@fedify/fedify 0.12.0-dev.268 → 0.12.0-dev.276

package/CHANGES.md

@@ -40,6 +40,21 @@ To be released.
 
  -  Added `ChatMessage` class to Activity Vocabulary API.  [[#85]]
 
+ -  Added `Move` class to Activity Vocabulary API.  [[#65], [#92] by Lee Dogeon]
+
+ -  Added `Read` class to Activity Vocabulary API.  [[#65], [#92] by Lee Dogeon]
+
+ -  Added `Travel` class to Activity Vocabulary API.
+    [[#65], [#92] by Lee Dogeon]
+
+ -  Added `View` class to Activity Vocabulary API.  [[#65], [#92] by Lee Dogeon]
+
+ -  Added `TentativeAccept` class to Activity Vocabulary API.
+    [[#65], [#92] by Lee Dogeon]
+
+ -  Added `TentativeReject` class to Activity Vocabulary API.
+    [[#65], [#92] by Lee Dogeon]
+
  -  Improved multitenancy (virtual hosting) support.  [[#66]]
 
      -  Added `Context.hostname` property.
@@ -54,6 +69,15 @@ To be released.
  -  The last parameter of `Federation.sendActivity()` method is no longer
     optional.  Also, it now takes the required `contextData` option.
 
+ -  Fixed a SSRF vulnerability in the built-in document loader.
+    [[CVE-2024-39687]]
+
+     -  The `fetchDocumentLoader()` function now throws an error when the given
+        URL is not an HTTP or HTTPS URL or refers to a private network address.
+     -  The `getAuthenticatedDocumentLoader()` function now returns a document
+        loader that throws an error when the given URL is not an HTTP or HTTPS
+        URL or refers to a private network address.
+
  -  Added more log messages using the [LogTape] library.  Currently the below
     logger categories are used:
 
@@ -63,6 +87,22 @@ To be released.
 [#66]: https://github.com/dahlia/fedify/issues/66
 [#70]: https://github.com/dahlia/fedify/issues/70
 [#85]: https://github.com/dahlia/fedify/issues/85
+[#92]: https://github.com/dahlia/fedify/pull/92
+
+
+Version 0.11.1
+--------------
+
+Released on July 5, 2024.
+
+ -  Fixed a SSRF vulnerability in the built-in document loader.
+    [[CVE-2024-39687]]
+
+     -  The `fetchDocumentLoader()` function now throws an error when the given
+        URL is not an HTTP or HTTPS URL or refers to a private network address.
+     -  The `getAuthenticatedDocumentLoader()` function now returns a document
+        loader that throws an error when the given URL is not an HTTP or HTTPS
+        URL or refers to a private network address.
 
 
 Version 0.11.0
@@ -248,6 +288,21 @@ Released on June 29, 2024.
 [#80]: https://github.com/dahlia/fedify/pull/80
 
 
+Version 0.10.1
+--------------
+
+Released on July 5, 2024.
+
+ -  Fixed a SSRF vulnerability in the built-in document loader.
+    [[CVE-2024-39687]]
+
+     -  The `fetchDocumentLoader()` function now throws an error when the given
+        URL is not an HTTP or HTTPS URL or refers to a private network address.
+     -  The `getAuthenticatedDocumentLoader()` function now returns a document
+        loader that throws an error when the given URL is not an HTTP or HTTPS
+        URL or refers to a private network address.
+
+
 Version 0.10.0
 --------------
 
@@ -409,6 +464,23 @@ is now distributed under the [MIT License] to encourage wider adoption.
 [x-forwarded-fetch]: https://github.com/dahlia/x-forwarded-fetch
 
 
+Version 0.9.2
+-------------
+
+Released on July 5, 2024.
+
+ -  Fixed a SSRF vulnerability in the built-in document loader.
+    [[CVE-2024-39687]]
+
+     -  The `fetchDocumentLoader()` function now throws an error when the given
+        URL is not an HTTP or HTTPS URL or refers to a private network address.
+     -  The `getAuthenticatedDocumentLoader()` function now returns a document
+        loader that throws an error when the given URL is not an HTTP or HTTPS
+        URL or refers to a private network address.
+
+[CVE-2024-39687]: https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx
+
+
 Version 0.9.1
 -------------
 

