Deny access to additional IP addresses by default.

Including IPv6 with embedded IPv4, IPv4-compatible IPv6, and 6to4
addresses.

Author: clokep

changelog.d/9240.misc

@@ -0,0 +1 @@
+Deny access to additional IP addresses by default.

docs/sample_config.yaml

@@ -174,6 +174,42 @@ pid_file: DATADIR/homeserver.pid
 #  - '198.51.100.0/24'
 #  - '203.0.113.0/24'
 #  - '224.0.0.0/4'
+#  - '::127.0.0.0/104'
+#  - '::10.0.0.0/104'
+#  - '::172.16.0.0/108'
+#  - '::192.168.0.0/112'
+#  - '::100.64.0.0/106'
+#  - '::192.0.0.0/120'
+#  - '::169.254.0.0/112'
+#  - '::198.18.0.0/111'
+#  - '::192.0.2.0/120'
+#  - '::198.51.100.0/120'
+#  - '::203.0.113.0/120'
+#  - '::224.0.0.0/100'
+#  - '::ffff:127.0.0.0/104'
+#  - '::ffff:10.0.0.0/104'
+#  - '::ffff:172.16.0.0/108'
+#  - '::ffff:192.168.0.0/112'
+#  - '::ffff:100.64.0.0/106'
+#  - '::ffff:192.0.0.0/120'
+#  - '::ffff:169.254.0.0/112'
+#  - '::ffff:198.18.0.0/111'
+#  - '::ffff:192.0.2.0/120'
+#  - '::ffff:198.51.100.0/120'
+#  - '::ffff:203.0.113.0/120'
+#  - '::ffff:224.0.0.0/100'
+#  - '2002:7f00:0000::/24'
+#  - '2002:0a00:0000::/24'
+#  - '2002:ac10:0000::/28'
+#  - '2002:c0a8:0000::/32'
+#  - '2002:6440:0000::/26'
+#  - '2002:c000:0000::/40'
+#  - '2002:a9fe:0000::/32'
+#  - '2002:c612:0000::/31'
+#  - '2002:c000:0200::/40'
+#  - '2002:c633:6400::/40'
+#  - '2002:cb00:7100::/40'
+#  - '2002:e000:0000::/20'
 #  - '::1/128'
 #  - 'fe80::/10'
 #  - 'fc00::/7'
@@ -985,6 +1021,42 @@ media_store_path: "DATADIR/media_store"
 #  - '198.51.100.0/24'
 #  - '203.0.113.0/24'
 #  - '224.0.0.0/4'
+#  - '::127.0.0.0/104'
+#  - '::10.0.0.0/104'
+#  - '::172.16.0.0/108'
+#  - '::192.168.0.0/112'
+#  - '::100.64.0.0/106'
+#  - '::192.0.0.0/120'
+#  - '::169.254.0.0/112'
+#  - '::198.18.0.0/111'
+#  - '::192.0.2.0/120'
+#  - '::198.51.100.0/120'
+#  - '::203.0.113.0/120'
+#  - '::224.0.0.0/100'
+#  - '::ffff:127.0.0.0/104'
+#  - '::ffff:10.0.0.0/104'
+#  - '::ffff:172.16.0.0/108'
+#  - '::ffff:192.168.0.0/112'
+#  - '::ffff:100.64.0.0/106'
+#  - '::ffff:192.0.0.0/120'
+#  - '::ffff:169.254.0.0/112'
+#  - '::ffff:198.18.0.0/111'
+#  - '::ffff:192.0.2.0/120'
+#  - '::ffff:198.51.100.0/120'
+#  - '::ffff:203.0.113.0/120'
+#  - '::ffff:224.0.0.0/100'
+#  - '2002:7f00:0000::/24'
+#  - '2002:0a00:0000::/24'
+#  - '2002:ac10:0000::/28'
+#  - '2002:c0a8:0000::/32'
+#  - '2002:6440:0000::/26'
+#  - '2002:c000:0000::/40'
+#  - '2002:a9fe:0000::/32'
+#  - '2002:c612:0000::/31'
+#  - '2002:c000:0200::/40'
+#  - '2002:c633:6400::/40'
+#  - '2002:cb00:7100::/40'
+#  - '2002:e000:0000::/20'
 #  - '::1/128'
 #  - 'fe80::/10'
 #  - 'fc00::/7'

synapse/config/server.py

@@ -23,7 +23,7 @@
 
 import attr
 import yaml
-from netaddr import IPSet
+from netaddr import IPNetwork, IPSet
 
 from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
 from synapse.util.stringutils import parse_and_validate_server_name
@@ -40,7 +40,24 @@
 # in the list.
 DEFAULT_BIND_ADDRESSES = ["::", "0.0.0.0"]
 
-DEFAULT_IP_RANGE_BLACKLIST = [
+
+def _6to4(network_str: str) -> str:
+    """Convert an IPv4 network into a 6to4 IPv6 network per RFC 3056."""
+    network = IPNetwork(network_str)
+    # 6to4 networks have a prefix of 2002, the first IPv4 address in the network
+    # needs to be hex-encoded as the next 32 bits. Calculate the new prefix by
+    # adding 16 (the additional bits from the 2002: prefix).
+    hex_network = hex(network.first)[2:]
+    hex_network = ("0" * (8 - len(hex_network))) + hex_network
+    return "2002:%s:%s::/%d" % (
+        hex_network[:4],
+        hex_network[4:],
+        16 + network.prefixlen,
+    )
+
+
+# Start with IPv4 ranges that are considered private / unroutable / don't make sense.
+DEFAULT_IPV4_RANGE_BLACKLIST = [
     # Localhost
     "127.0.0.0/8",
     # Private networks.
@@ -60,13 +77,32 @@
     "203.0.113.0/24",
     # Multicast.
     "224.0.0.0/4",
+]
+
+# IPv6 contains all of the IPv4 address space, see RFC 4291, section 2.5.5.
+# IPv6 also has a deprecated transition mechanism (6to4) which is not supposed
+# to be used for private IPv4 space, see RFC 3056, section 2.
+DEFAULT_IPV6_RANGE_BLACKLIST = (
+    [
+        str(IPNetwork(ip).ipv6(ipv4_compatible=True))
+        for ip in DEFAULT_IPV4_RANGE_BLACKLIST
+    ]
+    + [
+        str(IPNetwork(ip).ipv6(ipv4_compatible=False))
+        for ip in DEFAULT_IPV4_RANGE_BLACKLIST
+    ]
+    + [_6to4(ip) for ip in DEFAULT_IPV4_RANGE_BLACKLIST]
+)
+# Add IPv6 ranges that are considered private / unroutable / don't make sense.
+DEFAULT_IPV6_RANGE_BLACKLIST += [
     # Localhost
     "::1/128",
     # Link-local addresses.
     "fe80::/10",
     # Unique local addresses.
     "fc00::/7",
 ]
+DEFAULT_IP_RANGE_BLACKLIST = DEFAULT_IPV4_RANGE_BLACKLIST + DEFAULT_IPV6_RANGE_BLACKLIST
 
 DEFAULT_ROOM_VERSION = "6"