This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Configurable maximum number of events requested by /sync and /messages #2221

Merged

Conversation

psaavedra
Contributor

@psaavedra psaavedra commented May 13, 2017

Fixes: #2220

Some tests done during this Saturday confirmed to me a new attack vector for Matrix using the /sync API. The vulnerability is that Matrix doesn't set an upper limit for the max number of events to request for a requested room; this allows the attacker to generate huge SQL queries in the server which can degrade the service and lead to a DDoS.

Set the limit on the returned events in the timeline in the get and sync operations. The default value is -1, which means no upper limit.

For example, using filter_timeline_limit: 5000:

POST /_matrix/client/r0/user/user:id/filter
{
  "room": {
    "timeline": {
      "limit": 1000000000000000000
    }
  }
}

GET /_matrix/client/r0/user/user:id/filter/filter:id

{
  "room": {
    "timeline": {
      "limit": 5000
    }
  }
}

The server cuts down the room.timeline.limit.

Signed-off-by: Pablo Saavedra (psaavedra@igalia.com)
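As an added example (not the PR's code and not Synapse's actual implementation), here is a defensive version of the clamp the description outlines, plus a constructed in-memory filter store that replays the POST/GET exchange above. `FilterStore`, `demo`, `resolve_sync_filter` and the sample user ID are assumptions made for this example; the handling of an inline JSON filter on /sync follows the client-server API's `filter` parameter rather than anything in this PR.

```python
# Added example, not code from the Synapse PR: a defensive reimplementation of
# the clamp the description outlines. The homeserver setting is assumed to be an
# int named filter_timeline_limit, where -1 (the PR's default) means no cap.
import json

NO_UPPER_LIMIT = -1


def set_timeline_upper_limit(filter_json, filter_timeline_limit):
    """Cut room.timeline.limit in filter_json down to the configured cap, in place.

    Returns the limit the server will actually honour, or None when the filter
    carries no usable integer limit at that path. Every level is type-checked
    because the filter body is client-supplied JSON.
    """
    room = filter_json.get("room")
    if not isinstance(room, dict):
        return None
    timeline = room.get("timeline")
    if not isinstance(timeline, dict):
        return None
    limit = timeline.get("limit")
    # bool is a subclass of int in Python, so exclude it explicitly; leave any
    # other non-integer value to the filter's normal validation.
    if isinstance(limit, bool) or not isinstance(limit, int):
        return None
    if filter_timeline_limit == NO_UPPER_LIMIT:
        return limit  # no upper limit configured: the client value stands
    if limit > filter_timeline_limit:
        timeline["limit"] = filter_timeline_limit
    return timeline["limit"]


class FilterStore:
    """Constructed in-memory stand-in for the homeserver's filter storage."""

    def __init__(self, filter_timeline_limit):
        self.cap = filter_timeline_limit
        self._filters = {}

    def create_filter(self, user_id, filter_json):
        # Clamp before persisting, so that a later GET returns the effective
        # limit rather than the value the client asked for.
        set_timeline_upper_limit(filter_json, self.cap)
        filter_id = str(len(self._filters))
        self._filters[(user_id, filter_id)] = json.loads(json.dumps(filter_json))
        return filter_id

    def get_filter(self, user_id, filter_id):
        return self._filters[(user_id, filter_id)]


def resolve_sync_filter(store, user_id, filter_param):
    """Resolve the /sync ``filter`` query parameter: a stored filter ID or an
    inline JSON object (assumption: both forms, as the client-server API allows).

    The inline form is clamped as well, so the cap holds whether or not the
    filter was ever stored.
    """
    if filter_param.startswith("{"):
        filter_json = json.loads(filter_param)
        set_timeline_upper_limit(filter_json, store.cap)
        return filter_json
    return store.get_filter(user_id, filter_param)


def demo(filter_timeline_limit=5000):
    """Replay the POST/GET exchange from the description against the store."""
    store = FilterStore(filter_timeline_limit)
    user_id = "@alice:example.org"  # constructed sample user
    posted = {"room": {"timeline": {"limit": 1000000000000000000}}}
    filter_id = store.create_filter(user_id, posted)
    return store.get_filter(user_id, filter_id)["room"]["timeline"]["limit"]


if __name__ == "__main__":
    print(demo(5000))            # capped to 5000
    print(demo(NO_UPPER_LIMIT))  # unchanged: 1000000000000000000
```

Run with `filter_timeline_limit` set to 5000 and the stored filter comes back with `limit: 5000` exactly as in the GET response above; with -1 the client's value is kept. The `isinstance` checks are the part the PR's own snippet lacks: a malformed `room` or `timeline` value returns None instead of raising.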

@matrixbot
Member

Can one of the admins verify this patch?


@erikjohnston
Member

@matrixbot ok to test

@psaavedra
Contributor Author

Fixing errors. ...

* Added HS as property in SyncRestServlet
* Fixed set_timeline_upper_limit function implementation
return # no upper limits
if 'room' in filter_json \
and 'timeline' in filter_json['room'] \
and 'limit' in filter_json['room']['timeline']:
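Review bot: the guard on these lines checks that the keys exist but not that `filter_json['room']` and `filter_json['room']['timeline']` are objects; since the filter body is client-supplied JSON, a `room` or `timeline` value that is not a dict (a number, for instance) makes the `in` test raise `TypeError` instead of reporting a malformed filter. Suggest an `isinstance(..., dict)` check at each level (or the `.get('room', {}).get('timeline', {})` form) and a check that `limit` is an integer before it is compared with the configured cap.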
Member

Style nit: We prefer to never use \ style new line continuations and instead use brackets.

e.g. something like:

if (
    'room' in filter_json
    and 'timeline' in filter_json['room']
    and 'limit' in filter_json['room']['timeline']
):
    ...

(This could also be written as:

timeline = filter_json.get('room', {}).get('timeline', {})
if 'limit' in timeline:
    ...

but I'm not sure if that's actually better in this case)

@@ -85,6 +86,9 @@ def on_POST(self, request, user_id):
raise AuthError(403, "Can only create filters for local users")

content = parse_json_object_from_request(request)
set_timeline_upper_limit(content,
self.hs.config.filter_timeline_limit)
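Review bot: this hunk clamps only filters persisted through POST, so the stored filter and the GET response carry the capped value as the description says; the /sync and /messages paths named in the title also accept a filter supplied directly with the request, and they need the same `set_timeline_upper_limit` call where that filter is parsed, otherwise the cap applies only to stored filters. The new `filter_timeline_limit` key should also be documented in the sample config, including that the default of -1 means no upper limit.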
Member

Style nit: For multi line stuff we prefer the following style:

set_timeline_upper_limit(
    content,
    self.hs.config.filter_timeline_limit,
)

@erikjohnston
Member

Other than some style nits this looks good! If you could quickly fix those up then I'm happy to merge this

(Note to self: see if we can get pyflakes to complain about those things)

@psaavedra
Contributor Author

psaavedra commented May 15, 2017 via email

@erikjohnston
Member

Thanks for this! Could you just quickly sign off as per CONTRIBUTING.rst please? Just as a comment/email here is fine. (Sorry for not spotting this before)

@psaavedra
Contributor Author

Signed-off-by: Pablo Saavedra psaavedra@igalia.com

@psaavedra
Contributor Author

psaavedra commented May 15, 2017 via email

@erikjohnston
Member

Thanks!

@erikjohnston erikjohnston merged commit 2c9475b into matrix-org:develop May 15, 2017
@erikjohnston erikjohnston added the z-feature (Deprecated Label) label May 17, 2017
psaavedra added a commit to psaavedra/synapse that referenced this pull request May 19, 2017
Changes in synapse v0.21.0 (2017-05-18)
=======================================

No changes since v0.21.0-rc3

Changes in synapse v0.21.0-rc3 (2017-05-17)
===========================================

Features:

* Add per user rate-limiting overrides (PR matrix-org#2208)
* Add config option to limit maximum number of events requested by ``/sync``
  and ``/messages`` (PR matrix-org#2221) Thanks to @psaavedra!

Changes:

* Various small performance fixes (PR matrix-org#2201, matrix-org#2202, matrix-org#2224, matrix-org#2226, matrix-org#2227, matrix-org#2228,
  matrix-org#2229)
* Update username availability checker API (PR matrix-org#2209, matrix-org#2213)
* When purging, don't de-delta state groups we're about to delete (PR matrix-org#2214)
* Documentation to check synapse version (PR matrix-org#2215) Thanks to @hamber-dick!
* Add an index to event_search to speed up purge history API (PR matrix-org#2218)

Bug fixes:

* Fix API to allow clients to upload one-time-keys with new sigs (PR matrix-org#2206)

Changes in synapse v0.21.0-rc2 (2017-05-08)
===========================================

Changes:

* Always mark remotes as up if we receive a signed request from them (PR matrix-org#2190)

Bug fixes:

* Fix bug where users got pushed for rooms they had muted (PR matrix-org#2200)

Changes in synapse v0.21.0-rc1 (2017-05-08)
===========================================

Features:

* Add username availability checker API (PR matrix-org#2183)
* Add read marker API (PR matrix-org#2120)

Changes:

* Enable guest access for the 3pl/3pid APIs (PR matrix-org#1986)
* Add setting to support TURN for guests (PR matrix-org#2011)
* Various performance improvements (PR matrix-org#2075, matrix-org#2076, matrix-org#2080, matrix-org#2083, matrix-org#2108,
  matrix-org#2158, matrix-org#2176, matrix-org#2185)
* Make synctl a bit more user friendly (PR matrix-org#2078, matrix-org#2127) Thanks @APwhitehat!
* Replace HTTP replication with TCP replication (PR matrix-org#2082, matrix-org#2097, matrix-org#2098,
  matrix-org#2099, matrix-org#2103, matrix-org#2014, matrix-org#2016, matrix-org#2115, matrix-org#2116, matrix-org#2117)
* Support authenticated SMTP (PR matrix-org#2102) Thanks @DanielDent!
* Add a counter metric for successfully-sent transactions (PR matrix-org#2121)
* Propagate errors sensibly from proxied IS requests (PR matrix-org#2147)
* Add more granular event send metrics (PR matrix-org#2178)

Bug fixes:

* Fix nuke-room script to work with current schema (PR matrix-org#1927) Thanks
  @zuckschwerdt!
* Fix db port script to not assume postgres tables are in the public schema
  (PR matrix-org#2024) Thanks @jerrykan!
* Fix getting latest device IP for user with no devices (PR matrix-org#2118)
* Fix rejection of invites to unreachable servers (PR matrix-org#2145)
* Fix code for reporting old verify keys in synapse (PR matrix-org#2156)
* Fix invite state to always include all events (PR matrix-org#2163)
* Fix bug where synapse would always fetch state for any missing event (PR matrix-org#2170)
* Fix a leak with timed out HTTP connections (PR matrix-org#2180)
* Fix bug where we didn't time out HTTP requests to ASes (PR matrix-org#2192)

Docs:

* Clarify doc for SQLite to PostgreSQL port (PR matrix-org#1961) Thanks @benhylau!
* Fix typo in synctl help (PR matrix-org#2107) Thanks @HarHarLinks!
* ``web_client_location`` documentation fix (PR matrix-org#2131) Thanks @matthewjwolff!
* Update README.rst with FreeBSD changes (PR matrix-org#2132) Thanks @feld!
* Clarify setting up metrics (PR matrix-org#2149) Thanks @encks!