@fedify/fedify 1.2.9 → 1.2.11

package/CHANGES.md

@@ -3,6 +3,38 @@
 Fedify changelog
 ================
 
+Version 1.2.11
+--------------
+
+Released on January 21, 2025.
+
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
+
+
+Version 1.2.10
+--------------
+
+Released on December 18, 2024.
+
+ -  Fixed the default document loader to handle the `Link` header with
+    incorrect syntax.  [[#196]]
+
+
 Version 1.2.9
 -------------
 
@@ -218,6 +250,38 @@ Released on October 31, 2024.
 [#118]: https://github.com/dahlia/fedify/issues/118
 
 
+Version 1.1.11
+--------------
+
+Released on January 21, 2025.
+
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
+
+
+Version 1.1.10
+--------------
+
+Released on December 18, 2024.
+
+ -  Fixed the default document loader to handle the `Link` header with
+    incorrect syntax.  [[#196]]
+
+
 Version 1.1.9
 -------------
 
@@ -474,6 +538,42 @@ Released on October 20, 2024.
 [#150]: https://github.com/dahlia/fedify/issues/150
 
 
+Version 1.0.14
+--------------
+
+Released on January 21, 2025.
+
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
+
+[CVE-2025-23221]: https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx
+
+
+Version 1.0.13
+--------------
+
+Released on December 18, 2024.
+
+ -  Fixed the default document loader to handle the `Link` header with
+    incorrect syntax.  [[#196]]
+
+[#196]: https://github.com/dahlia/fedify/issues/196
+
+
 Version 1.0.12
 --------------
 

package/esm/federation/collection.js

@@ -1,5 +1,5 @@
 import * as dntShim from "../_dnt.shims.js";
-import { encodeHex } from "../deps/jsr.io/@std/encoding/1.0.5/hex.js";
+import { encodeHex } from "../deps/jsr.io/@std/encoding/1.0.6/hex.js";
 /**
  * Calculates the [partial follower collection digest][1].
  *

package/esm/runtime/docloader.js

@@ -61,7 +61,18 @@ async function getRemoteDocument(url, response, fetch) {
     const linkHeader = response.headers.get("Link");
     let contextUrl = null;
     if (linkHeader != null) {
-        const link = new HTTPHeaderLink(linkHeader);
+        let link;
+        try {
+            link = new HTTPHeaderLink(linkHeader);
+        }
+        catch (e) {
+            if (e instanceof SyntaxError) {
+                link = new HTTPHeaderLink();
+            }
+            else {
+                throw e;
+            }
+        }
         if (jsonLd) {
             const entries = link.getByRel("http://www.w3.org/ns/json-ld#context");
             for (const [uri, params] of entries) {

package/esm/runtime/key.js

@@ -1,9 +1,9 @@
 import * as dntShim from "../_dnt.shims.js";
 import { createPublicKey } from "node:crypto";
 import { concat } from "../deps/jsr.io/@std/bytes/1.0.4/concat.js";
-import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.5/base64.js";
-import { decodeBase64Url } from "../deps/jsr.io/@std/encoding/1.0.5/base64url.js";
-import { decodeHex } from "../deps/jsr.io/@std/encoding/1.0.5/hex.js";
+import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.6/base64.js";
+import { decodeBase64Url } from "../deps/jsr.io/@std/encoding/1.0.6/base64url.js";
+import { decodeHex } from "../deps/jsr.io/@std/encoding/1.0.6/hex.js";
 import { Integer, Sequence } from "asn1js";
 import { decode, encode } from "multibase";
 import { addPrefix, getCodeFromData, rmPrefix } from "multicodec";

package/esm/runtime/url.js

@@ -38,7 +38,13 @@ export async function validatePublicUrl(url) {
     }
     // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses
     // and ensure that they are all public:
-    const addresses = await lookup(hostname, { all: true });
+    let addresses;
+    try {
+        addresses = await lookup(hostname, { all: true });
+    }
+    catch {
+        addresses = [];
+    }
     for (const { address, family } of addresses) {
         if (family === 4 && !isValidPublicIPv4Address(address) ||
             family === 6 && !isValidPublicIPv6Address(address) ||

package/esm/sig/http.js

@@ -1,7 +1,7 @@
 import * as dntShim from "../_dnt.shims.js";
 import { getLogger } from "@logtape/logtape";
 import { equals } from "../deps/jsr.io/@std/bytes/1.0.4/mod.js";
-import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.5/base64.js";
+import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.6/base64.js";
 import { CryptographicKey } from "../vocab/vocab.js";
 import { fetchKey, validateCryptoKey } from "./key.js";
 /**

