,
- portNumber=0,
- addressTypes=None,
- transportSemantics='TCP',
- ):
- resolution = HostResolution(hostName)
- resolutionReceiver.resolutionBegan(resolution)
- if hostName not in self.lookups:
- raise DNSLookupError("OH NO")
- for i in self.lookups[hostName]:
- resolutionReceiver.addressResolved(i[0]('TCP', i[1], portNumber))
- resolutionReceiver.resolutionComplete()
- return resolutionReceiver
- self.reactor.nameResolver = Resolver()
- def test_cache_returns_correct_type(self):
- self.lookups["matrix.org"] = [(IPv4Address, "8.8.8.8")]
- request, channel = self.make_request(
- "GET", "url_preview?url=http://matrix.org", shorthand=False
- )
- request.render(self.preview_url)
- self.pump()
- client = self.reactor.tcpClients[0][2].buildProtocol(None)
- server = AccumulatingProtocol()
- server.makeConnection(FakeTransport(client, self.reactor))
- client.makeConnection(FakeTransport(server, self.reactor))
- client.dataReceived(
- b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\nContent-Type: text/html\r\n\r\n"
- % (len(self.end_content),)
- + self.end_content
- )
- self.pump()
- self.assertEqual(channel.code, 200)
- self.assertEqual(
- channel.json_body, {"og:title": "~matrix~", "og:description": "hi"}
- )
- # Check the cache returns the correct response
- request, channel = self.make_request(
- "GET", "url_preview?url=http://matrix.org", shorthand=False
- )
- request.render(self.preview_url)
- self.pump()
- # Check the cache response has the same content
- self.assertEqual(channel.code, 200)
- self.assertEqual(
- channel.json_body, {"og:title": "~matrix~", "og:description": "hi"}
- )
- # Clear the in-memory cache
- self.assertIn("http://matrix.org", self.preview_url._cache)
- self.preview_url._cache.pop("http://matrix.org")
- self.assertNotIn("http://matrix.org", self.preview_url._cache)
- # Check the database cache returns the correct response
- request, channel = self.make_request(
- "GET", "url_preview?url=http://matrix.org", shorthand=False
- )
- request.render(self.preview_url)
- self.pump()
- # Check the cache response has the same content
- self.assertEqual(channel.code, 200)
- self.assertEqual(
- channel.json_body, {"og:title": "~matrix~", "og:description": "hi"}
- )
- def test_non_ascii_preview_httpequiv(self):
- self.lookups["matrix.org"] = [(IPv4Address, "8.8.8.8")]
- end_content = (
- b'<html><head>'
- b'<meta http-equiv="Content-Type" content="text/html; charset=windows-1251"/>'
- b'<meta property="og:title" content="\xe4\xea\xe0" />'
- b'<meta property="og:description" content="hi" />'
- b'</head></html>'
- )
- request, channel = self.make_request(
- "GET", "url_preview?url=http://matrix.org", shorthand=False
- )
- request.render(self.preview_url)
- self.pump()
- client = self.reactor.tcpClients[0][2].buildProtocol(None)
- server = AccumulatingProtocol()
- server.makeConnection(FakeTransport(client, self.reactor))
- client.makeConnection(FakeTransport(server, self.reactor))
- client.dataReceived(
- (
- b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n"
- b"Content-Type: text/html; charset=\"utf8\"\r\n\r\n"
- )
- % (len(end_content),)
- + end_content
- )
- self.pump()
- self.assertEqual(channel.code, 200)
- self.assertEqual(channel.json_body["og:title"], u"\u0434\u043a\u0430")
- def test_non_ascii_preview_content_type(self):
- self.lookups["matrix.org"] = [(IPv4Address, "8.8.8.8")]
- end_content = (
- b'<html><head>'
- b'<meta property="og:title" content="\xe4\xea\xe0" />'
- b'<meta property="og:description" content="hi" />'
- b'</head></html>'
- )
- request, channel = self.make_request(
- "GET", "url_preview?url=http://matrix.org", shorthand=False
- )
- request.render(self.preview_url)
- self.pump()
- client = self.reactor.tcpClients[0][2].buildProtocol(None)
- server = AccumulatingProtocol()
- server.makeConnection(FakeTransport(client, self.reactor))
- client.makeConnection(FakeTransport(server, self.reactor))
- client.dataReceived(
- (
- b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n"
- b"Content-Type: text/html; charset=\"windows-1251\"\r\n\r\n"
- )
- % (len(end_content),)
- + end_content
- )
- self.pump()
- self.assertEqual(channel.code, 200)
- self.assertEqual(channel.json_body["og:title"], u"\u0434\u043a\u0430")
- def test_ipaddr(self):
- """
- IP addresses can be previewed directly.
- """
- self.lookups["example.com"] = [(IPv4Address, "8.8.8.8")]
- request, channel = self.make_request(
- "GET", "url_preview?url=http://example.com", shorthand=False
- )
- request.render(self.preview_url)
- self.pump()
- client = self.reactor.tcpClients[0][2].buildProtocol(None)
- server = AccumulatingProtocol()
- server.makeConnection(FakeTransport(client, self.reactor))
- client.makeConnection(FakeTransport(server, self.reactor))
- client.dataReceived(
- b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\nContent-Type: text/html\r\n\r\n"
- % (len(self.end_content),)
- + self.end_content
- )
- self.pump()
- self.assertEqual(channel.code, 200)
- self.assertEqual(
- channel.json_body, {"og:title": "~matrix~", "og:description": "hi"}
- )
- def test_blacklisted_ip_specific(self):
- """
- Blacklisted IP addresses, found via DNS, are not spidered.
