npm - @enbox/dids - Versions diffs - 0.0.6 → 0.0.8 - Mend

@enbox/dids 0.0.6 → 0.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/LICENSE +3 -2
package/dist/browser.mjs +1 -1
package/dist/browser.mjs.map +3 -3
package/dist/esm/did.js +4 -0
package/dist/esm/did.js.map +1 -1
package/dist/esm/methods/did-dht-pkarr.js +3 -2
package/dist/esm/methods/did-dht-pkarr.js.map +1 -1
package/dist/esm/methods/did-ion.js +3 -2
package/dist/esm/methods/did-ion.js.map +1 -1
package/dist/esm/methods/did-web.js +64 -1
package/dist/esm/methods/did-web.js.map +1 -1
package/dist/esm/resolver/resolver-cache-level.js +9 -0
package/dist/esm/resolver/resolver-cache-level.js.map +1 -1
package/dist/esm/resolver/resolver-cache-memory.js +8 -0
package/dist/esm/resolver/resolver-cache-memory.js.map +1 -1
package/dist/esm/resolver/resolver-cache-noop.js +3 -0
package/dist/esm/resolver/resolver-cache-noop.js.map +1 -1
package/dist/esm/resolver/universal-resolver.js +18 -0
package/dist/esm/resolver/universal-resolver.js.map +1 -1
package/dist/types/did.d.ts.map +1 -1
package/dist/types/methods/did-dht-pkarr.d.ts.map +1 -1
package/dist/types/methods/did-ion.d.ts.map +1 -1
package/dist/types/methods/did-web.d.ts.map +1 -1
package/dist/types/resolver/resolver-cache-level.d.ts +7 -0
package/dist/types/resolver/resolver-cache-level.d.ts.map +1 -1
package/dist/types/resolver/resolver-cache-memory.d.ts +4 -0
package/dist/types/resolver/resolver-cache-memory.d.ts.map +1 -1
package/dist/types/resolver/resolver-cache-noop.d.ts.map +1 -1
package/dist/types/resolver/universal-resolver.d.ts +10 -0
package/dist/types/resolver/universal-resolver.d.ts.map +1 -1
package/dist/utils.js.map +1 -1
package/package.json +3 -3
package/src/did.ts +3 -0
package/src/methods/did-dht-pkarr.ts +3 -2
package/src/methods/did-ion.ts +3 -2
package/src/methods/did-web.ts +52 -1
package/src/resolver/resolver-cache-level.ts +10 -0
package/src/resolver/resolver-cache-memory.ts +7 -0
package/src/resolver/resolver-cache-noop.ts +3 -0
package/src/resolver/universal-resolver.ts +16 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@enbox/dids",
-  "version": "0.0.6",
+  "version": "0.0.8",
   "description": "TBD DIDs library",
   "type": "module",
   "main": "./dist/esm/index.js",
@@ -80,8 +80,8 @@
   "dependencies": {
     "@decentralized-identity/ion-sdk": "1.0.4",
     "@dnsquery/dns-packet": "6.1.1",
-    "@enbox/common": "0.0.4",
-    "@enbox/crypto": "0.0.5",
+    "@enbox/common": "0.0.6",
+    "@enbox/crypto": "0.0.7",
     "abstract-level": "1.0.4",
     "bencode": "4.0.0",
     "level": "8.0.1",

package/src/did.ts CHANGED Viewed

@@ -145,6 +145,9 @@ export class Did {
     // Return null if the input string is empty or not provided.
     if (!didUri) {return null;}
+    // Guard against ReDoS: reject unreasonably long URIs before executing the regex.
+    if (didUri.length > 2048) {return null;}
     // Execute the regex pattern on the input string to extract URI components.
     const match = Did.DID_URI_PATTERN.exec(didUri);

package/src/methods/did-dht-pkarr.ts CHANGED Viewed

@@ -44,7 +44,7 @@ export async function pkarrGet({ gatewayUri, publicKeyBytes }: {
   // Transmit the Get request to the DID DHT Gateway or Pkarr Relay and get the response.
   let response: Response;
   try {
-    response = await fetch(url, { method: 'GET' });
+    response = await fetch(url, { method: 'GET', signal: AbortSignal.timeout(30_000) });
     if (!response.ok) {
       throw new DidError(DidErrorCode.NotFound, `Pkarr record not found for: ${identifier}`);
@@ -113,7 +113,8 @@ export async function pkarrPut({ gatewayUri, bep44Message }: {
     response = await fetch(url, {
       method  : 'PUT',
       headers : { 'Content-Type': 'application/octet-stream' },
-      body
+      body,
+      signal  : AbortSignal.timeout(30_000),
     });
   } catch (error: any) {

package/src/methods/did-ion.ts CHANGED Viewed

@@ -600,7 +600,8 @@ export class DidIon extends DidMethod {
         method  : 'POST',
         mode    : 'cors',
         headers : { 'Content-Type': 'application/json' },
-        body    : JSON.stringify(createOperation)
+        body    : JSON.stringify(createOperation),
+        signal  : AbortSignal.timeout(30_000),
       });
       // Return the result of processing the Create operation, including the updated DID metadata
@@ -681,7 +682,7 @@ export class DidIon extends DidMethod {
       });
       // Attempt to retrieve the DID document and metadata from the Sidetree node.
-      const response = await fetch(resolutionUrl);
+      const response = await fetch(resolutionUrl, { signal: AbortSignal.timeout(30_000) });
       // If the DID document was not found, return an error.
       if (!response.ok) {

