Support rendering previews with data: URLs in them

[clokep]

I noticed while reviewing/testing #11669 that if a webpage has a data: on it (which we choose for the og:image response) then the URL preview breaks. An example page for this is https://www.reddit.com/r/matrixdotorg/comments/s5m47u/cant_connect_to_my_home_server_in_element/

The image which ends up being chosen is the reddit logo, which they embed as a data: URL. After this PR we get a working preview:

The only thing that is a bit weird about the current implementation is that it will allow Synapse to directly render data: URLs if requests, e.g. using the "HTML document" example from MDN and URL encoding it: This is no longer true and only image or oEmbed URLs found in HTML would be parsed if they're data: URLs.

$ curl --header "Authorization: Bearer $TOK" http://localhost:8080/_matrix/media/r0/preview_url\?url\=data%3Atext%2Fhtml%2C%253Ch1%253EHello%252C%2520World%2521%253C%252Fh1%253E
{"og:title":"Hello, World!","og:description":"Hello, World!"}

I don't think there's any risk to doing this since we're not rendering JavaScript, but it feels a bit icky.

The code should probably handle if you embed something weird (e.g. HTML) as the src of the image, however. (Note that "other" schemes usually get rejected via deep in Twisted internals for Agent). Without this change the error is obscure since the rebase_url method is broken and you end up trying to preview data:www.reddit.com/r/matrixdotorg/comments/s5m47u/cant_connect_to_my_home_server_in_element/image/png;base64,<the base 64 data>.

Should be reviewable commit-by-commit.

[clokep]

We might want to assert HTTP(S) schemes here as additional error checking.

[reivilibre]

Yeah I feel like I'd be happier having a few select allowed protocols rather than singling out data:; not sure it really makes sense to ask us to preview an ftp: URI either for example.

[clokep]

Yep, note that those will fail right now (we won't try them), but it would be better to be explicit, I think!

[clokep]

I think this might actually be tougher to get correct than I initially though since we seem to support previewing scheme-less URLs. I'm not sure it makes sense to refactor that as part of this.

[reivilibre]

Yeah, fair enough.

[clokep]

The only thing that is a bit weird about the current implementation is that it will allow Synapse to directly render data: URLs if requests

We could probably avoid this with a flag, now that I think a bit more about it. So directly given URLs couldn't be data:. I'm not sure if this offers any real protection though.

[DMRobertson]

A few drive-by comments.

Not sure of the security ramifications here; I'll stick into the queue for a second opinion. But FWIW: instead of downloading an arbitrary data blob from someone else, we have an arbitrary binary blob provided to us via a URL---is there any difference? If Synapse itself was processing the data blob generically, then I could forsee problems like the billion laughs attack or some invalid image data designed to trip up an image renderer.

I agree with you on the ickiness. It does seem... odd and confused to allow someone to say "please preview this data that I already have".

[DMRobertson]

Should we cross reference this with the mime-type in the data url?

(Do we want to have some kind of whitelist of trusted mime types which are okay to preview?)

[clokep]

This is the mime-type from the data URL, it gets parsed out for us and shoved into a headers property for some reason.

The docs for urlopen have some info on how data URLs are handled:

For FTP, file, and data URLs [...], this function returns a urllib.response.addinfourl object.

The addinfourl object has a headers property:

Returns the headers of the response in the form of an EmailMessage instance.

The EmailMessage object has a get_content_type() property:

Return the message’s content type, coerced to lower case of the form maintype/subtype. If there is no Content-Type header in the message return the value returned by get_default_type(). If the Content-Type header is invalid, return text/plain.

This all doesn't really make sense for data URLs, but from trial and error it seems to do the correct thing.

[clokep]

I added a clarifying comment in 116015f -- hopefully that helps?

[clokep]

Not sure of the security ramifications here; I'll stick into the queue for a second opinion. But FWIW: instead of downloading an arbitrary data blob from someone else, we have an arbitrary binary blob provided to us via a URL---is there any difference? If Synapse itself was processing the data blob generically, then I could forsee problems like the billion laughs attack or some invalid image data designed to trip up an image renderer.

I agree with you on the ickiness. It does seem... odd and confused to allow someone to say "please preview this data that I already have".

Thanks for the review! I agree that it isn't too different from what we're doing. It is worth investigating how urlopen would work in some situations though (I'll take a look at that!) In particular this might not handle our max download size properly...but if it is embedded in something we already downloaded then by definition it must be smaller than the max download size. I think.

I've updated the PR to not allow directly previewing data: URLs because I don't think there's a valid use-case there.

[reivilibre]

Seems sensible enough — just a few points

[reivilibre]

Do you know how this differs from urljoin in the standard lib?
Not necessarily opposed to rolling our own, but it'd be nice to know if we had specific motivation for doing so.

[clokep]

I didn't know of it, but I'll look into it!

[clokep]

I think this will work OK, but I'd rather punt this to a separate PR since it is pretty unrelated to this work. Would that be OK?

[reivilibre]

yeah OK

[reivilibre]

Yeah I feel like I'd be happier having a few select allowed protocols rather than singling out data:; not sure it really makes sense to ask us to preview an ftp: URI either for example.

[reivilibre]

Thanks!