@fedify/fedify 1.1.9 → 1.1.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGES.md +68 -0
- package/esm/federation/collection.js +1 -1
- package/esm/runtime/docloader.js +12 -1
- package/esm/runtime/key.js +3 -3
- package/esm/runtime/url.js +7 -1
- package/esm/sig/http.js +1 -1
- package/esm/sig/ld.js +2 -2
- package/esm/webfinger/lookup.js +21 -1
- package/package.json +1 -1
- package/types/deps/jsr.io/@std/encoding/{1.0.5 → 1.0.6}/_validate_binary_like.d.ts.map +1 -1
- package/types/deps/jsr.io/@std/encoding/{1.0.5 → 1.0.6}/base64.d.ts.map +1 -1
- package/types/deps/jsr.io/@std/encoding/{1.0.5 → 1.0.6}/base64url.d.ts.map +1 -1
- package/types/deps/jsr.io/@std/encoding/{1.0.5 → 1.0.6}/hex.d.ts.map +1 -1
- package/types/runtime/docloader.d.ts.map +1 -1
- package/types/runtime/url.d.ts.map +1 -1
- package/types/webfinger/lookup.d.ts.map +1 -1
- /package/esm/deps/jsr.io/@std/encoding/{1.0.5 → 1.0.6}/_validate_binary_like.js +0 -0
- /package/esm/deps/jsr.io/@std/encoding/{1.0.5 → 1.0.6}/base64.js +0 -0
- /package/esm/deps/jsr.io/@std/encoding/{1.0.5 → 1.0.6}/base64url.js +0 -0
- /package/esm/deps/jsr.io/@std/encoding/{1.0.5 → 1.0.6}/hex.js +0 -0
- /package/types/deps/jsr.io/@std/encoding/{1.0.5 → 1.0.6}/_validate_binary_like.d.ts +0 -0
- /package/types/deps/jsr.io/@std/encoding/{1.0.5 → 1.0.6}/base64.d.ts +0 -0
- /package/types/deps/jsr.io/@std/encoding/{1.0.5 → 1.0.6}/base64url.d.ts +0 -0
- /package/types/deps/jsr.io/@std/encoding/{1.0.5 → 1.0.6}/hex.d.ts +0 -0
package/CHANGES.md
CHANGED
|
@@ -3,6 +3,38 @@
|
|
|
3
3
|
Fedify changelog
|
|
4
4
|
================
|
|
5
5
|
|
|
6
|
+
Version 1.1.11
|
|
7
|
+
--------------
|
|
8
|
+
|
|
9
|
+
Released on January 21, 2025.
|
|
10
|
+
|
|
11
|
+
- Fixed several security vulnerabilities of the `lookupWebFinger()` function.
|
|
12
|
+
[[CVE-2025-23221]]
|
|
13
|
+
|
|
14
|
+
- Fixed a security vulnerability where the `lookupWebFinger()` function
|
|
15
|
+
had followed the infinite number of redirects, which could lead to
|
|
16
|
+
a denial of service attack. Now it follows up to 5 redirects.
|
|
17
|
+
|
|
18
|
+
- Fixed a security vulnerability where the `lookupWebFinger()` function
|
|
19
|
+
had followed the redirects to other than the HTTP/HTTPS schemes, which
|
|
20
|
+
could lead to a security breach. Now it follows only the same scheme
|
|
21
|
+
as the original request.
|
|
22
|
+
|
|
23
|
+
- Fixed a security vulnerability where the `lookupWebFinger()` function
|
|
24
|
+
had followed the redirects to the private network addresses, which
|
|
25
|
+
could lead to a SSRF attack. Now it follows only the public network
|
|
26
|
+
addresses.
|
|
27
|
+
|
|
28
|
+
|
|
29
|
+
Version 1.1.10
|
|
30
|
+
--------------
|
|
31
|
+
|
|
32
|
+
Released on December 18, 2024.
|
|
33
|
+
|
|
34
|
+
- Fixed the default document loader to handle the `Link` header with
|
|
35
|
+
incorrect syntax. [[#196]]
|
|
36
|
+
|
|
37
|
+
|
|
6
38
|
Version 1.1.9
|
|
7
39
|
-------------
|
|
8
40
|
|
|
@@ -259,6 +291,42 @@ Released on October 20, 2024.
|
|
|
259
291
|
[#150]: https://github.com/dahlia/fedify/issues/150
|
|
260
292
|
|
|
261
293
|
|
|
294
|
+
Version 1.0.14
|
|
295
|
+
--------------
|
|
296
|
+
|
|
297
|
+
Released on January 21, 2025.
