@fedify/fedify 0.12.0-dev.301 → 0.12.0-dev.304

package/CHANGES.md

@@ -98,14 +98,23 @@ To be released.
      -  Removed `verify()` function.
      -  Removed `VerifyOptions` interface.
 
+ -  Fixed a bug where the `lookupWebFinger()` function had incorrectly queried
+    if the given `resource` was a URL starts with `http:` or had a non-default
+    port number.
+
  -  Fixed a SSRF vulnerability in the built-in document loader.
     [[CVE-2024-39687]]
 
      -  The `fetchDocumentLoader()` function now throws an error when the given
         URL is not an HTTP or HTTPS URL or refers to a private network address.
+     -  Added an optional second parameter to the `fetchDocumentLoader()`
+        function, which can be used to allow fetching private network addresses.
      -  The `getAuthenticatedDocumentLoader()` function now returns a document
         loader that throws an error when the given URL is not an HTTP or HTTPS
         URL or refers to a private network address.
+     -  Added an optional second parameter to
+        the `getAuthenticatedDocumentLoader()` function, which can be used to
+        allow fetching private network addresses.
 
  -  Added `@fedify/fedify/x/astro` module for integrating with [Astro]
     middleware.  [[#50]]

package/esm/runtime/docloader.js

@@ -4,7 +4,7 @@ import { getLogger } from "@logtape/logtape";
 import { signRequest } from "../sig/http.js";
 import { validateCryptoKey } from "../sig/key.js";
 import preloadedContexts from "./contexts.js";
-import { validatePublicUrl } from "./url.js";
+import { UrlError, validatePublicUrl } from "./url.js";
 const logger = getLogger(["fedify", "runtime", "docloader"]);
 /**
  * Error thrown when fetching a JSON-LD document failed.
@@ -85,9 +85,11 @@ async function getRemoteDocument(url, response) {
  * - <https://www.w3.org/ns/did/v1>
  * - <https://w3id.org/security/multikey/v1>
  * @param url The URL of the document to load.
+ * @param allowPrivateAddress Whether to allow fetching private network
+ *                            addresses.  Turned off by default.
  * @returns The remote document.
  */
-export async function fetchDocumentLoader(url) {
+export async function fetchDocumentLoader(url, allowPrivateAddress = false) {
     if (url in preloadedContexts) {
         logger.debug("Using preloaded context: {url}.", { url });
         return {
@@ -96,7 +98,17 @@ export async function fetchDocumentLoader(url) {
             documentUrl: url,
         };
     }
-    await validatePublicUrl(url);
+    if (!allowPrivateAddress) {
+        try {
+            await validatePublicUrl(url);
+        }
+        catch (error) {
+            if (error instanceof UrlError) {
+                logger.error("Disallowed private URL: {url}", { url, error });
+            }
+            throw error;
+        }
+    }
     const request = createRequest(url);
     logRequest(request);
     const response = await fetch(request, {
@@ -118,14 +130,26 @@ export async function fetchDocumentLoader(url) {
  * the fetched documents.
  * @param identity The identity to get the document loader for.
  *                 The actor's key pair.
+ * @param allowPrivateAddress Whether to allow fetching private network
+ *                            addresses.  Turned off by default.
  * @returns The authenticated document loader.
  * @throws {TypeError} If the key is invalid or unsupported.
  * @since 0.4.0
  */
-export function getAuthenticatedDocumentLoader(identity) {
+export function getAuthenticatedDocumentLoader(identity, allowPrivateAddress = false) {
     validateCryptoKey(identity.privateKey);
     async function load(url) {
-        await validatePublicUrl(url);
+        if (!allowPrivateAddress) {
+            try {
+                await validatePublicUrl(url);
+            }
+            catch (error) {
+                if (error instanceof UrlError) {
+                    logger.error("Disallowed private URL: {url}", { url, error });
+                }
+                throw error;
+            }
+        }
         let request = createRequest(url);
         request = await signRequest(request, identity.privateKey, identity.keyId);
         logRequest(request);

package/esm/webfinger/lookup.js

@@ -9,6 +9,7 @@ const logger = getLogger(["fedify", "webfinger", "lookup"]);
 export async function lookupWebFinger(resource) {
     if (typeof resource === "string")
         resource = new URL(resource);
+    let protocol = "https:";
     let server;
     if (resource.protocol === "acct:") {
         const atPos = resource.pathname.lastIndexOf("@");
@@ -19,9 +20,10 @@ export async function lookupWebFinger(resource) {
             return null;
     }
     else {
-        server = resource.hostname;
+        protocol = resource.protocol;
+        server = resource.host;
     }
-    let url = new URL(`https://${server}/.well-known/webfinger`);
+    let url = new URL(`${protocol}//${server}/.well-known/webfinger`);
     url.searchParams.set("resource", resource.href);
     while (true) {
         logger.debug("Fetching WebFinger resource descriptor from {url}...", { url: url.href });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/fedify",
-  "version": "0.12.0-dev.301+e2b9f0c7",
+  "version": "0.12.0-dev.304+1105aa6b",
   "description": "An ActivityPub server framework",
   "keywords": [
     "ActivityPub",

