@fedify/fedify 1.3.19 → 1.3.20
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGES.md +15 -0
- package/esm/deno.js +2 -2
- package/esm/federation/handler.js +15 -15
- package/esm/vocab/vocab.js +173 -173
- package/package.json +1 -1
- package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/common.d.ts.map +1 -1
- package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/encoding.d.ts.map +1 -1
- package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/language.d.ts.map +1 -1
- package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/media_type.d.ts.map +1 -1
- package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/negotiation.d.ts.map +1 -1
- /package/esm/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/common.js +0 -0
- /package/esm/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/encoding.js +0 -0
- /package/esm/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/language.js +0 -0
- /package/esm/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/media_type.js +0 -0
- /package/esm/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/negotiation.js +0 -0
- /package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/common.d.ts +0 -0
- /package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/encoding.d.ts +0 -0
- /package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/language.d.ts +0 -0
- /package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/media_type.d.ts +0 -0
- /package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/negotiation.d.ts +0 -0
package/CHANGES.md
CHANGED
|
@@ -3,6 +3,21 @@
|
|
|
3
3
|
Fedify changelog
|
|
4
4
|
================
|
|
5
5
|
|
|
6
|
+
Version 1.3.20
|
|
7
|
+
--------------
|
|
8
|
+
|
|
9
|
+
Released on August 8, 2025.
|
|
10
|
+
|
|
11
|
+
- Fixed a critical authentication bypass vulnerability in the inbox handler
|
|
12
|
+
that allowed unauthenticated attackers to impersonate any ActivityPub actor.
|
|
13
|
+
The vulnerability occurred because activities were processed before
|
|
14
|
+
verifying that the HTTP Signatures key belonged to the claimed actor.
|
|
15
|
+
Now authentication verification is performed before activity processing to
|
|
16
|
+
prevent actor impersonation attacks. [[CVE-2025-54888]]
|
|
17
|
+
|
|
18
|
+
[CVE-2025-54888]: https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4
|
|
19
|
+
|
|
20
|
+
|
|
6
21
|
Version 1.3.19
|
|
7
22
|
--------------
|
|
8
23
|
|
package/esm/deno.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
export default {
|
|
2
2
|
"name": "@fedify/fedify",
|
|
3
|
-
"version": "1.3.
|
|
3
|
+
"version": "1.3.20",
|
|
4
4
|
"license": "MIT",
|
|
5
5
|
"exports": {
|
|
6
6
|
".": "./mod.ts",
|
|
@@ -37,7 +37,7 @@ export default {
|
|
|
37
37
|
"@opentelemetry/semantic-conventions": "npm:@opentelemetry/semantic-conventions@^1.27.0",
|
|
38
38
|
"@phensley/language-tag": "npm:@phensley/language-tag@^1.9.0",
|
|
39
39
|
"@std/assert": "jsr:@std/assert@^0.226.0",
|
|
40
|
-
"@std/async": "jsr:@std/async
|
|
40
|
+
"@std/async": "jsr:@std/async@1.0.13",
|
|
41
41
|
"@std/bytes": "jsr:@std/bytes@^1.0.2",
|
|
42
42
|
"@std/collections": "jsr:@std/collections@^1.0.6",
|
|
43
43
|
"@std/encoding": "jsr:@std/encoding@1.0.7",
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { getLogger } from "@logtape/logtape";
|
|
2
2
|
import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
|
|
3
|
-
import { accepts } from "../deps/jsr.io/@std/http/1.0.
|
|
3
|
+
import { accepts } from "../deps/jsr.io/@std/http/1.0.20/negotiation.js";
|
|
4
4
|
import metadata from "../deno.js";
|
|
5
5
|
import { verifyRequest } from "../sig/http.js";
|
|
6
6
|
import { detachSignature, verifyJsonLd } from "../sig/ld.js";
|
|
@@ -418,20 +418,6 @@ async function handleInboxInternal(request, { recipient, context: ctx, inboxCont
|
|
|
418
418
|
span.setAttribute("activitypub.activity.id", activity.id.href);
|
|
419
419
|
}
|
|
420
420
|
span.setAttribute("activitypub.activity.type", getTypeId(activity).href);
|
|
421
|
-
const routeResult = await routeActivity({
|
|
422
|
-
context: ctx,
|
|
423
|
-
json,
|
|
424
|
-
activity,
|
|
425
|
-
recipient,
|
|
426
|
-
inboxListeners,
|
|
427
|
-
inboxContextFactory,
|
|
428
|
-
inboxErrorHandler,
|
|
429
|
-
kv,
|
|
430
|
-
kvPrefixes,
|
|
431
|
-
queue,
|
|
432
|
-
span,
|
|
433
|
-
tracerProvider,
|
|
434
|
-
});
|
|
435
421
|
if (httpSigKey != null && !await doesActorOwnKey(activity, httpSigKey, ctx)) {
|
|
436
422
|
logger.error("The signer ({keyId}) and the actor ({actorId}) do not match.", {
|
|
437
423
|
activity: json,
|
|
@@ -449,6 +435,20 @@ async function handleInboxInternal(request, { recipient, context: ctx, inboxCont
|
|
|
449
435
|
headers: { "Content-Type": "text/plain; charset=utf-8" },
|
|
450
436
|
});
|
|
451
437
|
}
|
|
438
|
+
const routeResult = await routeActivity({
|
|
439
|
+
context: ctx,
|
|
440
|
+
json,
|
|
441
|
+
activity,
|
|
442
|
+
recipient,
|
|
443
|
+
inboxListeners,
|
|
444
|
+
inboxContextFactory,
|
|
445
|
+
inboxErrorHandler,
|
|
446
|
+
kv,
|
|
447
|
+
kvPrefixes,
|
|
448
|
+
queue,
|
|
449
|
+
span,
|
|
450
|
+
tracerProvider,
|
|
451
|
+
});
|
|
452
452
|
if (routeResult === "alreadyProcessed") {
|
|
453
453
|
return new Response(`Activity <${activity.id}> has already been processed.`, {
|
|
454
454
|
status: 202,
|