@fedify/fedify 0.14.0-dev.338 → 0.14.0-dev.344

package/CHANGES.md

@@ -34,6 +34,39 @@ To be released.
 
  -  Added `Source` class to Activity Vocabulary API.  [[#114]]
 
+ -  Added `aliases` property to `Actor` type in Activity Vocabulary API.
+
+     -  Added `Application.getAliases()` method.
+     -  Added `Application.getAlias()` method.
+     -  `new Application()` constructor now accepts `alias` option.
+     -  `new Application()` constructor now accepts `aliases` option.
+     -  `Application.clone()` method now accepts `alias` option.
+     -  `Application.clone()` method now accepts `aliases` option.
+     -  Added `Group.getAliases()` method.
+     -  Added `Group.getAlias()` method.
+     -  `new Group()` constructor now accepts `alias` option.
+     -  `new Group()` constructor now accepts `aliases` option.
+     -  `Group.clone()` method now accepts `alias` option.
+     -  `Group.clone()` method now accepts `aliases` option.
+     -  Added `Organization.getAliases()` method.
+     -  Added `Organization.getAlias()` method.
+     -  `new Organization()` constructor now accepts `alias` option.
+     -  `new Organization()` constructor now accepts `aliases` option.
+     -  `Organization.clone()` method now accepts `alias` option.
+     -  `Organization.clone()` method now accepts `aliases` option.
+     -  Added `Person.getAliases()` method.
+     -  Added `Person.getAlias()` method.
+     -  `new Person()` constructor now accepts `alias` option.
+     -  `new Person()` constructor now accepts `aliases` option.
+     -  `Person.clone()` method now accepts `alias` option.
+     -  `Person.clone()` method now accepts `aliases` option.
+     -  Added `Service.getAliases()` method.
+     -  Added `Service.getAlias()` method.
+     -  `new Service()` constructor now accepts `alias` option.
+     -  `new Service()` constructor now accepts `aliases` option.
+     -  `Service.clone()` method now accepts `alias` option.
+     -  `Service.clone()` method now accepts `aliases` option.
+
  -  Improved the performance of `Object.toJsonLd()` method.
 
      -  `Object.toJsonLd()` method no longer guarantees that the returned
@@ -54,6 +87,16 @@ To be released.
 [#115]: https://github.com/dahlia/fedify/issues/115
 
 
+Version 0.13.1
+--------------
+
+Released on August 18, 2024.
+
+ -  Fixed a vulnerability where the `getActorHandle()` function had trusted
+    the hostname of WebFinger aliases that had not matched the hostname of the
+    actor ID (URI).
+
+
 Version 0.13.0
 --------------
 
@@ -71,7 +114,7 @@ Released on August 7, 2024.
      -  `new Question()` constructor now accepts `voters` option.
      -  `Question.clone()` method now accepts `voters` option.
 
- -  HTTP Signatures verficiation now can be optionally skipped for the sake of
+ -  HTTP Signatures verification now can be optionally skipped for the sake of
     testing.  [[#110]]
 
      -  The type of `CreateFederationOptions.signatureTimeWindow` property
@@ -128,6 +171,16 @@ Released on August 7, 2024.
 [Nitro]: https://nitro.unjs.io/
 
 
+Version 0.12.3
+--------------
+
+Released on August 18, 2024.
+
+ -  Fixed a vulnerability where the `getActorHandle()` function had trusted
+    the hostname of WebFinger aliases that had not matched the hostname of the
+    actor ID (URI).
+
+
 Version 0.12.2
 --------------
 
@@ -1313,4 +1366,4 @@ Version 0.1.0
 
 Initial release.  Released on March 8, 2024.
 
-<!-- cSpell: ignore Dogeon Wressell -->
+<!-- cSpell: ignore Dogeon Fabien Wressell -->

package/esm/federation/middleware.js

@@ -56,11 +56,11 @@ class FederationImpl {
     constructor(options) {
         this.kv = options.kv;
         this.kvPrefixes = {
-            ...{
+            ...({
                 activityIdempotence: ["_fedify", "activityIdempotence"],
                 remoteDocument: ["_fedify", "remoteDocument"],
                 publicKey: ["_fedify", "publicKey"],
-            },
+            }),
             ...(options.kvPrefixes ?? {}),
         };
         this.queue = options.queue;

package/esm/sig/key.js

@@ -73,7 +73,7 @@ export async function exportJwk(key) {
 /**
  * Imports a key from JWK format.
  * @param jwk The key in JWK format.
- * @param type Which type of key to import, either `"public"`" or `"private"`".
+ * @param type Which type of key to import, either `"public"` or `"private"`.
  * @returns The imported key.
  * @throws {TypeError} If the key is invalid or unsupported.
  */

package/esm/vocab/actor.js

@@ -86,6 +86,9 @@ export async function getActorHandle(actor, options = {}) {
             for (const alias of aliases) {
                 const match = alias.match(/^acct:([^@]+)@([^@]+)$/);
                 if (match != null) {
+                    const hostname = new URL(`https://${match[2]}/`).hostname;
+                    if (hostname !== actorId.hostname)
+                        continue;
                     return normalizeActorHandle(`@${match[1]}@${match[2]}`, options);
                 }
             }