package/FEDERATION.md

@@ -61,9 +61,15 @@ lists the activity types that Fedify provides:
  -  [`Leave`](https://jsr.io/@fedify/fedify/doc/vocab/~/Leave)
  -  [`Like`](https://jsr.io/@fedify/fedify/doc/vocab/~/Like)
  -  [`Listen`](https://jsr.io/@fedify/fedify/doc/vocab/~/Listen)
+ -  [`Move`](https://jsr.io/@fedify/fedify/doc/vocab/~/Move)
  -  [`Offer`](https://jsr.io/@fedify/fedify/doc/vocab/~/Offer)
  -  [`Question`](https://jsr.io/@fedify/fedify/doc/vocab/~/Question)
+ -  [`Read`](https://jsr.io/@fedify/fedify/doc/vocab/~/Read)
  -  [`Reject`](https://jsr.io/@fedify/fedify/doc/vocab/~/Reject)
  -  [`Remove`](https://jsr.io/@fedify/fedify/doc/vocab/~/Remove)
+ -  [`TentativeAccept`](https://jsr.io/@fedify/fedify/doc/vocab/~/TentativeAccept)
+ -  [`TentativeReject`](https://jsr.io/@fedify/fedify/doc/vocab/~/TentativeReject)
+ -  [`Travel`](https://jsr.io/@fedify/fedify/doc/vocab/~/Travel)
  -  [`Undo`](https://jsr.io/@fedify/fedify/doc/vocab/~/Undo)
  -  [`Update`](https://jsr.io/@fedify/fedify/doc/vocab/~/Update)
+ -  [`View`](https://jsr.io/@fedify/fedify/doc/vocab/~/View)

package/esm/runtime/docloader.js

@@ -3,6 +3,7 @@ import { getLogger } from "@logtape/logtape";
 import { signRequest } from "../sig/http.js";
 import { validateCryptoKey } from "../sig/key.js";
 import preloadedContexts from "./contexts.js";
+import { validatePublicUrl } from "./url.js";
 const logger = getLogger(["fedify", "runtime", "docloader"]);
 /**
  * Error thrown when fetching a JSON-LD document failed.
@@ -82,6 +83,7 @@ export async function fetchDocumentLoader(url) {
             documentUrl: url,
         };
     }
+    await validatePublicUrl(url);
     const request = createRequest(url);
     logRequest(request);
     const response = await fetch(request, {
@@ -110,6 +112,7 @@ export async function fetchDocumentLoader(url) {
 export function getAuthenticatedDocumentLoader(identity) {
     validateCryptoKey(identity.privateKey);
     async function load(url) {
+        await validatePublicUrl(url);
         let request = createRequest(url);
         request = await signRequest(request, identity.privateKey, identity.keyId);
         logRequest(request);

package/esm/runtime/url.js

@@ -0,0 +1,75 @@
+import * as dntShim from "../_dnt.shims.js";
+import { lookup } from "node:dns/promises";
+import { isIP } from "node:net";
+export class UrlError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "UrlError";
+    }
+}
+/**
+ * Validates a URL to prevent SSRF attacks.
+ */
+export async function validatePublicUrl(url) {
+    const parsed = new URL(url);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+        throw new UrlError(`Unsupported protocol: ${parsed.protocol}`);
+    }
+    let hostname = parsed.hostname;
+    if (hostname.startsWith("[") && hostname.endsWith("]")) {
+        hostname = hostname.substring(1, hostname.length - 2);
+    }
+    if (hostname === "localhost") {
+        throw new UrlError("Localhost is not allowed");
+    }
+    if ("Deno" in dntShim.dntGlobalThis && !isIP(hostname)) {
+        // If the `net` permission is not granted, we can't resolve the hostname.
+        // However, we can safely assume that it cannot gain access to private
+        // resources.
+        const netPermission = await dntShim.Deno.permissions.query({ name: "net" });
+        if (netPermission.state !== "granted")
+            return;
+    }
+    const { address, family } = await lookup(hostname);
+    if (family === 4 && !isValidPublicIPv4Address(address) ||
+        family === 6 && !isValidPublicIPv6Address(address) ||
+        family < 4 || family === 5 || family > 6) {
+        throw new UrlError(`Invalid or private address: ${address}`);
+    }
+}
+export function isValidPublicIPv4Address(address) {
+    const parts = address.split(".");
+    const first = parseInt(parts[0]);
+    if (first === 0 || first === 10 || first === 127)
+        return false;
+    const second = parseInt(parts[1]);
+    if (first === 169 && second === 254)
+        return false;
+    if (first === 172 && second >= 16 && second <= 31)
+        return false;
+    if (first === 192 && second === 168)
+        return false;
+    return true;
+}
+export function isValidPublicIPv6Address(address) {
+    address = expandIPv6Address(address);
+    if (address.at(4) !== ":")
+        return false;
+    const firstWord = parseInt(address.substring(0, 4), 16);
+    return !((firstWord >= 0xfc00 && firstWord <= 0xfdff) || // ULA
+        (firstWord >= 0xfe80 && firstWord <= 0xfebf) || // Link-local
+        firstWord === 0 || firstWord >= 0xff00 // Multicast
+    );
+}
+export function expandIPv6Address(address) {
+    address = address.toLowerCase();
+    if (address === "::")
+        return "0000:0000:0000:0000:0000:0000:0000:0000";
+    if (address.startsWith("::"))
+        address = "0000" + address;
+    if (address.endsWith("::"))
+        address = address + "0000";
+    address = address.replace("::", ":0000".repeat(8 - (address.match(/:/g) || []).length) + ":");
+    const parts = address.split(":");
+    return parts.map((part) => part.padStart(4, "0")).join(":");
+}

