Endpoint preview_url exposes url to Log

[boontifex]

Description

If a client sends an URL, it uses the endpoint /_matrix/api/r0/preview_url via GET method. So the URL and the sender are exposed to the Homeserver Log (log_level: INFO) and the Reverse-Proxy Access Log (f.e. apache).

Disabling url_preview_enabled in homeserver.yml has no effect.

Its expected that no user messages are exposed to any logfiles, especially with activated e2e encryption. Changing the method from GET to POST will fix this issue.

Workaround

• set loglevel to WARN in homeserver log config
• exclude preview_url from logging

f.e. in apache config.

SetEnvIf Request_URI "^/_matrix/media/(.*)/preview_url(.*)$" dontlog
CustomLog /var/log/apache2/access.log combined env=!dontlog

Steps to reproduce

• use a client of your choice, fe. elements-web or elements-desktop
• send a message that only contains a url
• follow the homeserver and reverse proxy logs

2021-12-15 14:43:25,837 - synapse.access.http.8008 - 400 - INFO - GET-268 - 123.123.123.123 - 8008 - {None} Processed request: 0.000sec/-0.000sec (0.000sec, 0.000sec) (0.000sec/0.000sec/0) 153B 404 "GET /_matrix/media/r0/preview_url?url=https%3A%2F%2Fgitpro.ttaallkk.top%2Fmatrix-org%2Fsynapse HTTP/1.1"

Version information

• Version: 1.48.0
• Platform: Debian 11

[squahtx]

Changing GET to POST would require a spec change on matrix-doc unfortunately. I'm not entirely confident that it'd be accepted by the spec people.

I believe clients are not supposed to use the preview_url endpoint when E2E encryption is on, since that would leak message contents as you point out.

On the Synapse end, we can redact preview URLs from the logs, since we already do this for access tokens and client secrets:
https://github.com/matrix-org/synapse/blob/release-v1.49/synapse/http/__init__.py#L32-L39

[DMRobertson]

The spec notes:

Note: Clients should consider avoiding this endpoint for URLs posted in encrypted rooms. Encrypted rooms often contain more sensitive information the users do not want to share with the homeserver, and this can mean that the URLs being shared should also not be shared with the homeserver.

[boontifex]

@DMRobertson: I agree, clients shouldn't use preview_url especially not in encrypted rooms. In our case, we also disabled preview_url in synapse homeserver.yml. So it might be a good idea, to promote activated features to clients. I know this will result in much work and long discussions.

@squahtx: Your proposal could be a fast solution, but redacting homeserver logs has no effect to reverse proxy logs. So it couldn't be the final solution.

[callahad]

redacting homeserver logs has no effect to reverse proxy logs. So it couldn't be the final solution.

That's a fair point, and probably means log redaction isn't worth pursuing as a fix.

A proper fix would be, as you mentioned, moving this endpoint to accepting data via POST. We can't do that unilaterally in Synapse because it's an issue with the Matrix specification itself. I'd strongly urge you (or anyone else reading this issue) to propose a Matrix Spec Change (MSC) following the process at https://spec.matrix.org/v1.1/proposals/#process

I'm going to close this as wontfix as we can't do anything about it until the Spec Core Team approves of this change to the Matrix specification.