package/esm/vocab/application.yaml

@@ -242,3 +242,20 @@ properties:
   description: Whether the actor allows to be indexed.
   range:
   - "http://www.w3.org/2001/XMLSchema#boolean"
+
+- pluralName: aliases
+  singularName: alias
+  singularAccessor: true
+  compactName: alsoKnownAs
+  uri: "https://www.w3.org/ns/activitystreams#alsoKnownAs"
+  description: |
+    The `aliases` (`alsoKnownAs`) property is used to specify alternative names
+    or aliases for an entity.  It can be used to provide additional identifiers
+    or labels for an entity, which can be useful in scenarios where an entity
+    may have multiple names or aliases.
+  range:
+  - "https://www.w3.org/ns/activitystreams#Application"
+  - "https://www.w3.org/ns/activitystreams#Group"
+  - "https://www.w3.org/ns/activitystreams#Organization"
+  - "https://www.w3.org/ns/activitystreams#Person"
+  - "https://www.w3.org/ns/activitystreams#Service"

package/esm/vocab/group.yaml

@@ -242,3 +242,20 @@ properties:
   description: Whether the actor allows to be indexed.
   range:
   - "http://www.w3.org/2001/XMLSchema#boolean"
+
+- pluralName: aliases
+  singularName: alias
+  singularAccessor: true
+  compactName: alsoKnownAs
+  uri: "https://www.w3.org/ns/activitystreams#alsoKnownAs"
+  description: |
+    The `aliases` (`alsoKnownAs`) property is used to specify alternative names
+    or aliases for an entity.  It can be used to provide additional identifiers
+    or labels for an entity, which can be useful in scenarios where an entity
+    may have multiple names or aliases.
+  range:
+  - "https://www.w3.org/ns/activitystreams#Application"
+  - "https://www.w3.org/ns/activitystreams#Group"
+  - "https://www.w3.org/ns/activitystreams#Organization"
+  - "https://www.w3.org/ns/activitystreams#Person"
+  - "https://www.w3.org/ns/activitystreams#Service"

package/esm/vocab/organization.yaml

@@ -242,3 +242,20 @@ properties:
   description: Whether the actor allows to be indexed.
   range:
   - "http://www.w3.org/2001/XMLSchema#boolean"
+
+- pluralName: aliases
+  singularName: alias
+  singularAccessor: true
+  compactName: alsoKnownAs
+  uri: "https://www.w3.org/ns/activitystreams#alsoKnownAs"
+  description: |
+    The `aliases` (`alsoKnownAs`) property is used to specify alternative names
+    or aliases for an entity.  It can be used to provide additional identifiers
+    or labels for an entity, which can be useful in scenarios where an entity
+    may have multiple names or aliases.
+  range:
+  - "https://www.w3.org/ns/activitystreams#Application"
+  - "https://www.w3.org/ns/activitystreams#Group"
+  - "https://www.w3.org/ns/activitystreams#Organization"
+  - "https://www.w3.org/ns/activitystreams#Person"
+  - "https://www.w3.org/ns/activitystreams#Service"

package/esm/vocab/person.yaml

@@ -242,3 +242,20 @@ properties:
   description: Whether the actor allows to be indexed.
   range:
   - "http://www.w3.org/2001/XMLSchema#boolean"
+
+- pluralName: aliases
+  singularName: alias
+  singularAccessor: true
+  compactName: alsoKnownAs
+  uri: "https://www.w3.org/ns/activitystreams#alsoKnownAs"
+  description: |
+    The `aliases` (`alsoKnownAs`) property is used to specify alternative names
+    or aliases for an entity.  It can be used to provide additional identifiers
+    or labels for an entity, which can be useful in scenarios where an entity
+    may have multiple names or aliases.
+  range:
+  - "https://www.w3.org/ns/activitystreams#Application"
+  - "https://www.w3.org/ns/activitystreams#Group"
+  - "https://www.w3.org/ns/activitystreams#Organization"
+  - "https://www.w3.org/ns/activitystreams#Person"
+  - "https://www.w3.org/ns/activitystreams#Service"

package/esm/vocab/service.yaml

@@ -242,3 +242,20 @@ properties:
   description: Whether the actor allows to be indexed.
   range:
   - "http://www.w3.org/2001/XMLSchema#boolean"
+
+- pluralName: aliases
+  singularName: alias
+  singularAccessor: true
+  compactName: alsoKnownAs
+  uri: "https://www.w3.org/ns/activitystreams#alsoKnownAs"
+  description: |
+    The `aliases` (`alsoKnownAs`) property is used to specify alternative names
+    or aliases for an entity.  It can be used to provide additional identifiers
+    or labels for an entity, which can be useful in scenarios where an entity
+    may have multiple names or aliases.
+  range:
+  - "https://www.w3.org/ns/activitystreams#Application"
+  - "https://www.w3.org/ns/activitystreams#Group"
+  - "https://www.w3.org/ns/activitystreams#Organization"
+  - "https://www.w3.org/ns/activitystreams#Person"
+  - "https://www.w3.org/ns/activitystreams#Service"