npm - @fedify/fedify - Versions diffs - 0.12.0-dev.300 → 0.12.0-dev.302 - Mend

@fedify/fedify 0.12.0-dev.300 → 0.12.0-dev.302

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGES.md +9 -0
package/esm/runtime/docloader.js +29 -5
package/esm/webfinger/lookup.js +4 -2
package/package.json +1 -1
package/types/runtime/docloader.d.ts +6 -2
package/types/runtime/docloader.d.ts.map +1 -1
package/types/webfinger/lookup.d.ts.map +1 -1

package/CHANGES.md CHANGED Viewed

@@ -98,14 +98,23 @@ To be released.
      -  Removed `verify()` function.
      -  Removed `VerifyOptions` interface.
+ -  Fixed a bug where the `lookupWebFinger()` function had incorrectly queried
+    if the given `resource` was a URL starts with `http:` or had a non-default
+    port number.
  -  Fixed a SSRF vulnerability in the built-in document loader.
     [[CVE-2024-39687]]
      -  The `fetchDocumentLoader()` function now throws an error when the given
         URL is not an HTTP or HTTPS URL or refers to a private network address.
+     -  Added an optional second parameter to the `fetchDocumentLoader()`
+        function, which can be used to allow fetching private network addresses.
      -  The `getAuthenticatedDocumentLoader()` function now returns a document
         loader that throws an error when the given URL is not an HTTP or HTTPS
         URL or refers to a private network address.
+     -  Added an optional second parameter to
+        the `getAuthenticatedDocumentLoader()` function, which can be used to
+        allow fetching private network addresses.
  -  Added `@fedify/fedify/x/astro` module for integrating with [Astro]
     middleware.  [[#50]]

package/esm/runtime/docloader.js CHANGED Viewed

@@ -4,7 +4,7 @@ import { getLogger } from "@logtape/logtape";
 import { signRequest } from "../sig/http.js";
 import { validateCryptoKey } from "../sig/key.js";
 import preloadedContexts from "./contexts.js";
-import { validatePublicUrl } from "./url.js";
+import { UrlError, validatePublicUrl } from "./url.js";
 const logger = getLogger(["fedify", "runtime", "docloader"]);
 /**
  * Error thrown when fetching a JSON-LD document failed.
@@ -85,9 +85,11 @@ async function getRemoteDocument(url, response) {
  * - <https://www.w3.org/ns/did/v1>
  * - <https://w3id.org/security/multikey/v1>
  * @param url The URL of the document to load.
+ * @param allowPrivateAddress Whether to allow fetching private network
+ *                            addresses.  Turned off by default.
  * @returns The remote document.
  */
-export async function fetchDocumentLoader(url) {
+export async function fetchDocumentLoader(url, allowPrivateAddress = false) {
     if (url in preloadedContexts) {
         logger.debug("Using preloaded context: {url}.", { url });
         return {
@@ -96,7 +98,17 @@ export async function fetchDocumentLoader(url) {
             documentUrl: url,
         };
     }
-    await validatePublicUrl(url);
+    if (!allowPrivateAddress) {
+        try {
+            await validatePublicUrl(url);
+        }
+        catch (error) {
+            if (error instanceof UrlError) {
+                logger.error("Disallowed private URL: {url}", { url, error });
+            }
+            throw error;
+        }
+    }
     const request = createRequest(url);
     logRequest(request);
     const response = await fetch(request, {
@@ -118,14 +130,26 @@ export async function fetchDocumentLoader(url) {
  * the fetched documents.
  * @param identity The identity to get the document loader for.
  *                 The actor's key pair.
+ * @param allowPrivateAddress Whether to allow fetching private network
+ *                            addresses.  Turned off by default.
  * @returns The authenticated document loader.
  * @throws {TypeError} If the key is invalid or unsupported.
  * @since 0.4.0
  */
-export function getAuthenticatedDocumentLoader(identity) {
+export function getAuthenticatedDocumentLoader(identity, allowPrivateAddress = false) {
     validateCryptoKey(identity.privateKey);
     async function load(url) {
-        await validatePublicUrl(url);
+        if (!allowPrivateAddress) {
+            try {
+                await validatePublicUrl(url);
+            }
+            catch (error) {
+                if (error instanceof UrlError) {
+                    logger.error("Disallowed private URL: {url}", { url, error });
+                }
+                throw error;
+            }
+        }
         let request = createRequest(url);
         request = await signRequest(request, identity.privateKey, identity.keyId);
         logRequest(request);

package/esm/webfinger/lookup.js CHANGED Viewed

@@ -9,6 +9,7 @@ const logger = getLogger(["fedify", "webfinger", "lookup"]);
 export async function lookupWebFinger(resource) {
     if (typeof resource === "string")
         resource = new URL(resource);
+    let protocol = "https:";
     let server;
     if (resource.protocol === "acct:") {
         const atPos = resource.pathname.lastIndexOf("@");
@@ -19,9 +20,10 @@ export async function lookupWebFinger(resource) {
             return null;
     }
     else {
-        server = resource.hostname;
+        protocol = resource.protocol;
+        server = resource.host;
     }
-    let url = new URL(`https://${server}/.well-known/webfinger`);
+    let url = new URL(`${protocol}//${server}/.well-known/webfinger`);
     url.searchParams.set("resource", resource.href);
     while (true) {
         logger.debug("Fetching WebFinger resource descriptor from {url}...", { url: url.href });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/fedify",
-  "version": "0.12.0-dev.300+a4e5c52f",
+  "version": "0.12.0-dev.302+3ef9e026",
   "description": "An ActivityPub server framework",
   "keywords": [
     "ActivityPub",