- """
- self.lookups["example.com"] = [(IPv4Address, "192.168.1.1")]
- request, channel = self.make_request(
- "GET", "url_preview?url=http://example.com", shorthand=False
- )
- request.render(self.preview_url)
- self.pump()
- # No requests made.
- self.assertEqual(len(self.reactor.tcpClients), 0)
- self.assertEqual(channel.code, 403)
- self.assertEqual(
- channel.json_body,
- {
- 'errcode': 'M_UNKNOWN',
- 'error': 'IP address blocked by IP blacklist entry',
- },
- )
- def test_blacklisted_ip_range(self):
- """
- Blacklisted IP ranges, IPs found over DNS, are not spidered.
- """
- self.lookups["example.com"] = [(IPv4Address, "1.1.1.2")]
- request, channel = self.make_request(
- "GET", "url_preview?url=http://example.com", shorthand=False
- )
- request.render(self.preview_url)
- self.pump()
- self.assertEqual(channel.code, 403)
- self.assertEqual(
- channel.json_body,
- {
- 'errcode': 'M_UNKNOWN',
- 'error': 'IP address blocked by IP blacklist entry',
- },
- )
- def test_blacklisted_ip_specific_direct(self):
- """
- Blacklisted IP addresses, accessed directly, are not spidered.
- """
- request, channel = self.make_request(
- "GET", "url_preview?url=http://192.168.1.1", shorthand=False
- )
- request.render(self.preview_url)
- self.pump()
- # No requests made.
- self.assertEqual(len(self.reactor.tcpClients), 0)
- self.assertEqual(channel.code, 403)
- self.assertEqual(
- channel.json_body,
- {
- 'errcode': 'M_UNKNOWN',
- 'error': 'IP address blocked by IP blacklist entry',
- },
- )
- def test_blacklisted_ip_range_direct(self):
- """
- Blacklisted IP ranges, accessed directly, are not spidered.
- """
- request, channel = self.make_request(
- "GET", "url_preview?url=http://1.1.1.2", shorthand=False
- )
- request.render(self.preview_url)
- self.pump()
- self.assertEqual(channel.code, 403)
- self.assertEqual(
- channel.json_body,
- {
- 'errcode': 'M_UNKNOWN',
- 'error': 'IP address blocked by IP blacklist entry',
- },
- )
- def test_blacklisted_ip_range_whitelisted_ip(self):
- """
- Blacklisted but then subsequently whitelisted IP addresses can be
- spidered.
- """
- self.lookups["example.com"] = [(IPv4Address, "1.1.1.1")]
- request, channel = self.make_request(
- "GET", "url_preview?url=http://example.com", shorthand=False
- )
- request.render(self.preview_url)
- self.pump()
- client = self.reactor.tcpClients[0][2].buildProtocol(None)
- server = AccumulatingProtocol()
- server.makeConnection(FakeTransport(client, self.reactor))
- client.makeConnection(FakeTransport(server, self.reactor))
- client.dataReceived(
- b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\nContent-Type: text/html\r\n\r\n"
- % (len(self.end_content),)
- + self.end_content
- )
- self.pump()
- self.assertEqual(channel.code, 200)
- self.assertEqual(
- channel.json_body, {"og:title": "~matrix~", "og:description": "hi"}
- )
- def test_blacklisted_ip_with_external_ip(self):
- """
- If a hostname resolves a blacklisted IP, even if there's a
- non-blacklisted one, it will be rejected.
- """
- # Hardcode the URL resolving to the IP we want.
- self.lookups[u"example.com"] = [
- (IPv4Address, "1.1.1.2"),
- (IPv4Address, "8.8.8.8"),
- ]
- request, channel = self.make_request(
- "GET", "url_preview?url=http://example.com", shorthand=False
- )
- request.render(self.preview_url)
- self.pump()
- self.assertEqual(channel.code, 403)
- self.assertEqual(
- channel.json_body,
- {
- 'errcode': 'M_UNKNOWN',
- 'error': 'IP address blocked by IP blacklist entry',
- },
- )
- def test_blacklisted_ipv6_specific(self):
- """
- Blacklisted IP addresses, found via DNS, are not spidered.
- """
- self.lookups["example.com"] = [
- (IPv6Address, "3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")
- ]
- request, channel = self.make_request(
- "GET", "url_preview?url=http://example.com", shorthand=False
- )
- request.render(self.preview_url)
- self.pump()
- # No requests made.
- self.assertEqual(len(self.reactor.tcpClients), 0)
- self.assertEqual(channel.code, 403)
- self.assertEqual(
- channel.json_body,
- {
- 'errcode': 'M_UNKNOWN',
- 'error': 'IP address blocked by IP blacklist entry',
- },
- )
- def test_blacklisted_ipv6_range(self):
- """
- Blacklisted IP ranges, IPs found over DNS, are not spidered.
- """
- self.lookups["example.com"] = [(IPv6Address, "2001:800::1")]
- request, channel = self.make_request(
- "GET", "url_preview?url=http://example.com", shorthand=False
- )
- request.render(self.preview_url)
- self.pump()
- self.assertEqual(channel.code, 403)
- self.assertEqual(
- channel.json_body,
- {
- 'errcode': 'M_UNKNOWN',
- 'error': 'IP address blocked by IP blacklist entry',
- },
- )
|