|
|
298
|
+
|
|
299
|
+
- Fixed several security vulnerabilities of the `lookupWebFinger()` function.
|
|
300
|
+
[[CVE-2025-23221]]
|
|
301
|
+
|
|
302
|
+
- Fixed a security vulnerability where the `lookupWebFinger()` function
|
|
303
|
+
had followed the infinite number of redirects, which could lead to
|
|
304
|
+
a denial of service attack. Now it follows up to 5 redirects.
|
|
305
|
+
|
|
306
|
+
- Fixed a security vulnerability where the `lookupWebFinger()` function
|
|
307
|
+
had followed the redirects to other than the HTTP/HTTPS schemes, which
|
|
308
|
+
could lead to a security breach. Now it follows only the same scheme
|
|
309
|
+
as the original request.
|
|
310
|
+
|
|
311
|
+
- Fixed a security vulnerability where the `lookupWebFinger()` function
|
|
312
|
+
had followed the redirects to the private network addresses, which
|
|
313
|
+
could lead to a SSRF attack. Now it follows only the public network
|
|
314
|
+
addresses.
|
|
315
|
+
|
|
316
|
+
[CVE-2025-23221]: https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx
|
|
317
|
+
|
|
318
|
+
|
|
319
|
+
Version 1.0.13
|
|
320
|
+
--------------
|
|
321
|
+
|
|
322
|
+
Released on December 18, 2024.
|
|
323
|
+
|
|
324
|
+
- Fixed the default document loader to handle the `Link` header with
|
|
325
|
+
incorrect syntax. [[#196]]
|
|
326
|
+
|
|
327
|
+
[#196]: https://github.com/dahlia/fedify/issues/196
|
|
328
|
+
|
|
329
|
+
|
|
262
330
|
Version 1.0.12
|
|
263
331
|
--------------
|
|
264
332
|
|
package/esm/runtime/docloader.js
CHANGED
|
@@ -61,7 +61,18 @@ async function getRemoteDocument(url, response, fetch) {
|
|
|
61
61
|
const linkHeader = response.headers.get("Link");
|
|
62
62
|
let contextUrl = null;
|
|
63
63
|
if (linkHeader != null) {
|
|
64
|
-
|
|
64
|
+
let link;
|
|
65
|
+
try {
|
|
66
|
+
link = new HTTPHeaderLink(linkHeader);
|
|
67
|
+
}
|
|
68
|
+
catch (e) {
|
|
69
|
+
if (e instanceof SyntaxError) {
|
|
70
|
+
link = new HTTPHeaderLink();
|
|
71
|
+
}
|
|
72
|
+
else {
|
|
73
|
+
throw e;
|
|
74
|
+
}
|
|
75
|
+
}
|
|
65
76
|
if (jsonLd) {
|
|
66
77
|
const entries = link.getByRel("http://www.w3.org/ns/json-ld#context");
|
|
67
78
|
for (const [uri, params] of entries) {
|
package/esm/runtime/key.js
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
import * as dntShim from "../_dnt.shims.js";
|
|
2
2
|
import { createPublicKey } from "node:crypto";
|
|
3
3
|
import { concat } from "../deps/jsr.io/@std/bytes/1.0.4/concat.js";
|
|
4
|
-
import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.
|
|
5
|
-
import { decodeBase64Url } from "../deps/jsr.io/@std/encoding/1.0.
|
|
6
|
-
import { decodeHex } from "../deps/jsr.io/@std/encoding/1.0.
|
|
4
|
+
import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.6/base64.js";
|
|
5
|
+
import { decodeBase64Url } from "../deps/jsr.io/@std/encoding/1.0.6/base64url.js";
|
|
6
|
+
import { decodeHex } from "../deps/jsr.io/@std/encoding/1.0.6/hex.js";
|
|
7
7
|
import { Integer, Sequence } from "asn1js";
|
|
8
8
|
import { decode, encode } from "multibase";
|
|
9
9
|
import { addPrefix, getCodeFromData, rmPrefix } from "multicodec";
|
package/esm/runtime/url.js
CHANGED
|
@@ -38,7 +38,13 @@ export async function validatePublicUrl(url) {
|
|
|
38
38
|
}
|
|
39
39
|
// To prevent SSRF via DNS rebinding, we need to resolve all IP addresses
|
|
40
40
|
// and ensure that they are all public:
|
|
41
|
-
|
|
41
|
+
let addresses;
|
|
42
|
+
try {
|
|
43
|
+
addresses = await lookup(hostname, { all: true });
|
|
44
|
+
}
|
|
45
|
+
catch {
|
|
46
|
+
addresses = [];
|
|
47
|
+
}
|
|
42
48
|
for (const { address, family } of addresses) {
|
|
43
49
|
if (family === 4 && !isValidPublicIPv4Address(address) ||
|
|
44
50
|
family === 6 && !isValidPublicIPv6Address(address) ||
|
package/esm/sig/http.js
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import * as dntShim from "../_dnt.shims.js";
|
|
2
2
|
import { getLogger } from "@logtape/logtape";
|
|
3
3
|
import { equals } from "../deps/jsr.io/@std/bytes/1.0.4/mod.js";
|
|
4
|
-
import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.