package/src/methods/did-web.ts CHANGED Viewed

@@ -4,6 +4,46 @@ import { Did } from '../did.js';
 import { DidMethod } from './did-method.js';
 import { EMPTY_DID_RESOLUTION_RESULT } from '../types/did-resolution.js';
+/** Default fetch timeout for DID document retrieval (30 seconds). */
+const FETCH_TIMEOUT_MS = 30_000;
+/**
+ * Returns `true` when the hostname is a private, loopback, or link-local
+ * address.  Used to block SSRF via crafted `did:web` identifiers such as
+ * `did:web:169.254.169.254` or `did:web:localhost`.
+ */
+function isPrivateHostname(hostname: string): boolean {
+  const h = hostname.toLowerCase();
+  if (h === 'localhost' || h === 'localhost.') { return true; }
+  // IPv4 literal check
+  const parts = h.split('.');
+  if (parts.length === 4) {
+    const octets = parts.map(Number);
+    if (octets.every((o) => !Number.isNaN(o) && o >= 0 && o <= 255)) {
+      const [a, b] = octets;
+      if (a === 10) { return true; } // 10.0.0.0/8
+      if (a === 172 && b >= 16 && b <= 31) { return true; } // 172.16.0.0/12
+      if (a === 192 && b === 168) { return true; } // 192.168.0.0/16
+      if (a === 127) { return true; } // 127.0.0.0/8
+      if (a === 169 && b === 254) { return true; } // 169.254.0.0/16
+      if (a === 0) { return true; } // 0.0.0.0/8
+    }
+  }
+  // IPv6 literal check (bracket-wrapped by URL parser)
+  let v6 = h;
+  if (v6.startsWith('[') && v6.endsWith(']')) { v6 = v6.slice(1, -1); }
+  if (v6.includes(':')) {
+    if (v6 === '::1' || v6 === '::' || v6 === '::0') { return true; }
+    if (v6.startsWith('fe80:') || v6.startsWith('fe80%')) { return true; }
+    if (v6.startsWith('fc') || v6.startsWith('fd')) { return true; }
+  }
+  return false;
+}
 /**
  * The `DidWeb` class provides an implementation of the `did:web` DID method.
  *
@@ -71,8 +111,19 @@ export class DidWeb extends DidMethod {
       `${baseUrl}/.well-known/did.json`;
     try {
+      // Block requests to private/loopback/link-local addresses (SSRF protection).
+      const parsedUrl = new URL(didDocumentUrl);
+      if (isPrivateHostname(parsedUrl.hostname)) {
+        return {
+          ...EMPTY_DID_RESOLUTION_RESULT,
+          didResolutionMetadata: { error: 'notFound' }
+        };
+      }
       // Perform an HTTP GET request to obtain the DID document.
-      const response = await fetch(didDocumentUrl);
+      const response = await fetch(didDocumentUrl, {
+        signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
+      });
       // If the response status code is not 200, return an error.
       if (!response.ok) {throw new Error('HTTP error status code returned');}

package/src/resolver/resolver-cache-level.ts CHANGED Viewed

@@ -87,6 +87,16 @@ export class DidResolverCacheLevel implements DidResolverCache {
     this.ttl = ms(ttl);
   }
+  /**
+   * Opens the underlying LevelDB store.
+   * Calling `open()` on an already-open store is a safe no-op.
+   *
+   * @returns A promise that resolves when the store is ready for use.
+   */
+  open(): Promise<void> {
+    return this.cache.open();
+  }
   /**
    * Retrieves a DID resolution result from the cache.
    *

package/src/resolver/resolver-cache-memory.ts CHANGED Viewed

@@ -26,6 +26,13 @@ export class DidResolverCacheMemory implements DidResolverCache {
     this.cache = new TtlCache({ ttl: ms(ttl) });
   }
+  /**
+   * This method is a no-op since in-memory stores are always ready.
+   */
+  public async open(): Promise<void> {
+    // No-op since there is no underlying store to open.
+  }
   /**
    * Retrieves a DID resolution result from the cache.
    *

package/src/resolver/resolver-cache-noop.ts CHANGED Viewed

@@ -8,6 +8,9 @@ import type { DidResolverCache } from '../types/did-resolution.js';
  * potential for this library to be used in as many JS runtimes as possible.
  */
 export const DidResolverCacheNoop: DidResolverCache = {
+  open(): Promise<void> {
+    return Promise.resolve();
+  },
   get(_key: string): Promise<DidResolutionResult | void> {
     return Promise.resolve(undefined);
   },

package/src/resolver/universal-resolver.ts CHANGED Viewed

@@ -86,6 +86,22 @@ export class UniversalResolver implements DidResolver, DidUrlDereferencer {
     }
   }
+  /**
+   * Opens the resolver's cache, acquiring any resources needed.
+   * Must be called before resolving DIDs if using a cache that requires initialization (e.g., LevelDB).
+   */
+  public async open(): Promise<void> {
+    await this.cache.open();
+  }
+  /**
+   * Closes the resolver's cache, releasing any resources held.
+   * Should be called during application shutdown.
+   */
+  public async close(): Promise<void> {
+    await this.cache.close();
+  }
   /**
    * Resolves a DID to a DID Resolution Result.
    *