authorAndrew Morgan <andrew@amorgan.xyz>2020-10-20 19:12:51 +0100
committerAndrew Morgan <andrew@amorgan.xyz>2020-10-20 19:12:51 +0100
commit82c379c20ba0fc562f6979d148dfa916880d17b0 (patch)
tree507cd3d9cac4d438292db132ac9c8a19a0c96716 /synapse/rest/client/v2_alpha/account.py
parentMerge commit 'd4daff9b5' into anoa/dinsic_release_1_21_x (diff)
parentAdd types to async_helpers (#8260) (diff)
Merge commit 'e45b83411' into anoa/dinsic_release_1_21_x
* commit 'e45b83411':
  Add types to async_helpers (#8260)
  Fix mypy error on develop (#8282)
  Include method in thumbnail media name (#7124)
  Add types to StreamToken and RoomStreamToken (#8279)
  Add a config option for validating 'next_link' parameters against a domain whitelist (#8275)
  Clean up types for PaginationConfig (#8250)
  Use the right constructor for log records (#8278)
  Fix `MultiWriterIdGenerator.current_position`. (#8257)
Diffstat (limited to 'synapse/rest/client/v2_alpha/account.py')
-rw-r--r--synapse/rest/client/v2_alpha/account.py41
1 files changed, 39 insertions, 2 deletions
diff --git a/synapse/rest/client/v2_alpha/account.py b/synapse/rest/client/v2_alpha/account.py

index 570fa0a2eb..72eaaad8b6 100644
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@@ -24,8 +24,6 @@ from urllib.parse import urlparse
 if TYPE_CHECKING:
 from synapse.app.homeserver import HomeServer
-from twisted.internet import defer
-
 from synapse.api.constants import LoginType
 from synapse.api.errors import (
 Codes,
@@ -1103,6 +1101,45 @@ def assert_valid_next_link(hs: "HomeServer", next_link: str):
 )
+def assert_valid_next_link(hs: "HomeServer", next_link: str):
+ """
+ Raises a SynapseError if a given next_link value is invalid
+
+ next_link is valid if the scheme is http(s) and the next_link.domain_whitelist config
+ option is either empty or contains a domain that matches the one in the given next_link
+
+ Args:
+ hs: The homeserver object
+ next_link: The next_link value given by the client
+
+ Raises:
+ SynapseError: If the next_link is invalid
+ """
+ valid = True
+
+ # Parse the contents of the URL
+ next_link_parsed = urlparse(next_link)
+
+ # Scheme must not point to the local drive
+ if next_link_parsed.scheme == "file":
+ valid = False
+
+ # If the domain whitelist is set, the domain must be in it
+ if (
+ valid
+ and hs.config.next_link_domain_whitelist is not None
+ and next_link_parsed.hostname not in hs.config.next_link_domain_whitelist
+ ):
+ valid = False
+
+ if not valid:
+ raise SynapseError(
+ 400,
+ "'next_link' domain not included in whitelist, or not http(s)",
+ errcode=Codes.INVALID_PARAM,
+ )
+
+
 class WhoamiRestServlet(RestServlet):
 PATTERNS = client_patterns("/account/whoami$")
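Review bot: The scheme check in the added assert_valid_next_link rejects only `file`, while its docstring and the error message it raises both promise that only http(s) is accepted, so a next_link with any other scheme passes the scheme test and, when `hs.config.next_link_domain_whitelist` is None, is accepted outright. Replacing the denylist with the allowlist the docstring already describes closes that gap: `if next_link_parsed.scheme not in ("http", "https"):` in place of `if next_link_parsed.scheme == "file":`, with the comment above it reworded to `# Only http(s) links are accepted; any other scheme is rejected`. Separately, the hunk header's function context (`def assert_valid_next_link(hs: "HomeServer", next_link: str):`) suggests the pre-merge file already defines a function of this name just above the insertion point, in which case the merged file carries two definitions and the later one silently shadows the earlier; this is inferred from the header only and should be confirmed against the merged file. The first hunk, which drops the unused `defer` import, needs no further change.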