Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow workers to serve new v3 APIs #1404

Merged
merged 1 commit into from
Nov 19, 2021
Merged

Allow workers to serve new v3 APIs #1404

merged 1 commit into from
Nov 19, 2021

Conversation

aaronraimist
Copy link
Contributor

Support for these APIs will probably be in Synapse 1.48.0 but this can get merged at any time.

@spantaleev
Copy link
Owner

We'll probably lose the changes to roles/matrix-synapse/vars/workers.yml the next time we run roles/matrix-synapse/files/workers-doc-to-yaml.sh.

It doesn't seem like it hurts to merge this, however.

Does the develop branch of Synapse (and some :latest Docker image?) already handle any v3 endpoints? I'm not sure what the :latest Docker image actually is - latest stable or latest develop? Seems like there is a :develop Docker image, but it hasn't been updated in 2 years.

@aaronraimist
Copy link
Contributor Author

Ah I didn't know about workers-doc-to-yaml.sh.

Develop does serve v3 APIs as of matrix-org/synapse#11318

I believe the latest tag on docker is latest stable version.

spantaleev added a commit to devture/matrix-corporal that referenced this pull request Nov 19, 2021
@spantaleev
Improve middleware for rejecting unknown Client-Server API versions
5562258 
Related to:
- https://matrix.org/blog/2021/11/09/matrix-v-1-1-release
- matrix-org/synapse#11318
- spantaleev/matrix-docker-ansible-deploy#1404

Our `denyUnsupportedApiVersionsMiddleware` middleware was trying to
match `rXXX` versions and reject unsupported ones (anything besides
`r0`), but now that the prefix is changing (`vXXX`) we were not matching
the new one correctly and were letting `vXXX` requests go through.

This is not a security issue yet, as no stable version of a homeserver
supports v3-prefixed APIs yet, but an upcoming Synapse v1.48.0 is slated
to add support for those. An old matrix-corporal version (lacking this
patch) combined with Synapse v1.48.0+ will let such v3 requests go through,
effectively circuimventing matrix-corporal's protections.
spantaleev added a commit to devture/matrix-corporal that referenced this pull request Nov 19, 2021
@spantaleev
Add support for v3 Client-Server API
9ede33a 
Related to:

- https://matrix.org/blog/2021/11/09/matrix-v-1-1-release
- matrix-org/synapse#11318
- spantaleev/matrix-docker-ansible-deploy#1404

The upcoming Synapse v1.48.0 release is likely to expose all these `r0`
APIs that we've used till now as `v3` APIs. Both the `r0` and `v3`
prefixes lead to the same APIs on the homeserver.

matrix-corporal 2.1.5 already properly handles rejecting unknown
v-prefixed versions (`v3` included), which patched a potential future
security vulnerability (when Synapse v1.48.0 ultimately gets released).

This patch adds to it and lets `v3` requests go through and get handled
the same way `r0` requests are handled.
spantaleev added a commit that referenced this pull request Nov 19, 2021
@spantaleev
Upgrade matrix-corporal (2.1.4 -> 2.2.0)
2e73dac 
There was also a 2.1.5 security release made today.
2.2.0 contains the same security fix + more.

Both make handling of Client-Server API v3-prefixed requests better.

Related to #1404
@spantaleev spantaleev merged commit 3b27ce2 into spantaleev:master Nov 19, 2021
@spantaleev
Copy link
Owner

I see that you've also updated Synapse's docs/workers.md in (matrix-org/synapse#11371, etc.), so our auto-generated workers.yml should not lose too much. Still, it'd be nice to test it and fix it up when the time comes.

I'm merging this as-is. Thank you! 👍

@spantaleev spantaleev mentioned this pull request Dec 9, 2021
Merged
@aaronraimist aaronraimist deleted the v3 branch December 9, 2021 13:54
HarHarLinks pushed a commit to HarHarLinks/matrix-docker-ansible-deploy that referenced this pull request Feb 16, 2022
@spantaleev @HarHarLinks
Upgrade matrix-corporal (2.1.4 -> 2.2.0)
7702b2d 
There was also a 2.1.5 security release made today.
2.2.0 contains the same security fix + more.

Both make handling of Client-Server API v3-prefixed requests better.

Related to spantaleev#1404
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@aaronraimist @spantaleev