|
|
4
|
+
import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.6/base64.js";
|
|
5
5
|
import { CryptographicKey } from "../vocab/vocab.js";
|
|
6
6
|
import { fetchKey, validateCryptoKey } from "./key.js";
|
|
7
7
|
/**
|
package/esm/sig/ld.js
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import * as dntShim from "../_dnt.shims.js";
|
|
2
2
|
import { getLogger } from "@logtape/logtape";
|
|
3
|
-
import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.
|
|
4
|
-
import { encodeHex } from "../deps/jsr.io/@std/encoding/1.0.
|
|
3
|
+
import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.6/base64.js";
|
|
4
|
+
import { encodeHex } from "../deps/jsr.io/@std/encoding/1.0.6/hex.js";
|
|
5
5
|
// @ts-ignore TS7016
|
|
6
6
|
import jsonld from "jsonld";
|
|
7
7
|
import { fetchDocumentLoader, } from "../runtime/docloader.js";
|
package/esm/webfinger/lookup.js
CHANGED
|
@@ -1,5 +1,7 @@
|
|
|
1
1
|
import { getLogger } from "@logtape/logtape";
|
|
2
|
+
import { validatePublicUrl } from "../runtime/url.js";
|
|
2
3
|
const logger = getLogger(["fedify", "webfinger", "lookup"]);
|
|
4
|
+
const MAX_REDIRECTION = 5; // TODO: Make this configurable.
|
|
3
5
|
/**
|
|
4
6
|
* Looks up a WebFinger resource.
|
|
5
7
|
* @param resource The resource URL to look up.
|
|
@@ -25,9 +27,11 @@ export async function lookupWebFinger(resource) {
|
|
|
25
27
|
}
|
|
26
28
|
let url = new URL(`${protocol}//${server}/.well-known/webfinger`);
|
|
27
29
|
url.searchParams.set("resource", resource.href);
|
|
30
|
+
let redirected = 0;
|
|
28
31
|
while (true) {
|
|
29
32
|
logger.debug("Fetching WebFinger resource descriptor from {url}...", { url: url.href });
|
|
30
33
|
let response;
|
|
34
|
+
await validatePublicUrl(url.href);
|
|
31
35
|
try {
|
|
32
36
|
response = await fetch(url, {
|
|
33
37
|
headers: { Accept: "application/jrd+json" },
|
|
@@ -40,7 +44,23 @@ export async function lookupWebFinger(resource) {
|
|
|
40
44
|
}
|
|
41
45
|
if (response.status >= 300 && response.status < 400 &&
|
|
42
46
|
response.headers.has("Location")) {
|
|
43
|
-
|
|
47
|
+
redirected++;
|
|
48
|
+
if (redirected >= MAX_REDIRECTION) {
|
|
49
|
+
logger.error("Too many redirections ({redirections}) while fetching WebFinger " +
|
|
50
|
+
"resource descriptor.", { redirections: redirected });
|
|
51
|
+
return null;
|
|
52
|
+
}
|
|
53
|
+
const redirectedUrl = new URL(response.headers.get("Location"), response.url == null || response.url === "" ? url : response.url);
|
|
54
|
+
if (redirectedUrl.protocol !== url.protocol) {
|
|
55
|
+
logger.error("Redirected to a different protocol ({protocol} to " +
|
|
56
|
+
"{redirectedProtocol}) while fetching WebFinger resource " +
|
|
57
|
+
"descriptor.", {
|
|
58
|
+
protocol: url.protocol,
|
|
59
|
+
redirectedProtocol: redirectedUrl.protocol,
|
|
60
|
+
});
|
|
61
|
+
return null;
|
|
62
|
+
}
|
|
63
|
+
url = redirectedUrl;
|
|
44
64
|
continue;
|
|
45
65
|
}
|
|
46
66
|
if (!response.ok) {
|
package/package.json
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"_validate_binary_like.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/encoding/1.0.