package/esm/sig/ld.js

@@ -1,7 +1,7 @@
 import * as dntShim from "../_dnt.shims.js";
 import { getLogger } from "@logtape/logtape";
-import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.5/base64.js";
-import { encodeHex } from "../deps/jsr.io/@std/encoding/1.0.5/hex.js";
+import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.6/base64.js";
+import { encodeHex } from "../deps/jsr.io/@std/encoding/1.0.6/hex.js";
 // @ts-ignore TS7016
 import jsonld from "jsonld";
 import { fetchDocumentLoader, } from "../runtime/docloader.js";

package/esm/webfinger/lookup.js

@@ -1,5 +1,7 @@
 import { getLogger } from "@logtape/logtape";
+import { validatePublicUrl } from "../runtime/url.js";
 const logger = getLogger(["fedify", "webfinger", "lookup"]);
+const MAX_REDIRECTION = 5; // TODO: Make this configurable.
 /**
  * Looks up a WebFinger resource.
  * @param resource The resource URL to look up.
@@ -25,9 +27,11 @@ export async function lookupWebFinger(resource) {
     }
     let url = new URL(`${protocol}//${server}/.well-known/webfinger`);
     url.searchParams.set("resource", resource.href);
+    let redirected = 0;
     while (true) {
         logger.debug("Fetching WebFinger resource descriptor from {url}...", { url: url.href });
         let response;
+        await validatePublicUrl(url.href);
         try {
             response = await fetch(url, {
                 headers: { Accept: "application/jrd+json" },
@@ -40,7 +44,23 @@ export async function lookupWebFinger(resource) {
         }
         if (response.status >= 300 && response.status < 400 &&
             response.headers.has("Location")) {
-            url = new URL(response.headers.get("Location"), response.url == null || response.url === "" ? url : response.url);
+            redirected++;
+            if (redirected >= MAX_REDIRECTION) {
+                logger.error("Too many redirections ({redirections}) while fetching WebFinger " +
+                    "resource descriptor.", { redirections: redirected });
+                return null;
+            }
+            const redirectedUrl = new URL(response.headers.get("Location"), response.url == null || response.url === "" ? url : response.url);
+            if (redirectedUrl.protocol !== url.protocol) {
+                logger.error("Redirected to a different protocol ({protocol} to " +
+                    "{redirectedProtocol}) while fetching WebFinger resource " +
+                    "descriptor.", {
+                    protocol: url.protocol,
+                    redirectedProtocol: redirectedUrl.protocol,
+                });
+                return null;
+            }
+            url = redirectedUrl;
             continue;
         }
         if (!response.ok) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/fedify",
-  "version": "1.2.9",
+  "version": "1.2.11",
   "description": "An ActivityPub server framework",
   "keywords": [
     "ActivityPub",

package/types/deps/jsr.io/@std/encoding/{1.0.5 → 1.0.6}/_validate_binary_like.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"_validate_binary_like.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/encoding/1.0.5/_validate_binary_like.ts"],"names":[],"mappings":"AAeA,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,OAAO,GAAG,UAAU,CAa9D"}
+{"version":3,"file":"_validate_binary_like.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/encoding/1.0.6/_validate_binary_like.ts"],"names":[],"mappings":"AAeA,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,OAAO,GAAG,UAAU,CAa9D"}

package/types/deps/jsr.io/@std/encoding/{1.0.5 → 1.0.6}/base64.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"base64.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/encoding/1.0.5/base64.ts"],"names":[],"mappings":"AA6FA;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,MAAM,CAmC5E;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAQpD"}
+{"version":3,"file":"base64.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/encoding/1.0.6/base64.ts"],"names":[],"mappings":"AA6FA;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,MAAM,CAmC5E;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAQpD"}

package/types/deps/jsr.io/@std/encoding/{1.0.5 → 1.0.6}/base64url.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"base64url.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/encoding/1.0.5/base64url.ts"],"names":[],"mappings":"AA4CA;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,eAAe,CAC7B,IAAI,EAAE,WAAW,GAAG,UAAU,GAAG,MAAM,GACtC,MAAM,CAER;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAE1D"}
+{"version":3,"file":"base64url.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/encoding/1.0.6/base64url.ts"],"names":[],"mappings":"AA4CA;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,eAAe,CAC7B,IAAI,EAAE,WAAW,GAAG,UAAU,GAAG,MAAM,GACtC,MAAM,CAER;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAE1D"}

package/types/deps/jsr.io/@std/encoding/{1.0.5 → 1.0.6}/hex.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hex.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/encoding/1.0.5/hex.ts"],"names":[],"mappings":"AAwDA;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,WAAW,GAAG,MAAM,CAUxE;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAiBjD"}
+{"version":3,"file":"hex.d.ts","sourceRoot":"","sources":["../../../../../../src/deps/jsr.io/@std/encoding/1.0.6/hex.ts"],"names":[],"mappings":"AAwDA;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,WAAW,GAAG,MAAM,CAUxE;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAiBjD"}

