@fedify/fedify 0.11.1 → 0.11.2

package/CHANGES.md

@@ -3,6 +3,21 @@
 Fedify changelog
 ================
 
+Version 0.11.2
+--------------
+
+Released on July 9, 2024.
+
+ -  Fixed a vulnerability of SSRF via DNS rebinding in the built-in document
+    loader.  [[CVE-2024-39687]]
+
+     -  The `fetchDocumentLoader()` function now throws an error when the given
+        domain name has any records referring to a private network address.
+     -  The `getAuthenticatedDocumentLoader()` function now returns a document
+        loader that throws an error when the given domain name has any records
+        referring to a private network address.
+
+
 Version 0.11.1
 --------------
 
@@ -201,6 +216,21 @@ Released on June 29, 2024.
 [#80]: https://github.com/dahlia/fedify/pull/80
 
 
+Version 0.10.2
+--------------
+
+Released on July 9, 2024.
+
+ -  Fixed a vulnerability of SSRF via DNS rebinding in the built-in document
+    loader.  [[CVE-2024-39687]]
+
+     -  The `fetchDocumentLoader()` function now throws an error when the given
+        domain name has any records referring to a private network address.
+     -  The `getAuthenticatedDocumentLoader()` function now returns a document
+        loader that throws an error when the given domain name has any records
+        referring to a private network address.
+
+
 Version 0.10.1
 --------------
 
@@ -377,6 +407,21 @@ is now distributed under the [MIT License] to encourage wider adoption.
 [x-forwarded-fetch]: https://github.com/dahlia/x-forwarded-fetch
 
 
+Version 0.9.3
+-------------
+
+Released on July 9, 2024.
+
+ -  Fixed a vulnerability of SSRF via DNS rebinding in the built-in document
+    loader.  [[CVE-2024-39687]]
+
+     -  The `fetchDocumentLoader()` function now throws an error when the given
+        domain name has any records referring to a private network address.
+     -  The `getAuthenticatedDocumentLoader()` function now returns a document
+        loader that throws an error when the given domain name has any records
+        referring to a private network address.
+
+
 Version 0.9.2
 -------------
 

package/esm/runtime/key.js

@@ -1,6 +1,6 @@
 import * as dntShim from "../_dnt.shims.js";
 import { createPublicKey } from "node:crypto";
-import { concat } from "../deps/jsr.io/@std/bytes/1.0.1/concat.js";
+import { concat } from "../deps/jsr.io/@std/bytes/1.0.2/concat.js";
 import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/0.224.3/base64.js";
 import { decodeBase64Url } from "../deps/jsr.io/@std/encoding/0.224.3/base64url.js";
 import { decodeHex } from "../deps/jsr.io/@std/encoding/0.224.3/hex.js";

package/esm/runtime/url.js

@@ -30,11 +30,15 @@ export async function validatePublicUrl(url) {
         if (netPermission.state !== "granted")
             return;
     }
-    const { address, family } = await lookup(hostname);
-    if (family === 4 && !isValidPublicIPv4Address(address) ||
-        family === 6 && !isValidPublicIPv6Address(address) ||
-        family < 4 || family === 5 || family > 6) {
-        throw new UrlError(`Invalid or private address: ${address}`);
+    // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses
+    // and ensure that they are all public:
+    const addresses = await lookup(hostname, { all: true });
+    for (const { address, family } of addresses) {
+        if (family === 4 && !isValidPublicIPv4Address(address) ||
+            family === 6 && !isValidPublicIPv6Address(address) ||
+            family < 4 || family === 5 || family > 6) {
+            throw new UrlError(`Invalid or private address: ${address}`);
+        }
     }
 }
 export function isValidPublicIPv4Address(address) {

package/esm/sig/http.js

@@ -1,6 +1,6 @@
 import * as dntShim from "../_dnt.shims.js";
 import { getLogger } from "@logtape/logtape";
-import { equals } from "../deps/jsr.io/@std/bytes/1.0.1/mod.js";
+import { equals } from "../deps/jsr.io/@std/bytes/1.0.2/mod.js";
 import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/0.224.3/base64.js";
 import { CryptographicKey } from "../vocab/vocab.js";
 import { fetchKey, validateCryptoKey } from "./key.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/fedify",
-  "version": "0.11.1",
+  "version": "0.11.2",
   "description": "An ActivityPub server framework",
   "keywords": [
     "ActivityPub",

package/types/deps/jsr.io/@std/bytes/{1.0.1 → 1.0.2}/concat.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"concat.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.1/concat.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,MAAM,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG,UAAU,CAaxD"}
+{"version":3,"file":"concat.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.2/concat.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,MAAM,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG,UAAU,CAaxD"}

