@fedify/fedify 1.1.10 → 1.1.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/CHANGES.md +48 -0
  2. package/esm/runtime/url.js +7 -1
  3. package/esm/webfinger/lookup.js +21 -1
  4. package/package.json +1 -1
  5. package/types/runtime/url.d.ts.map +1 -1
  6. package/types/webfinger/lookup.d.ts.map +1 -1
package/CHANGES.md CHANGED
@@ -3,6 +3,29 @@
3
3
  Fedify changelog
4
4
  ================
5
5
 
6
+ Version 1.1.11
7
+ --------------
8
+
9
+ Released on January 21, 2025.
10
+
11
+ - Fixed several security vulnerabilities of the `lookupWebFinger()` function.
12
+ [[CVE-2025-23221]]
13
+
14
+ - Fixed a security vulnerability where the `lookupWebFinger()` function
15
+ had followed the infinite number of redirects, which could lead to
16
+ a denial of service attack. Now it follows up to 5 redirects.
17
+
18
+ - Fixed a security vulnerability where the `lookupWebFinger()` function
19
+ had followed the redirects to other than the HTTP/HTTPS schemes, which
20
+ could lead to a security breach. Now it follows only the same scheme
21
+ as the original request.
22
+
23
+ - Fixed a security vulnerability where the `lookupWebFinger()` function
24
+ had followed the redirects to the private network addresses, which
25
+ could lead to a SSRF attack. Now it follows only the public network
26
+ addresses.
27
+
28
+
6
29
  Version 1.1.10
7
30
  --------------
8
31
 
@@ -268,6 +291,31 @@ Released on October 20, 2024.
268
291
  [#150]: https://github.com/dahlia/fedify/issues/150
269
292
 
270
293
 
294
+ Version 1.0.14
295
+ --------------
296
+
297
+ Released on January 21, 2025.
298
+
299
+ - Fixed several security vulnerabilities of the `lookupWebFinger()` function.
300
+ [[CVE-2025-23221]]
301
+
302
+ - Fixed a security vulnerability where the `lookupWebFinger()` function
303
+ had followed the infinite number of redirects, which could lead to
304
+ a denial of service attack. Now it follows up to 5 redirects.
305
+
306
+ - Fixed a security vulnerability where the `lookupWebFinger()` function
307
+ had followed the redirects to other than the HTTP/HTTPS schemes, which
308
+ could lead to a security breach. Now it follows only the same scheme
309
+ as the original request.
310
+
311
+ - Fixed a security vulnerability where the `lookupWebFinger()` function
312
+ had followed the redirects to the private network addresses, which
313
+ could lead to a SSRF attack. Now it follows only the public network
314
+ addresses.
315
+
316
+ [CVE-2025-23221]: https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx
317
+
318
+
271
319
  Version 1.0.13
272
320
  --------------
273
321
 
package/esm/runtime/url.js CHANGED
@@ -38,7 +38,13 @@ export async function validatePublicUrl(url) {
38
38
  }
39
39
  // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses
40
40
  // and ensure that they are all public:
41
- const addresses = await lookup(hostname, { all: true });
41
+ let addresses;
42
+ try {
43
+ addresses = await lookup(hostname, { all: true });
44
+ }
45
+ catch {
46
+ addresses = [];
47
+ }
42
48
  for (const { address, family } of addresses) {
43
49
  if (family === 4 && !isValidPublicIPv4Address(address) ||
44
50
  family === 6 && !isValidPublicIPv6Address(address) ||
package/esm/webfinger/lookup.js CHANGED
@@ -1,5 +1,7 @@
1
1
  import { getLogger } from "@logtape/logtape";
2
+ import { validatePublicUrl } from "../runtime/url.js";
2
3
  const logger = getLogger(["fedify", "webfinger", "lookup"]);
4
+ const MAX_REDIRECTION = 5; // TODO: Make this configurable.
3
5
  /**
4
6
  * Looks up a WebFinger resource.
5
7
  * @param resource The resource URL to look up.
@@ -25,9 +27,11 @@ export async function lookupWebFinger(resource) {
25
27
  }
26
28
  let url = new URL(`${protocol}//${server}/.well-known/webfinger`);
27
29
  url.searchParams.set("resource", resource.href);
30
+ let redirected = 0;
28
31
  while (true) {
29
32
  logger.debug("Fetching WebFinger resource descriptor from {url}...", { url: url.href });
30
33
  let response;
34
+ await validatePublicUrl(url.href);
31
35
  try {
32
36
  response = await fetch(url, {
33
37
  headers: { Accept: "application/jrd+json" },
@@ -40,7 +44,23 @@ export async function lookupWebFinger(resource) {
40
44
  }
41
45
  if (response.status >= 300 && response.status < 400 &&
42
46
  response.headers.has("Location")) {
43
- url = new URL(response.headers.get("Location"), response.url == null || response.url === "" ? url : response.url);
47
+ redirected++;
48
+ if (redirected >= MAX_REDIRECTION) {
49
+ logger.error("Too many redirections ({redirections}) while fetching WebFinger " +
50
+ "resource descriptor.", { redirections: redirected });
51
+ return null;
52
+ }
53
+ const redirectedUrl = new URL(response.headers.get("Location"), response.url == null || response.url === "" ? url : response.url);
54
+ if (redirectedUrl.protocol !== url.protocol) {
55
+ logger.error("Redirected to a different protocol ({protocol} to " +
56
+ "{redirectedProtocol}) while fetching WebFinger resource " +
57
+ "descriptor.", {
58
+ protocol: url.protocol,
59
+ redirectedProtocol: redirectedUrl.protocol,
60
+ });
61
+ return null;
62
+ }
63
+ url = redirectedUrl;
44
64
  continue;
45
65
  }
46
66
  if (!response.ok) {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@fedify/fedify",
3
- "version": "1.1.10",
3
+ "version": "1.1.11",
4
4
  "description": "An ActivityPub server framework",
5
5
  "keywords": [
6
6
  "ActivityPub",
package/types/runtime/url.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"url.d.ts","sourceRoot":"","sources":["../../src/runtime/url.ts"],"names":[],"mappings":"AAIA,qBAAa,QAAS,SAAQ,KAAK;gBACrB,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAqClE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CASjE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,WASvD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAWzD"}
1
+ {"version":3,"file":"url.d.ts","sourceRoot":"","sources":["../../src/runtime/url.ts"],"names":[],"mappings":"AAKA,qBAAa,QAAS,SAAQ,KAAK;gBACrB,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA0ClE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CASjE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,WASvD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAWzD"}
package/types/webfinger/lookup.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"lookup.d.ts","sourceRoot":"","sources":["../../src/webfinger/lookup.ts"],"names":[],"mappings":";AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAInD;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,GAAG,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAmEpC"}
1
+ {"version":3,"file":"lookup.d.ts","sourceRoot":"","sources":["../../src/webfinger/lookup.ts"],"names":[],"mappings":";AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAMnD;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,GAAG,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CA2FpC"}