"global" ACLs config option, block room directory requests to forbidden servers

Signed-off-by: strawberry <strawberry@puppygock.gay>
2025-07-28 18:58:30 +00:00 · 2024-04-15 22:02:08 -04:00 · 2024-04-15 22:02:08 -04:00 · 97c63604fd
commit 97c63604fd
parent 47c43769d7
6 changed files with 284 additions and 2 deletions
--- a/src/api/server_server.rs
+++ b/src/api/server_server.rs
@ -908,6 +908,37 @@ pub async fn create_join_event_template_route(
 		.event_handler
 		.acl_check(sender_servername, &body.room_id)?;

+	if services()
+		.globals
+		.config
+		.forbidden_remote_server_names
+		.contains(sender_servername)
+	{
+		warn!(
+			"Server {sender_servername} for remote user {} tried joining room ID {} which has a server name that is \
+			 globally forbidden. Rejecting.",
+			&body.user_id, &body.room_id,
+		);
+		return Err(Error::BadRequest(
+			ErrorKind::forbidden(),
+			"Server is banned on this homeserver.",
+		));
+	}
+
+	if let Some(server) = body.room_id.server_name() {
+		if services()
+			.globals
+			.config
+			.forbidden_remote_server_names
+			.contains(&server.to_owned())
+		{
+			return Err(Error::BadRequest(
+				ErrorKind::forbidden(),
+				"Server is banned on this homeserver.",
+			));
+		}
+	}
+
 	let mutex_state = Arc::clone(
 		services()
 			.globals
@ -1201,6 +1232,42 @@ pub async fn create_join_event_v1_route(
 		.as_ref()
 		.expect("server is authenticated");

+	if services()
+		.globals
+		.config
+		.forbidden_remote_server_names
+		.contains(sender_servername)
+	{
+		warn!(
+			"Server {sender_servername} tried joining room ID {} who has a server name that is globally forbidden. \
+			 Rejecting.",
+			&body.room_id,
+		);
+		return Err(Error::BadRequest(
+			ErrorKind::forbidden(),
+			"Server is banned on this homeserver.",
+		));
+	}
+
+	if let Some(server) = body.room_id.server_name() {
+		if services()
+			.globals
+			.config
+			.forbidden_remote_server_names
+			.contains(&server.to_owned())
+		{
+			warn!(
+				"Server {sender_servername} tried joining room ID {} which has a server name that is globally \
+				 forbidden. Rejecting.",
+				&body.room_id,
+			);
+			return Err(Error::BadRequest(
+				ErrorKind::forbidden(),
+				"Server is banned on this homeserver.",
+			));
+		}
+	}
+
 	let room_state = create_join_event(sender_servername, &body.room_id, &body.pdu).await?;

 	Ok(create_join_event::v1::Response {
@ -1219,6 +1286,37 @@ pub async fn create_join_event_v2_route(
 		.as_ref()
 		.expect("server is authenticated");

+	if services()
+		.globals
+		.config
+		.forbidden_remote_server_names
+		.contains(sender_servername)
+	{
+		warn!(
+			"Server {sender_servername} tried joining room ID {} who has a server name that is globally forbidden. \
+			 Rejecting.",
+			&body.room_id,
+		);
+		return Err(Error::BadRequest(
+			ErrorKind::forbidden(),
+			"Server is banned on this homeserver.",
+		));
+	}
+
+	if let Some(server) = body.room_id.server_name() {
+		if services()
+			.globals
+			.config
+			.forbidden_remote_server_names
+			.contains(&server.to_owned())
+		{
+			return Err(Error::BadRequest(
+				ErrorKind::forbidden(),
+				"Server is banned on this homeserver.",
+			));
+		}
+	}
+
 	let create_join_event::v1::RoomState {
 		auth_chain,
 		state,
@ -1448,6 +1546,40 @@ pub async fn create_invite_route(body: Ruma<create_invite::v2::Request>) -> Resu
 		));
 	}

+	if let Some(server) = body.room_id.server_name() {
+		if services()
+			.globals
+			.config
+			.forbidden_remote_server_names
+			.contains(&server.to_owned())
+		{
+			warn!(
+				"Received federated/remote invite from banned server {sender_servername} for room ID {}. Rejecting.",
+				body.room_id
+			);
+			return Err(Error::BadRequest(
+				ErrorKind::forbidden(),
+				"Server is banned on this homeserver.",
+			));
+		}
+	}
+
+	if services()
+		.globals
+		.config
+		.forbidden_remote_server_names
+		.contains(&sender_servername.to_owned())
+	{
+		warn!(
+			"Received federated/remote invite from banned server {sender_servername} for room ID {}. Rejecting.",
+			body.room_id
+		);
+		return Err(Error::BadRequest(
+			ErrorKind::forbidden(),
+			"Server is banned on this homeserver.",
+		));
+	}
+
 	if let Some(via) = &body.via {
 		if via.is_empty() {
 			return Err(Error::BadRequest(ErrorKind::InvalidParam, "via field must not be empty."));