|
|
1
|
+
{"version":3,"file":"_validate_binary_like.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/encoding/1.0.6/_validate_binary_like.ts"],"names":[],"mappings":"AAeA,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,OAAO,GAAG,UAAU,CAa9D"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"base64.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/encoding/1.0.
|
|
1
|
+
{"version":3,"file":"base64.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/encoding/1.0.6/base64.ts"],"names":[],"mappings":"AA6FA;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,MAAM,CAmC5E;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAQpD"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"base64url.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/encoding/1.0.
|
|
1
|
+
{"version":3,"file":"base64url.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/encoding/1.0.6/base64url.ts"],"names":[],"mappings":"AA4CA;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,eAAe,CAC7B,IAAI,EAAE,WAAW,GAAG,UAAU,GAAG,MAAM,GACtC,MAAM,CAER;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAE1D"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"hex.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/encoding/1.0.
|
|
1
|
+
{"version":3,"file":"hex.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/encoding/1.0.6/hex.ts"],"names":[],"mappings":"AAwDA;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,WAAW,GAAG,MAAM,CAUxE;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAiBjD"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"docloader.d.ts","sourceRoot":"","sources":["../../src/runtime/docloader.ts"],"names":[],"mappings":";AAAA,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAG5C,OAAO,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAQ1D;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B;;OAEG;IACH,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1B;;OAEG;IACH,QAAQ,EAAE,OAAO,CAAC;IAElB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;AAEtE;;;;;;;;GAQG;AACH,MAAM,MAAM,kCAAkC,GAAG,CAC/C,QAAQ,EAAE;IAAE,KAAK,EAAE,GAAG,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;CAAE,KACpD,cAAc,CAAC;AAEpB;;GAEG;AACH,qBAAa,UAAW,SAAQ,KAAK;IACnC;;OAEG;IACH,GAAG,EAAE,GAAG,CAAC;IAET;;;;;OAKG;gBACS,GAAG,EAAE,GAAG,GAAG,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM;CAKhD;
|
|
1
|
+
{"version":3,"file":"docloader.d.ts","sourceRoot":"","sources":["../../src/runtime/docloader.ts"],"names":[],"mappings":";AAAA,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAG5C,OAAO,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAQ1D;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B;;OAEG;IACH,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1B;;OAEG;IACH,QAAQ,EAAE,OAAO,CAAC;IAElB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;AAEtE;;;;;;;;GAQG;AACH,MAAM,MAAM,kCAAkC,GAAG,CAC/C,QAAQ,EAAE;IAAE,KAAK,EAAE,GAAG,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;CAAE,KACpD,cAAc,CAAC;AAEpB;;GAEG;AACH,qBAAa,UAAW,SAAQ,KAAK;IACnC;;OAEG;IACH,GAAG,EAAE,GAAG,CAAC;IAET;;;;;OAKG;gBACS,GAAG,EAAE,GAAG,GAAG,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM;CAKhD;AA6ID;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,MAAM,EACX,mBAAmB,GAAE,OAAe,GACnC,OAAO,CAAC,cAAc,CAAC,CA0CzB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,8BAA8B,CAC5C,QAAQ,EAAE;IAAE,KAAK,EAAE,GAAG,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;CAAE,EACvD,mBAAmB,GAAE,OAAe,GACnC,cAAc,CAgChB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,MAAM,EAAE,cAAc,CAAC;IAEvB;;OAEG;IACH,EAAE,EAAE,OAAO,CAAC;IAEZ;;;OAGG;IACH,MAAM,CAAC,EAAE,KAAK,CAAC;IAEf;;;;;;;OAOG;IACH,KAAK,CAAC,EAAE,CAAC,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;CAC1E;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CACrB,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,iBAAiB,GAC/C,cAAc,CA2ChB"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"url.d.ts","sourceRoot":"","sources":["../../src/runtime/url.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"url.d.ts","sourceRoot":"","sources":["../../src/runtime/url.ts"],"names":[],"mappings":"AAKA,qBAAa,QAAS,SAAQ,KAAK;gBACrB,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA0ClE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CASjE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,WASvD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAWzD"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"lookup.d.ts","sourceRoot":"","sources":["../../src/webfinger/lookup.ts"],"names":[],"mappings":";
|
|
1
|
+
{"version":3,"file":"lookup.d.ts","sourceRoot":"","sources":["../../src/webfinger/lookup.ts"],"names":[],"mappings":";AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAMnD;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,GAAG,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CA2FpC"}
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|