Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Don't ratelimit server-sent delayed events #18018

Draft
wants to merge 2 commits into
base: develop
Choose a base branch
from

Conversation

AndrewFerr
Copy link
Member

@AndrewFerr AndrewFerr commented Dec 9, 2024

Fixes #18021

When the server sends a delayed event upon timeout / on-demand sending, don't apply ratelimiting to the event create+send attempt, because it is a send that the server expects to be able to send.

What should (and does) get rate-limited are client requests to manage delayed events.

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
    • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
  • Code style is correct
    (run the linters)

Sorry, something went wrong.

When the server sends a delayed event upon timeout / on-demand sending,
don't apply ratelimiting to the event create+send attempt, because it is
a send that the server expects to be able to send.

What should (and does) get rate-limited are client requests to manage
delayed events.
@AndrewFerr AndrewFerr requested a review from a team as a code owner December 9, 2024 16:58
Copy link
Member

@hughns hughns left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change goes against the security considerations of MSC4140. Specifically: https://github.com/matrix-org/matrix-spec-proposals/blob/toger5/expiring-events-keep-alive/proposals/4140-delayed-events-futures.md#rate-limiting-at-the-point-of-sending

To make sure that this doesn't get forgotten I've made a tracking issue and added context there: #18021 (comment)

To be clear: I don't think it is a good idea to be removing this rate limit at this point without a planned action of how the risk would be mitigated in future.

@thisisjoesGH
Copy link

What should (and does) get rate-limited are client requests to manage delayed events.

The client request ratelimit is trivially overridden by a malicious homeserver without any code modifications since it is exposed in the Synapse config. Synapse should not be relying on other homeservers to play nice. If the proposed fix is merged it seems like this entire feature will just be a massive new abuse vector.

@AndrewFerr
Copy link
Member Author

The client request ratelimit is trivially overridden by a malicious homeserver without any code modifications since it is exposed in the Synapse config.

If you're referring to non-ratelimited delayed events arriving via federation, I believe that would be protected against by federation-level ratelimiting. Otherwise, there'd already be the possibility of a malicious homeserver disabling all ratelimiting & flooding remote rooms with events.

@thisisjoesGH
Copy link

If you're referring to non-ratelimited delayed events arriving via federation, I believe that would be protected against by federation-level ratelimiting. Otherwise, there'd already be the possibility of a malicious homeserver disabling all ratelimiting & flooding remote rooms with events.

I misunderstood this change as affecting the processing of incoming events rather than outgoing. In that case, is this a potential federation DoS issue? It appears a user could currently schedule an unlimited number of delayed events. Is "a limit on the maximum number of outstanding delayed events" going to be implemented in Synapse as suggested by the MSC?

@AndrewFerr
Copy link
Member Author

Is "a limit on the maximum number of outstanding delayed events" going to be implemented in Synapse as suggested by the MSC?

Yes, this is something I'm also working on.

@anoadragon453
Copy link
Member

I'm going to take this off the review queue until we come up with a workable solution -> #18021

Feel free to add it back on afterwards (if you don't have permissions to, poke someone on the team).

@anoadragon453 anoadragon453 removed the request for review from a team December 19, 2024 16:39
@hughns
Copy link
Member

hughns commented Jan 10, 2025

I'm going to take this off the review queue until we come up with a workable solution -> #18021

Feel free to add it back on afterwards (if you don't have permissions to, poke someone on the team).

Marking it as draft until this happens.

@hughns hughns marked this pull request as draft January 10, 2025 14:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

MSC4140 delayed event rate limit failures are not handled
4 participants