package/types/runtime/docloader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"docloader.d.ts","sourceRoot":"","sources":["../../src/runtime/docloader.ts"],"names":[],"mappings":";AAAA,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAG5C,OAAO,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAQ1D;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B;;OAEG;IACH,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1B;;OAEG;IACH,QAAQ,EAAE,OAAO,CAAC;IAElB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;AAEtE;;;;;;;;GAQG;AACH,MAAM,MAAM,kCAAkC,GAAG,CAC/C,QAAQ,EAAE;IAAE,KAAK,EAAE,GAAG,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;CAAE,KACpD,cAAc,CAAC;AAEpB;;GAEG;AACH,qBAAa,UAAW,SAAQ,KAAK;IACnC;;OAEG;IACH,GAAG,EAAE,GAAG,CAAC;IAET;;;;;OAKG;gBACS,GAAG,EAAE,GAAG,GAAG,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM;CAKhD;AAoID;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,MAAM,EACX,mBAAmB,GAAE,OAAe,GACnC,OAAO,CAAC,cAAc,CAAC,CA0CzB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,8BAA8B,CAC5C,QAAQ,EAAE;IAAE,KAAK,EAAE,GAAG,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;CAAE,EACvD,mBAAmB,GAAE,OAAe,GACnC,cAAc,CAgChB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,MAAM,EAAE,cAAc,CAAC;IAEvB;;OAEG;IACH,EAAE,EAAE,OAAO,CAAC;IAEZ;;;OAGG;IACH,MAAM,CAAC,EAAE,KAAK,CAAC;IAEf;;;;;;;OAOG;IACH,KAAK,CAAC,EAAE,CAAC,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;CAC1E;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CACrB,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,iBAAiB,GAC/C,cAAc,CA2ChB"}
+{"version":3,"file":"docloader.d.ts","sourceRoot":"","sources":["../../src/runtime/docloader.ts"],"names":[],"mappings":";AAAA,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAG5C,OAAO,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAQ1D;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B;;OAEG;IACH,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1B;;OAEG;IACH,QAAQ,EAAE,OAAO,CAAC;IAElB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;AAEtE;;;;;;;;GAQG;AACH,MAAM,MAAM,kCAAkC,GAAG,CAC/C,QAAQ,EAAE;IAAE,KAAK,EAAE,GAAG,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;CAAE,KACpD,cAAc,CAAC;AAEpB;;GAEG;AACH,qBAAa,UAAW,SAAQ,KAAK;IACnC;;OAEG;IACH,GAAG,EAAE,GAAG,CAAC;IAET;;;;;OAKG;gBACS,GAAG,EAAE,GAAG,GAAG,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM;CAKhD;AA6ID;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,MAAM,EACX,mBAAmB,GAAE,OAAe,GACnC,OAAO,CAAC,cAAc,CAAC,CA0CzB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,8BAA8B,CAC5C,QAAQ,EAAE;IAAE,KAAK,EAAE,GAAG,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;CAAE,EACvD,mBAAmB,GAAE,OAAe,GACnC,cAAc,CAgChB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,MAAM,EAAE,cAAc,CAAC;IAEvB;;OAEG;IACH,EAAE,EAAE,OAAO,CAAC;IAEZ;;;OAGG;IACH,MAAM,CAAC,EAAE,KAAK,CAAC;IAEf;;;;;;;OAOG;IACH,KAAK,CAAC,EAAE,CAAC,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;CAC1E;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CACrB,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,iBAAiB,GAC/C,cAAc,CA2ChB"}

package/types/runtime/url.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"url.d.ts","sourceRoot":"","sources":["../../src/runtime/url.ts"],"names":[],"mappings":"AAIA,qBAAa,QAAS,SAAQ,KAAK;gBACrB,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAqClE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CASjE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,WASvD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAWzD"}
+{"version":3,"file":"url.d.ts","sourceRoot":"","sources":["../../src/runtime/url.ts"],"names":[],"mappings":"AAKA,qBAAa,QAAS,SAAQ,KAAK;gBACrB,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA0ClE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CASjE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,WASvD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAWzD"}

package/types/webfinger/lookup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"lookup.d.ts","sourceRoot":"","sources":["../../src/webfinger/lookup.ts"],"names":[],"mappings":";AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAInD;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,GAAG,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAmEpC"}
+{"version":3,"file":"lookup.d.ts","sourceRoot":"","sources":["../../src/webfinger/lookup.ts"],"names":[],"mappings":";AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAMnD;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,GAAG,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CA2FpC"}