package/esm/vocab/move.yaml

@@ -0,0 +1,13 @@
+$schema: ../codegen/schema.yaml
+name: Move
+uri: "https://www.w3.org/ns/activitystreams#Move"
+extends: "https://www.w3.org/ns/activitystreams#Activity"
+entity: true
+description: |
+  Indicates that the `actor` has moved `object` from `origin` to `target`.
+  If the `origin` or `target` are not specified,
+  either can be determined by context.
+defaultContext:
+- "https://www.w3.org/ns/activitystreams"
+- "https://w3id.org/security/data-integrity/v1"
+properties: []

package/esm/vocab/read.yaml

@@ -0,0 +1,11 @@
+$schema: ../codegen/schema.yaml
+name: Read
+uri: "https://www.w3.org/ns/activitystreams#Read"
+extends: "https://www.w3.org/ns/activitystreams#Activity"
+entity: true
+description: |
+  Indicates that the `actor` has read the `object`.
+defaultContext:
+- "https://www.w3.org/ns/activitystreams"
+- "https://w3id.org/security/data-integrity/v1"
+properties: []

package/esm/vocab/tentativeaccept.yaml

@@ -0,0 +1,12 @@
+$schema: ../codegen/schema.yaml
+name: TentativeAccept
+uri: "https://www.w3.org/ns/activitystreams#TentativeAccept"
+extends: "https://www.w3.org/ns/activitystreams#Accept"
+entity: true
+description: |
+  A specialization of {@link Accept} indicating that
+  the acceptance is tentative.
+defaultContext:
+- "https://www.w3.org/ns/activitystreams"
+- "https://w3id.org/security/data-integrity/v1"
+properties: []

package/esm/vocab/tentativereject.yaml

@@ -0,0 +1,12 @@
+$schema: ../codegen/schema.yaml
+name: TentativeReject
+uri: "https://www.w3.org/ns/activitystreams#TentativeReject"
+extends: "https://www.w3.org/ns/activitystreams#Reject"
+entity: true
+description: |
+  A specialization of {@link Reject} in which
+  the rejection is considered tentative.
+defaultContext:
+- "https://www.w3.org/ns/activitystreams"
+- "https://w3id.org/security/data-integrity/v1"
+properties: []

package/esm/vocab/travel.yaml

@@ -0,0 +1,14 @@
+$schema: ../codegen/schema.yaml
+name: Travel
+uri: "https://www.w3.org/ns/activitystreams#Travel"
+extends: "https://www.w3.org/ns/activitystreams#IntransitiveActivity"
+entity: true
+description: |
+  Indicates that the `actor` is traveling to `target` from `origin`.
+  `Travel` is an `IntransitiveObject` whose `actor` specifies the direct object.
+  If the `target` or `origin` are not specified,
+  either can be determined by context.
+defaultContext:
+- "https://www.w3.org/ns/activitystreams"
+- "https://w3id.org/security/data-integrity/v1"
+properties: []

package/esm/vocab/view.yaml

@@ -0,0 +1,11 @@
+$schema: ../codegen/schema.yaml
+name: View
+uri: "https://www.w3.org/ns/activitystreams#View"
+extends: "https://www.w3.org/ns/activitystreams#Activity"
+entity: true
+description: |
+  Indicates that the `actor` has viewed the object.
+defaultContext:
+- "https://www.w3.org/ns/activitystreams"
+- "https://w3id.org/security/data-integrity/v1"
+properties: []