Ensure the url previewer also hashes and quarantines media (element-hq#18297)

Co-authored-by: Andrew Morgan <[email protected]>

Author: 2 people

changelog.d/18297.misc

@@ -0,0 +1 @@
+Apply file hashing and existing quarantines to media downloaded for URL previews.

synapse/media/media_repository.py

@@ -378,7 +378,6 @@ async def create_content(
             media_length=content_length,
             user_id=auth_user,
             sha256=sha256,
-            # TODO: Better name?
             quarantined_by="system" if should_quarantine else None,
         )
 

synapse/media/url_previewer.py

@@ -41,7 +41,7 @@
 from synapse.http.client import SimpleHttpClient
 from synapse.logging.context import make_deferred_yieldable, run_in_background
 from synapse.media._base import FileInfo, get_filename_from_headers
-from synapse.media.media_storage import MediaStorage
+from synapse.media.media_storage import MediaStorage, SHA256TransparentIOWriter
 from synapse.media.oembed import OEmbedProvider
 from synapse.media.preview_html import decode_body, parse_html_to_open_graph
 from synapse.metrics.background_process_metrics import run_as_background_process
@@ -593,17 +593,26 @@ async def _handle_url(
         file_info = FileInfo(server_name=None, file_id=file_id, url_cache=True)
 
         async with self.media_storage.store_into_file(file_info) as (f, fname):
+            sha256writer = SHA256TransparentIOWriter(f)
             if url.startswith("data:"):
                 if not allow_data_urls:
                     raise SynapseError(
                         500, "Previewing of data: URLs is forbidden", Codes.UNKNOWN
                     )
 
-                download_result = await self._parse_data_url(url, f)
+                download_result = await self._parse_data_url(url, sha256writer.wrap())
             else:
-                download_result = await self._download_url(url, f)
+                download_result = await self._download_url(url, sha256writer.wrap())
 
         try:
+            sha256 = sha256writer.hexdigest()
+            should_quarantine = await self.store.get_is_hash_quarantined(sha256)
+
+            if should_quarantine:
+                logger.warn(
+                    "Media has been automatically quarantined as it matched existing quarantined media"
+                )
+
             time_now_ms = self.clock.time_msec()
 
             await self.store.store_local_media(
@@ -614,6 +623,8 @@ async def _handle_url(
                 media_length=download_result.length,
                 user_id=user,
                 url_cache=url,
+                sha256=sha256,
+                quarantined_by="system" if should_quarantine else None,
             )
 
         except Exception as e: