@fedify/fedify 0.9.2 → 0.9.3

Sign up to get free protection for your applications and to get access to all the features.
Files changed (4) hide show
  1. package/CHANGES.md +15 -0
  2. package/esm/runtime/url.js +9 -5
  3. package/package.json +1 -1
  4. package/types/runtime/url.d.ts.map +1 -1
package/CHANGES.md CHANGED
@@ -3,6 +3,21 @@
3
3
  Fedify changelog
4
4
  ================
5
5
 
6
+ Version 0.9.3
7
+ -------------
8
+
9
+ Released on July 9, 2024.
10
+
11
+ - Fixed a vulnerability of SSRF via DNS rebinding in the built-in document
12
+ loader. [[CVE-2024-39687]]
13
+
14
+ - The `fetchDocumentLoader()` function now throws an error when the given
15
+ domain name has any records referring to a private network address.
16
+ - The `getAuthenticatedDocumentLoader()` function now returns a document
17
+ loader that throws an error when the given domain name has any records
18
+ referring to a private network address.
19
+
20
+
6
21
  Version 0.9.2
7
22
  -------------
8
23
 
package/esm/runtime/url.js CHANGED
@@ -30,11 +30,15 @@ export async function validatePublicUrl(url) {
30
30
  if (netPermission.state !== "granted")
31
31
  return;
32
32
  }
33
- const { address, family } = await lookup(hostname);
34
- if (family === 4 && !isValidPublicIPv4Address(address) ||
35
- family === 6 && !isValidPublicIPv6Address(address) ||
36
- family < 4 || family === 5 || family > 6) {
37
- throw new UrlError(`Invalid or private address: ${address}`);
33
+ // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses
34
+ // and ensure that they are all public:
35
+ const addresses = await lookup(hostname, { all: true });
36
+ for (const { address, family } of addresses) {
37
+ if (family === 4 && !isValidPublicIPv4Address(address) ||
38
+ family === 6 && !isValidPublicIPv6Address(address) ||
39
+ family < 4 || family === 5 || family > 6) {
40
+ throw new UrlError(`Invalid or private address: ${address}`);
41
+ }
38
42
  }
39
43
  }
40
44
  export function isValidPublicIPv4Address(address) {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@fedify/fedify",
3
- "version": "0.9.2",
3
+ "version": "0.9.3",
4
4
  "description": "An ActivityPub server framework",
5
5
  "keywords": [
6
6
  "ActivityPub",
package/types/runtime/url.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"url.d.ts","sourceRoot":"","sources":["../../src/runtime/url.ts"],"names":[],"mappings":"AAIA,qBAAa,QAAS,SAAQ,KAAK;gBACrB,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA2BlE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CASjE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,WASvD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAWzD"}
1
+ {"version":3,"file":"url.d.ts","sourceRoot":"","sources":["../../src/runtime/url.ts"],"names":[],"mappings":"AAIA,qBAAa,QAAS,SAAQ,KAAK;gBACrB,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA+BlE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CASjE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,WASvD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAWzD"}