package/types/runtime/docloader.d.ts CHANGED Viewed

@@ -65,15 +65,19 @@ export declare class FetchError extends Error {
  * - <https://www.w3.org/ns/did/v1>
  * - <https://w3id.org/security/multikey/v1>
  * @param url The URL of the document to load.
+ * @param allowPrivateAddress Whether to allow fetching private network
+ *                            addresses.  Turned off by default.
  * @returns The remote document.
  */
-export declare function fetchDocumentLoader(url: string): Promise<RemoteDocument>;
+export declare function fetchDocumentLoader(url: string, allowPrivateAddress?: boolean): Promise<RemoteDocument>;
 /**
  * Gets an authenticated {@link DocumentLoader} for the given identity.
  * Note that an authenticated document loader intentionally does not cache
  * the fetched documents.
  * @param identity The identity to get the document loader for.
  *                 The actor's key pair.
+ * @param allowPrivateAddress Whether to allow fetching private network
+ *                            addresses.  Turned off by default.
  * @returns The authenticated document loader.
  * @throws {TypeError} If the key is invalid or unsupported.
  * @since 0.4.0
@@ -81,7 +85,7 @@ export declare function fetchDocumentLoader(url: string): Promise<RemoteDocument
 export declare function getAuthenticatedDocumentLoader(identity: {
     keyId: URL;
     privateKey: dntShim.CryptoKey;
-}): DocumentLoader;
+}, allowPrivateAddress?: boolean): DocumentLoader;
 /**
  * The parameters for {@link kvCache} function.
  */

package/types/runtime/docloader.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"docloader.d.ts","sourceRoot":"","sources":["../../src/runtime/docloader.ts"],"names":[],"mappings":";AAAA,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAG5C,OAAO,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAQ1D;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B;;OAEG;IACH,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1B;;OAEG;IACH,QAAQ,EAAE,OAAO,CAAC;IAElB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;AAEtE;;;;;;;;GAQG;AACH,MAAM,MAAM,kCAAkC,GAAG,CAC/C,QAAQ,EAAE;IAAE,KAAK,EAAE,GAAG,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;CAAE,KACpD,cAAc,CAAC;AAEpB;;GAEG;AACH,qBAAa,UAAW,SAAQ,KAAK;IACnC;;OAEG;IACH,GAAG,EAAE,GAAG,CAAC;IAET;;;;;OAKG;gBACS,GAAG,EAAE,GAAG,GAAG,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM;CAKhD;AAoED~~;;;;;;;;;;;;GAYG~~;AACH,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,MAAM,~~GACV~~,OAAO,CAAC,cAAc,CAAC,~~CA0BzB~~;AAED~~;;;;;;;;;GASG~~;AACH,wBAAgB,8BAA8B,CAC5C,QAAQ,EAAE;IAAE,KAAK,EAAE,GAAG,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;CAAE,~~GACtD~~,cAAc,~~CAuBhB~~;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,MAAM,EAAE,cAAc,CAAC;IAEvB;;OAEG;IACH,EAAE,EAAE,OAAO,CAAC;IAEZ;;;OAGG;IACH,MAAM,CAAC,EAAE,KAAK,CAAC;IAEf;;;;;;;OAOG;IACH,KAAK,CAAC,EAAE,CAAC,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;CAC1E;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CACrB,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,iBAAiB,GAC/C,cAAc,CA2ChB"}
1	+ {"version":3,"file":"docloader.d.ts","sourceRoot":"","sources":["../../src/runtime/docloader.ts"],"names":[],"mappings":";AAAA,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAG5C,OAAO,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAQ1D;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B;;OAEG;IACH,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1B;;OAEG;IACH,QAAQ,EAAE,OAAO,CAAC;IAElB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;AAEtE;;;;;;;;GAQG;AACH,MAAM,MAAM,kCAAkC,GAAG,CAC/C,QAAQ,EAAE;IAAE,KAAK,EAAE,GAAG,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;CAAE,KACpD,cAAc,CAAC;AAEpB;;GAEG;AACH,qBAAa,UAAW,SAAQ,KAAK;IACnC;;OAEG;IACH,GAAG,EAAE,GAAG,CAAC;IAET;;;;;OAKG;gBACS,GAAG,EAAE,GAAG,GAAG,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM;CAKhD;AAoED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,MAAM,EACX,mBAAmB,GAAE,OAAe,GACnC,OAAO,CAAC,cAAc,CAAC,CAmCzB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,8BAA8B,CAC5C,QAAQ,EAAE;IAAE,KAAK,EAAE,GAAG,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;CAAE,EACvD,mBAAmB,GAAE,OAAe,GACnC,cAAc,CAgChB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,MAAM,EAAE,cAAc,CAAC;IAEvB;;OAEG;IACH,EAAE,EAAE,OAAO,CAAC;IAEZ;;;OAGG;IACH,MAAM,CAAC,EAAE,KAAK,CAAC;IAEf;;;;;;;OAOG;IACH,KAAK,CAAC,EAAE,CAAC,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;CAC1E;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CACrB,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,iBAAiB,GAC/C,cAAc,CA2ChB"}

package/types/webfinger/lookup.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"lookup.d.ts","sourceRoot":"","sources":["../../src/webfinger/lookup.ts"],"names":[],"mappings":";AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAInD;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,GAAG,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,~~CAqDpC~~"}
1	+ {"version":3,"file":"lookup.d.ts","sourceRoot":"","sources":["../../src/webfinger/lookup.ts"],"names":[],"mappings":";AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAInD;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,GAAG,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAuDpC"}