@fedify/fedify 0.12.2 → 0.12.3

package/CHANGES.md

@@ -3,6 +3,16 @@
 Fedify changelog
 ================
 
+Version 0.12.3
+--------------
+
+Released on August 18, 2024.
+
+ -  Fixed a vulnerability where the `getActorHandle()` function had trusted
+    the hostname of WebFinger aliases that had not matched the hostname of the
+    actor ID (URI).
+
+
 Version 0.12.2
 --------------
 

package/esm/vocab/actor.js

@@ -86,6 +86,9 @@ export async function getActorHandle(actor, options = {}) {
             for (const alias of aliases) {
                 const match = alias.match(/^acct:([^@]+)@([^@]+)$/);
                 if (match != null) {
+                    const hostname = new URL(`https://${match[2]}/`).hostname;
+                    if (hostname !== actorId.hostname)
+                        continue;
                     return normalizeActorHandle(`@${match[1]}@${match[2]}`, options);
                 }
             }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/fedify",
-  "version": "0.12.2",
+  "version": "0.12.3",
   "description": "An ActivityPub server framework",
   "keywords": [
     "ActivityPub",

package/types/vocab/actor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"actor.d.ts","sourceRoot":"","sources":["../../src/vocab/actor.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAE/E;;;GAGG;AACH,MAAM,MAAM,KAAK,GAAG,WAAW,GAAG,KAAK,GAAG,YAAY,GAAG,MAAM,GAAG,OAAO,CAAC;AAE1E;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,IAAI,KAAK,CAQxD;AAED;;GAEG;AACH,MAAM,MAAM,aAAa,GACrB,aAAa,GACb,OAAO,GACP,cAAc,GACd,QAAQ,GACR,SAAS,CAAC;AAEd;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,KAAK,GACX,aAAa,CAOf;AAED;;;;GAIG;AACH,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,aAAa,GAErB,OAAO,WAAW,GAClB,OAAO,KAAK,GACZ,OAAO,YAAY,GACnB,OAAO,MAAM,GACb,OAAO,OAAO,CAcjB;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,KAAK,GAAG,GAAG,EAClB,OAAO,GAAE,2BAAgC,GACxC,OAAO,CAAC,IAAI,MAAM,IAAI,MAAM,EAAE,GAAG,GAAG,MAAM,IAAI,MAAM,EAAE,CAAC,CA2BzD;AAED;;;GAGG;AACH,MAAM,WAAW,2BAA2B;IAC1C;;;OAGG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;IAExB;;;OAGG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,2BAAgC,GACxC,IAAI,MAAM,IAAI,MAAM,EAAE,GAAG,GAAG,MAAM,IAAI,MAAM,EAAE,CAahD;AAED;;;;GAIG;AACH,MAAM,WAAW,SAAS;IACxB;;OAEG;IACH,QAAQ,CAAC,EAAE,EAAE,GAAG,GAAG,IAAI,CAAC;IAExB;;OAEG;IACH,QAAQ,CAAC,OAAO,EAAE,GAAG,GAAG,IAAI,CAAC;IAE7B;;OAEG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE;QACnB;;WAEG;QACH,WAAW,EAAE,GAAG,GAAG,IAAI,CAAC;KACzB,GAAG,IAAI,CAAC;CACV"}
+{"version":3,"file":"actor.d.ts","sourceRoot":"","sources":["../../src/vocab/actor.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAE/E;;;GAGG;AACH,MAAM,MAAM,KAAK,GAAG,WAAW,GAAG,KAAK,GAAG,YAAY,GAAG,MAAM,GAAG,OAAO,CAAC;AAE1E;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,IAAI,KAAK,CAQxD;AAED;;GAEG;AACH,MAAM,MAAM,aAAa,GACrB,aAAa,GACb,OAAO,GACP,cAAc,GACd,QAAQ,GACR,SAAS,CAAC;AAEd;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,KAAK,GACX,aAAa,CAOf;AAED;;;;GAIG;AACH,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,aAAa,GAErB,OAAO,WAAW,GAClB,OAAO,KAAK,GACZ,OAAO,YAAY,GACnB,OAAO,MAAM,GACb,OAAO,OAAO,CAcjB;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,KAAK,GAAG,GAAG,EAClB,OAAO,GAAE,2BAAgC,GACxC,OAAO,CAAC,IAAI,MAAM,IAAI,MAAM,EAAE,GAAG,GAAG,MAAM,IAAI,MAAM,EAAE,CAAC,CA6BzD;AAED;;;GAGG;AACH,MAAM,WAAW,2BAA2B;IAC1C;;;OAGG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;IAExB;;;OAGG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,2BAAgC,GACxC,IAAI,MAAM,IAAI,MAAM,EAAE,GAAG,GAAG,MAAM,IAAI,MAAM,EAAE,CAahD;AAED;;;;GAIG;AACH,MAAM,WAAW,SAAS;IACxB;;OAEG;IACH,QAAQ,CAAC,EAAE,EAAE,GAAG,GAAG,IAAI,CAAC;IAExB;;OAEG;IACH,QAAQ,CAAC,OAAO,EAAE,GAAG,GAAG,IAAI,CAAC;IAE7B;;OAEG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE;QACnB;;WAEG;QACH,WAAW,EAAE,GAAG,GAAG,IAAI,CAAC;KACzB,GAAG,IAAI,CAAC;CACV"}