@fedify/fedify 0.9.2 → 0.9.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/CHANGES.md +15 -0
  2. package/esm/runtime/url.js +9 -5
  3. package/package.json +1 -1
  4. package/types/runtime/url.d.ts.map +1 -1
package/CHANGES.md CHANGED
@@ -3,6 +3,21 @@
3
3
  Fedify changelog
4
4
  ================
5
5
 
6
+ Version 0.9.3
7
+ -------------
8
+
9
+ Released on July 9, 2024.
10
+
11
+ - Fixed a vulnerability of SSRF via DNS rebinding in the built-in document
12
+ loader. [[CVE-2024-39687]]
13
+
14
+ - The `fetchDocumentLoader()` function now throws an error when the given
15
+ domain name has any records referring to a private network address.
16
+ - The `getAuthenticatedDocumentLoader()` function now returns a document
17
+ loader that throws an error when the given domain name has any records
18
+ referring to a private network address.
19
+
20
+
6
21
  Version 0.9.2
7
22
  -------------
8
23
 
package/esm/runtime/url.js CHANGED
@@ -30,11 +30,15 @@ export async function validatePublicUrl(url) {
30
30
  if (netPermission.state !== "granted")
31
31
  return;
32
32
  }
33
- const { address, family } = await lookup(hostname);
34
- if (family === 4 && !isValidPublicIPv4Address(address) ||
35
- family === 6 && !isValidPublicIPv6Address(address) ||
36
- family < 4 || family === 5 || family > 6) {
37
- throw new UrlError(`Invalid or private address: ${address}`);
33
+ // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses
34
+ // and ensure that they are all public:
35
+ const addresses = await lookup(hostname, { all: true });
36
+ for (const { address, family } of addresses) {
37
+ if (family === 4 && !isValidPublicIPv4Address(address) ||
38
+ family === 6 && !isValidPublicIPv6Address(address) ||
39
+ family < 4 || family === 5 || family > 6) {
40
+ throw new UrlError(`Invalid or private address: ${address}`);
41
+ }
38
42
  }
39
43
  }
40
44
  export function isValidPublicIPv4Address(address) {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@fedify/fedify",
3
- "version": "0.9.2",
3
+ "version": "0.9.3",
4
4
  "description": "An ActivityPub server framework",
5
5
  "keywords": [
6
6
  "ActivityPub",
package/types/runtime/url.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"url.d.ts","sourceRoot":"","sources":["../../src/runtime/url.ts"],"names":[],"mappings":"AAIA,qBAAa,QAAS,SAAQ,KAAK;gBACrB,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA2BlE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CASjE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,WASvD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAWzD"}
1
+ {"version":3,"file":"url.d.ts","sourceRoot":"","sources":["../../src/runtime/url.ts"],"names":[],"mappings":"AAIA,qBAAa,QAAS,SAAQ,KAAK;gBACrB,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA+BlE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CASjE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,WASvD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAWzD"}