package/types/runtime/docloader.d.ts

@@ -65,15 +65,19 @@ export declare class FetchError extends Error {
  * - <https://www.w3.org/ns/did/v1>
  * - <https://w3id.org/security/multikey/v1>
  * @param url The URL of the document to load.
+ * @param allowPrivateAddress Whether to allow fetching private network
+ *                            addresses.  Turned off by default.
  * @returns The remote document.
  */
-export declare function fetchDocumentLoader(url: string): Promise<RemoteDocument>;
+export declare function fetchDocumentLoader(url: string, allowPrivateAddress?: boolean): Promise<RemoteDocument>;
 /**
  * Gets an authenticated {@link DocumentLoader} for the given identity.
  * Note that an authenticated document loader intentionally does not cache
  * the fetched documents.
  * @param identity The identity to get the document loader for.
  *                 The actor's key pair.
+ * @param allowPrivateAddress Whether to allow fetching private network
+ *                            addresses.  Turned off by default.
  * @returns The authenticated document loader.
  * @throws {TypeError} If the key is invalid or unsupported.
  * @since 0.4.0
@@ -81,7 +85,7 @@ export declare function fetchDocumentLoader(url: string): Promise<RemoteDocument
 export declare function getAuthenticatedDocumentLoader(identity: {
     keyId: URL;
     privateKey: dntShim.CryptoKey;
-}): DocumentLoader;
+}, allowPrivateAddress?: boolean): DocumentLoader;
 /**
  * The parameters for {@link kvCache} function.
  */

package/types/runtime/docloader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"docloader.d.ts","sourceRoot":"","sources":["../../src/runtime/docloader.ts"],"names":[],"mappings":";AAAA,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAG5C,OAAO,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAQ1D;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B;;OAEG;IACH,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1B;;OAEG;IACH,QAAQ,EAAE,OAAO,CAAC;IAElB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;AAEtE;;;;;;;;GAQG;AACH,MAAM,MAAM,kCAAkC,GAAG,CAC/C,QAAQ,EAAE;IAAE,KAAK,EAAE,GAAG,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;CAAE,KACpD,cAAc,CAAC;AAEpB;;GAEG;AACH,qBAAa,UAAW,SAAQ,KAAK;IACnC;;OAEG;IACH,GAAG,EAAE,GAAG,CAAC;IAET;;;;;OAKG;gBACS,GAAG,EAAE,GAAG,GAAG,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM;CAKhD;AAoED;;;;;;;;;;;;GAYG;AACH,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,cAAc,CAAC,CA0BzB;AAED;;;;;;;;;GASG;AACH,wBAAgB,8BAA8B,CAC5C,QAAQ,EAAE;IAAE,KAAK,EAAE,GAAG,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;CAAE,GACtD,cAAc,CAuBhB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,MAAM,EAAE,cAAc,CAAC;IAEvB;;OAEG;IACH,EAAE,EAAE,OAAO,CAAC;IAEZ;;;OAGG;IACH,MAAM,CAAC,EAAE,KAAK,CAAC;IAEf;;;;;;;OAOG;IACH,KAAK,CAAC,EAAE,CAAC,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;CAC1E;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CACrB,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,iBAAiB,GAC/C,cAAc,CA2ChB"}
+{"version":3,"file":"docloader.d.ts","sourceRoot":"","sources":["../../src/runtime/docloader.ts"],"names":[],"mappings":";AAAA,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAG5C,OAAO,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAQ1D;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B;;OAEG;IACH,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1B;;OAEG;IACH,QAAQ,EAAE,OAAO,CAAC;IAElB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;AAEtE;;;;;;;;GAQG;AACH,MAAM,MAAM,kCAAkC,GAAG,CAC/C,QAAQ,EAAE;IAAE,KAAK,EAAE,GAAG,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;CAAE,KACpD,cAAc,CAAC;AAEpB;;GAEG;AACH,qBAAa,UAAW,SAAQ,KAAK;IACnC;;OAEG;IACH,GAAG,EAAE,GAAG,CAAC;IAET;;;;;OAKG;gBACS,GAAG,EAAE,GAAG,GAAG,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM;CAKhD;AAoED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,MAAM,EACX,mBAAmB,GAAE,OAAe,GACnC,OAAO,CAAC,cAAc,CAAC,CAmCzB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,8BAA8B,CAC5C,QAAQ,EAAE;IAAE,KAAK,EAAE,GAAG,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;CAAE,EACvD,mBAAmB,GAAE,OAAe,GACnC,cAAc,CAgChB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,MAAM,EAAE,cAAc,CAAC;IAEvB;;OAEG;IACH,EAAE,EAAE,OAAO,CAAC;IAEZ;;;OAGG;IACH,MAAM,CAAC,EAAE,KAAK,CAAC;IAEf;;;;;;;OAOG;IACH,KAAK,CAAC,EAAE,CAAC,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;CAC1E;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CACrB,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,iBAAiB,GAC/C,cAAc,CA2ChB"}

package/types/webfinger/lookup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"lookup.d.ts","sourceRoot":"","sources":["../../src/webfinger/lookup.ts"],"names":[],"mappings":";AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAInD;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,GAAG,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAqDpC"}
+{"version":3,"file":"lookup.d.ts","sourceRoot":"","sources":["../../src/webfinger/lookup.ts"],"names":[],"mappings":";AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAInD;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,GAAG,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAuDpC"}