This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
Configurable maximum number of events requested by /sync and /messages #2221
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
matrix-org#2220) Set the limit on the returned events in the timeline in the get and sync operations. The default value is -1, means no upper limit. For example, using `filter_timeline_limit: 5000`: POST /_matrix/client/r0/user/user:id/filter { room: { timeline: { limit: 1000000000000000000 } } } GET /_matrix/client/r0/user/user:id/filter/filter:id { room: { timeline: { limit: 5000 } } } The server cuts down the room.timeline.limit.
|
Can one of the admins verify this patch? |
2 similar comments
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
@matrixbot ok to test |
|
Fixing errors. ... |
* Added HS as property in SyncRestServlet * Fixed set_timeline_upper_limit function implementat¡ion
| return # no upper limits | ||
| if 'room' in filter_json \ | ||
| and 'timeline' in filter_json['room'] \ | ||
| and 'limit' in filter_json['room']['timeline']: |
There was a problem hiding this comment.
Style nit: We prefer to never use \ style new line continuations and instead use brackets.
e.g. something like:
if (
'room' in filter_json
and 'timeline' in filter_json['room']
and 'limit' in filter_json['room']['timeline']
):
...(This could also be written as:
timeline = filter_json.get('room', {}).get('timeline', {})
if 'limit' in timeline:
...but I'm not sure if that's actually better in this case)
| @@ -85,6 +86,9 @@ def on_POST(self, request, user_id): | |||
| raise AuthError(403, "Can only create filters for local users") | |||
|
|
|||
| content = parse_json_object_from_request(request) | |||
| set_timeline_upper_limit(content, | |||
| self.hs.config.filter_timeline_limit) | |||
There was a problem hiding this comment.
Style nit: For multi line stuff we prefer the following style:
set_timeline_upper_limit(
content,
self.hs.config.filter_timeline_limit,
)
|
Other than some style nits this looks good! If you could quickly fix those up then I'm happy to merge this (Note to self: see if we can get pyflakes to complain about those things) |
|
Updated according with the style suggestions.
…On 15 May 2017 3:57 p.m., "Erik Johnston" ***@***.***> wrote:
Other than some style nits this looks good! If you could quickly fix those
up then I'm happy to merge this
(Note to self: see if we can get pyflakes to complain about those things)
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#2221 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAXABl6ncFmnevPSW26wjyaJ1dELXh4kks5r6Fm6gaJpZM4NaHfr>
.
|
|
Thanks for this! Could you just quickly sign off as per CONTRIBUTING.rst please? Just as a comment/email here is fine. (Sorry for not spotting this before) |
|
Signed-off-by: Pablo Saavedra psaavedra@igalia.com |
|
My bad, I should include it in the first comment.
…On 15 May 2017 4:56 p.m., "Erik Johnston" ***@***.***> wrote:
Thanks for this! Could you just quickly sign off as per CONTRIBUTING.rst
<https://github.com/matrix-org/synapse/blob/master/CONTRIBUTING.rst#sign-off>
please? Just as a comment/email here is fine. (Sorry for not spotting this
before)
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#2221 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAXABs6g9o28m8eBsf_GIBX1xWmuH5yTks5r6GelgaJpZM4NaHfr>
.
|
|
Thanks! |
psaavedra
added a commit
to psaavedra/synapse
that referenced
this pull request
May 19, 2017
Changes in synapse v0.21.0 (2017-05-18) ======================================= No changes since v0.21.0-rc3 Changes in synapse v0.21.0-rc3 (2017-05-17) =========================================== Features: * Add per user rate-limiting overrides (PR matrix-org#2208) * Add config option to limit maximum number of events requested by ``/sync`` and ``/messages`` (PR matrix-org#2221) Thanks to @psaavedra! Changes: * Various small performance fixes (PR matrix-org#2201, matrix-org#2202, matrix-org#2224, matrix-org#2226, matrix-org#2227, matrix-org#2228, matrix-org#2229) * Update username availability checker API (PR matrix-org#2209, matrix-org#2213) * When purging, don't de-delta state groups we're about to delete (PR matrix-org#2214) * Documentation to check synapse version (PR matrix-org#2215) Thanks to @hamber-dick! * Add an index to event_search to speed up purge history API (PR matrix-org#2218) Bug fixes: * Fix API to allow clients to upload one-time-keys with new sigs (PR matrix-org#2206) Changes in synapse v0.21.0-rc2 (2017-05-08) =========================================== Changes: * Always mark remotes as up if we receive a signed request from them (PR matrix-org#2190) Bug fixes: * Fix bug where users got pushed for rooms they had muted (PR matrix-org#2200) Changes in synapse v0.21.0-rc1 (2017-05-08) =========================================== Features: * Add username availability checker API (PR matrix-org#2183) * Add read marker API (PR matrix-org#2120) Changes: * Enable guest access for the 3pl/3pid APIs (PR matrix-org#1986) * Add setting to support TURN for guests (PR matrix-org#2011) * Various performance improvements (PR matrix-org#2075, matrix-org#2076, matrix-org#2080, matrix-org#2083, matrix-org#2108, matrix-org#2158, matrix-org#2176, matrix-org#2185) * Make synctl a bit more user friendly (PR matrix-org#2078, matrix-org#2127) Thanks @APwhitehat! * Replace HTTP replication with TCP replication (PR matrix-org#2082, matrix-org#2097, matrix-org#2098, matrix-org#2099, matrix-org#2103, matrix-org#2014, matrix-org#2016, matrix-org#2115, matrix-org#2116, matrix-org#2117) * Support authenticated SMTP (PR matrix-org#2102) Thanks @DanielDent! * Add a counter metric for successfully-sent transactions (PR matrix-org#2121) * Propagate errors sensibly from proxied IS requests (PR matrix-org#2147) * Add more granular event send metrics (PR matrix-org#2178) Bug fixes: * Fix nuke-room script to work with current schema (PR matrix-org#1927) Thanks @zuckschwerdt! * Fix db port script to not assume postgres tables are in the public schema (PR matrix-org#2024) Thanks @jerrykan! * Fix getting latest device IP for user with no devices (PR matrix-org#2118) * Fix rejection of invites to unreachable servers (PR matrix-org#2145) * Fix code for reporting old verify keys in synapse (PR matrix-org#2156) * Fix invite state to always include all events (PR matrix-org#2163) * Fix bug where synapse would always fetch state for any missing event (PR matrix-org#2170) * Fix a leak with timed out HTTP connections (PR matrix-org#2180) * Fix bug where we didn't time out HTTP requests to ASes (PR matrix-org#2192) Docs: * Clarify doc for SQLite to PostgreSQL port (PR matrix-org#1961) Thanks @benhylau! * Fix typo in synctl help (PR matrix-org#2107) Thanks @HarHarLinks! * ``web_client_location`` documentation fix (PR matrix-org#2131) Thanks @matthewjwolff! * Update README.rst with FreeBSD changes (PR matrix-org#2132) Thanks @feld! * Clarify setting up metrics (PR matrix-org#2149) Thanks @encks!
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: #2220
Some test done during this Saturday confirmed me a new attact vector for Matrix using the
/sync(API). The vulnerability is on Matrix don't set an upper limit for the max number of events to request for a requested room, this allow the attacker generates huge SQL queries in the server which can degradate the service and lead a DDoS.Set the limit on the returned events in the timeline in the get and sync operations. The default value is -1, means no upper limit.
For example, using
filter_timeline_limit: 5000:The server cuts down the room.timeline.limit.
Signed-off-by: Pablo Saavedra (psaavedra@igalia.com)