Ensure the url previewer also hashes and quarantines media (#18297)

Half-Shot · anoadragon453 · web-flow · commit d0873d549a8c · 2025-05-06T11:04:31.000+01:00
Co-authored-by: Andrew Morgan &lt;1342360+anoadragon453@users.noreply.github.com&gt;
diff --git a/changelog.d/18297.misc b/changelog.d/18297.misc
@@ -0,0 +1 @@
+Apply file hashing and existing quarantines to media downloaded for URL previews.
diff --git a/synapse/media/media_repository.py b/synapse/media/media_repository.py
@@ -378,7 +378,6 @@ async def create_content(
             media_length=content_length,
             user_id=auth_user,
             sha256=sha256,
-            # TODO: Better name?
             quarantined_by="system" if should_quarantine else None,
         )
 
diff --git a/synapse/media/url_previewer.py b/synapse/media/url_previewer.py
@@ -41,7 +41,7 @@
 from synapse.http.client import SimpleHttpClient
 from synapse.logging.context import make_deferred_yieldable, run_in_background
 from synapse.media._base import FileInfo, get_filename_from_headers
-from synapse.media.media_storage import MediaStorage
+from synapse.media.media_storage import MediaStorage, SHA256TransparentIOWriter
 from synapse.media.oembed import OEmbedProvider
 from synapse.media.preview_html import decode_body, parse_html_to_open_graph
 from synapse.metrics.background_process_metrics import run_as_background_process
@@ -593,17 +593,26 @@ async def _handle_url(
         file_info = FileInfo(server_name=None, file_id=file_id, url_cache=True)
 
         async with self.media_storage.store_into_file(file_info) as (f, fname):
+            sha256writer = SHA256TransparentIOWriter(f)
             if url.startswith("data:"):
                 if not allow_data_urls:
                     raise SynapseError(
                         500, "Previewing of data: URLs is forbidden", Codes.UNKNOWN
                     )
 
-                download_result = await self._parse_data_url(url, f)
+                download_result = await self._parse_data_url(url, sha256writer.wrap())
             else:
-                download_result = await self._download_url(url, f)
+                download_result = await self._download_url(url, sha256writer.wrap())
 
         try:
+            sha256 = sha256writer.hexdigest()
+            should_quarantine = await self.store.get_is_hash_quarantined(sha256)
+
+            if should_quarantine:
+                logger.warn(
+                    "Media has been automatically quarantined as it matched existing quarantined media"
+                )
+
             time_now_ms = self.clock.time_msec()
 
             await self.store.store_local_media(
@@ -614,6 +623,8 @@ async def _handle_url(
                 media_length=download_result.length,
                 user_id=user,
                 url_cache=url,
+                sha256=sha256,
+                quarantined_by="system" if should_quarantine else None,
             )
 
         except Exception as e:

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Apply file hashing and existing quarantines to media downloaded for URL previews.`
Original file line number	Diff line number	Diff line change
`@@ -378,7 +378,6 @@ async def create_content(`
`378`	`378`	`media_length=content_length,`
`379`	`379`	`user_id=auth_user,`
`380`	`380`	`sha256=sha256,`
`381`		`- # TODO: Better name?`
`382`	`381`	`quarantined_by="system" if should_quarantine else None,`
`383`	`382`	`)`
`384`	`383`