package/types/deps/jsr.io/@std/bytes/{1.0.1 → 1.0.2}/copy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"copy.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.1/copy.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,wBAAgB,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,EAAE,MAAM,SAAI,GAAG,MAAM,CAQzE"}
+{"version":3,"file":"copy.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.2/copy.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,wBAAgB,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,EAAE,MAAM,SAAI,GAAG,MAAM,CAQzE"}

package/types/deps/jsr.io/@std/bytes/{1.0.1 → 1.0.2}/ends_with.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ends_with.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.1/ends_with.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,QAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,GAAG,OAAO,CAWxE"}
+{"version":3,"file":"ends_with.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.2/ends_with.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,QAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,GAAG,OAAO,CAWxE"}

package/types/deps/jsr.io/@std/bytes/{1.0.1 → 1.0.2}/equals.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"equals.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.1/equals.ts"],"names":[],"mappings":"AA6DA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,MAAM,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,GAAG,OAAO,CAQ5D"}
+{"version":3,"file":"equals.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.2/equals.ts"],"names":[],"mappings":"AA6DA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,MAAM,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,GAAG,OAAO,CAQ5D"}

package/types/deps/jsr.io/@std/bytes/{1.0.1 → 1.0.2}/includes_needle.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"includes_needle.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.1/includes_needle.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,wBAAgB,cAAc,CAC5B,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,UAAU,EAClB,KAAK,SAAI,GACR,OAAO,CAET"}
+{"version":3,"file":"includes_needle.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.2/includes_needle.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,wBAAgB,cAAc,CAC5B,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,UAAU,EAClB,KAAK,SAAI,GACR,OAAO,CAET"}

package/types/deps/jsr.io/@std/bytes/{1.0.1 → 1.0.2}/index_of_needle.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index_of_needle.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.1/index_of_needle.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,UAAU,EAClB,KAAK,SAAI,GACR,MAAM,CAqBR"}
+{"version":3,"file":"index_of_needle.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.2/index_of_needle.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,UAAU,EAClB,KAAK,SAAI,GACR,MAAM,CAqBR"}

package/types/deps/jsr.io/@std/bytes/{1.0.1 → 1.0.2}/last_index_of_needle.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"last_index_of_needle.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.1/last_index_of_needle.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,UAAU,EAClB,KAAK,GAAE,MAA0B,GAChC,MAAM,CAuBR"}
+{"version":3,"file":"last_index_of_needle.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.2/last_index_of_needle.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,UAAU,EAClB,KAAK,GAAE,MAA0B,GAChC,MAAM,CAuBR"}

package/types/deps/jsr.io/@std/bytes/{1.0.1 → 1.0.2}/mod.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.1/mod.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,cAAc,aAAa,CAAC;AAC5B,cAAc,WAAW,CAAC;AAC1B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,aAAa,CAAC;AAC5B,cAAc,sBAAsB,CAAC;AACrC,cAAc,sBAAsB,CAAC;AACrC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,aAAa,CAAC;AAC5B,cAAc,kBAAkB,CAAC"}
+{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.2/mod.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,cAAc,aAAa,CAAC;AAC5B,cAAc,WAAW,CAAC;AAC1B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,aAAa,CAAC;AAC5B,cAAc,sBAAsB,CAAC;AACrC,cAAc,sBAAsB,CAAC;AACrC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,aAAa,CAAC;AAC5B,cAAc,kBAAkB,CAAC"}

package/types/deps/jsr.io/@std/bytes/{1.0.1 → 1.0.2}/repeat.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"repeat.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.1/repeat.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,wBAAgB,MAAM,CAAC,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,UAAU,CAapE"}
+{"version":3,"file":"repeat.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.2/repeat.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,wBAAgB,MAAM,CAAC,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,UAAU,CAapE"}

package/types/deps/jsr.io/@std/bytes/{1.0.1 → 1.0.2}/starts_with.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"starts_with.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.1/starts_with.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,GAAG,OAAO,CAS1E"}
+{"version":3,"file":"starts_with.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/bytes/1.0.2/starts_with.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,GAAG,OAAO,CAS1E"}

package/types/runtime/url.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"url.d.ts","sourceRoot":"","sources":["../../src/runtime/url.ts"],"names":[],"mappings":"AAIA,qBAAa,QAAS,SAAQ,KAAK;gBACrB,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA2BlE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CASjE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,WASvD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAWzD"}
+{"version":3,"file":"url.d.ts","sourceRoot":"","sources":["../../src/runtime/url.ts"],"names":[],"mappings":"AAIA,qBAAa,QAAS,SAAQ,KAAK;gBACrB,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA+BlE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CASjE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,WASvD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAWzD"}