@fedify/fedify 1.3.2 → 1.3.4

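--- a/package/CHANGES.md
+++ b/package/CHANGES.md
@@ -3,6 +3,38 @@
 Fedify changelog
 ================
 
+Version 1.3.4
+-------------
+
+Released on January 21, 2025.
+
+- Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+[[CVE-2025-23221]]
+
+- Fixed a security vulnerability where the `lookupWebFinger()` function
+had followed the infinite number of redirects, which could lead to
+a denial of service attack. Now it follows up to 5 redirects.
+
+- Fixed a security vulnerability where the `lookupWebFinger()` function
+had followed the redirects to other than the HTTP/HTTPS schemes, which
+could lead to a security breach. Now it follows only the same scheme
+as the original request.
+
+- Fixed a security vulnerability where the `lookupWebFinger()` function
+had followed the redirects to the private network addresses, which
+could lead to a SSRF attack. Now it follows only the public network
+addresses.
+
+
+Version 1.3.3
+-------------
+
+Released on December 30, 2024.
+
+- The `fetchDocumentLoader()` function now preloads the following JSON-LD
+context: <https://gotosocial.org/ns>.
+
+
 Version 1.3.2
 -------------
 
@@ -138,6 +170,29 @@ Released on November 30, 2024.
 [#193]: https://github.com/dahlia/fedify/issues/193
 
 
+Version 1.2.11
+--------------
+
+Released on January 21, 2025.
+
+- Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+[[CVE-2025-23221]]
+
+- Fixed a security vulnerability where the `lookupWebFinger()` function
+had followed the infinite number of redirects, which could lead to
+a denial of service attack. Now it follows up to 5 redirects.
+
+- Fixed a security vulnerability where the `lookupWebFinger()` function
+had followed the redirects to other than the HTTP/HTTPS schemes, which
+could lead to a security breach. Now it follows only the same scheme
+as the original request.
+
+- Fixed a security vulnerability where the `lookupWebFinger()` function
+had followed the redirects to the private network addresses, which
+could lead to a SSRF attack. Now it follows only the public network
+addresses.
+
+
 Version 1.2.10
 --------------
 
@@ -362,6 +417,29 @@ Released on October 31, 2024.
 [#118]: https://github.com/dahlia/fedify/issues/118
 
 
+Version 1.1.11
+--------------
+
+Released on January 21, 2025.
+
+- Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+[[CVE-2025-23221]]
+
+- Fixed a security vulnerability where the `lookupWebFinger()` function
+had followed the infinite number of redirects, which could lead to
+a denial of service attack. Now it follows up to 5 redirects.
+
+- Fixed a security vulnerability where the `lookupWebFinger()` function
+had followed the redirects to other than the HTTP/HTTPS schemes, which
+could lead to a security breach. Now it follows only the same scheme
+as the original request.
+
+- Fixed a security vulnerability where the `lookupWebFinger()` function
+had followed the redirects to the private network addresses, which
+could lead to a SSRF attack. Now it follows only the public network
+addresses.
+
+
 Version 1.1.10
 --------------
 
@@ -627,6 +705,31 @@ Released on October 20, 2024.
 [#150]: https://github.com/dahlia/fedify/issues/150
 
 
+Version 1.0.14
+--------------
+
+Released on January 21, 2025.
+
+- Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+[[CVE-2025-23221]]
+
+- Fixed a security vulnerability where the `lookupWebFinger()` function
+had followed the infinite number of redirects, which could lead to
+a denial of service attack. Now it follows up to 5 redirects.
+
+- Fixed a security vulnerability where the `lookupWebFinger()` function
+had followed the redirects to other than the HTTP/HTTPS schemes, which
+could lead to a security breach. Now it follows only the same scheme
+as the original request.
+
+- Fixed a security vulnerability where the `lookupWebFinger()` function
+had followed the redirects to the private network addresses, which
+could lead to a SSRF attack. Now it follows only the public network
+addresses.
+
+[CVE-2025-23221]: https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx
+
+
 Version 1.0.13
 --------------
 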
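--- a/package/LICENSE
+++ b/package/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright 2024 Hong Minhee
+Copyright 2024–2025 Hong Minhee
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in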
package/esm/deno.js CHANGED
@@ -1,6 +1,6 @@
1
1
  export default {
2
2
  "name": "@fedify/fedify",
3
- "version": "1.3.2",
3
+ "version": "1.3.4",
4
4
  "license": "MIT",
5
5
  "exports": {
6
6
  ".": "./mod.ts",
@@ -4154,5 +4154,38 @@ const preloadedContexts = {
4154
4154
  "yield": { "@id": "schema:yield" },
4155
4155
  },
4156
4156
  },
4157
+ "https://gotosocial.org/ns": {
4158
+ "@context": {
4159
+ "gts": "https://gotosocial.org/ns#",
4160
+ "interactionPolicy": {
4161
+ "@id": "gts:interactionPolicy",
4162
+ "@type": "@id",
4163
+ },
4164
+ "canLike": {
4165
+ "@id": "gts:canLike",
4166
+ "@type": "@id",
4167
+ },
4168
+ "canReply": {
4169
+ "@id": "gts:canReply",
4170
+ "@type": "@id",
4171
+ },
4172
+ "canAnnounce": {
4173
+ "@id": "gts:canAnnounce",
4174
+ "@type": "@id",
4175
+ },
4176
+ "always": {
4177
+ "@id": "gts:always",
4178
+ "@type": "@id",
4179
+ },
4180
+ "approvalRequired": {
4181
+ "@id": "gts:approvalRequired",
4182
+ "@type": "@id",
4183
+ },
4184
+ "approvedBy": {
4185
+ "@id": "gts:approvedBy",
4186
+ "@type": "@id",
4187
+ },
4188
+ },
4189
+ },
4157
4190
  };
4158
4191
  export default preloadedContexts;
@@ -38,7 +38,13 @@ export async function validatePublicUrl(url) {
38
38
  }
39
39
  // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses
40
40
  // and ensure that they are all public:
41
- const addresses = await lookup(hostname, { all: true });
41
+ let addresses;
42
+ try {
43
+ addresses = await lookup(hostname, { all: true });
44
+ }
45
+ catch {
46
+ addresses = [];
47
+ }
42
48
  for (const { address, family } of addresses) {
43
49
  if (family === 4 && !isValidPublicIPv4Address(address) ||
44
50
  family === 6 && !isValidPublicIPv6Address(address) ||
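Review bot: The new bare `catch` (new-side lines 45–47) turns any DNS failure into an empty `addresses` array, so the `for` loop that enforces the public-address rule never executes and, unless the code after this hunk explicitly rejects an empty result, a hostname that fails to resolve here (NXDOMAIN, SERVFAIL, resolver timeout) passes validation while the caller's later fetch does its own, unchecked resolution — which is the DNS-rebinding/SSRF path the comment on lines 39–40 says this block exists to prevent. The enclosing `validatePublicUrl` starts before the hunk and its tail is not visible, so I cannot confirm how an empty list is handled; a fail-closed shape would be to rethrow with the lookup error attached (`catch (err) { throw new Error(\`Failed to resolve ${hostname}\`, { cause: err }); }`) or, if the empty list is intentional, to reject it right after the loop with the same error the function already raises for non-public hosts. If the swallow is a deliberate best-effort choice, please say so in a comment (`// Unresolvable hostnames are treated as having no public address and are rejected below`) and narrow the catch to resolver errors (`err.code`) rather than every exception, so a programming error in `lookup` is not silently mistaken for a DNS miss.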