@fedify/fedify 1.4.0-dev.598 → 1.4.0-dev.607

package/CHANGES.md

@@ -17,6 +17,20 @@ To be released.
      -  Added `ActorCallbackSetters.mapAlias()` method.
      -  Added `ActorAliasMapper` type.
 
+ -  Added `shares` property to `Object` class in Activity Vocabulary API.
+
+     -  Added `Object.sharesId` property.
+     -  Added `Object.getShares()` method.
+     -  `new Object()` constructor now accepts `shares` option.
+     -  `Object.clone()` method now accepts `shares` option.
+
+ -  Added `likes` property to `Object` class in Activity Vocabulary API.
+
+     -  Added `Object.likesId` property.
+     -  Added `Object.getLikes()` method.
+     -  `new Object()` constructor now accepts `likes` option.
+     -  `Object.clone()` method now accepts `likes` option.
+
  -  Added `emojiReactions` property to `Object` class in Activity Vocabulary
     API.
 
@@ -34,6 +48,29 @@ To be released.
 [#195]: https://github.com/dahlia/fedify/issues/195
 
 
+Version 1.3.4
+-------------
+
+Released on January 21, 2025.
+
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
+
+
 Version 1.3.3
 -------------
 
@@ -178,6 +215,29 @@ Released on November 30, 2024.
 [#193]: https://github.com/dahlia/fedify/issues/193
 
 
+Version 1.2.11
+--------------
+
+Released on January 21, 2025.
+
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
+
+
 Version 1.2.10
 --------------
 
@@ -402,6 +462,29 @@ Released on October 31, 2024.
 [#118]: https://github.com/dahlia/fedify/issues/118
 
 
+Version 1.1.11
+--------------
+
+Released on January 21, 2025.
+
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
+
+
 Version 1.1.10
 --------------
 
@@ -667,6 +750,31 @@ Released on October 20, 2024.
 [#150]: https://github.com/dahlia/fedify/issues/150
 
 
+Version 1.0.14
+--------------
+
+Released on January 21, 2025.
+
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
+
+[CVE-2025-23221]: https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx
+
+
 Version 1.0.13
 --------------
 

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright 2024 Hong Minhee
+Copyright 2024–2025 Hong Minhee
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in

package/esm/deno.js

@@ -1,6 +1,6 @@
 export default {
     "name": "@fedify/fedify",
-    "version": "1.4.0-dev.598+fbf64060",
+    "version": "1.4.0-dev.607+b9f34f48",
     "license": "MIT",
     "exports": {
         ".": "./mod.ts",

package/esm/runtime/url.js

@@ -38,7 +38,13 @@ export async function validatePublicUrl(url) {
     }
     // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses
     // and ensure that they are all public:
-    const addresses = await lookup(hostname, { all: true });
+    let addresses;
+    try {
+        addresses = await lookup(hostname, { all: true });
+    }
+    catch {
+        addresses = [];
+    }
     for (const { address, family } of addresses) {
         if (family === 4 && !isValidPublicIPv4Address(address) ||
             family === 6 && !isValidPublicIPv6Address(address) ||

package/esm/vocab/object.yaml

@@ -202,6 +202,38 @@ properties:
   range:
   - "https://www.w3.org/ns/activitystreams#Collection"
 
+- singularName: shares
+  functional: true
+  compactName: shares
+  uri: "https://www.w3.org/ns/activitystreams#shares"
+  description: |
+    Every object *may* have a `shares` collection. This is a list of all
+    {@link Announce} activities with this object as the `object` property,
+    added as a [side effect]. The `shares` collection *must* be either
+    an {@link OrderedCollection} or a {@link Collection} and *may* be filtered
+    on privileges of an authenticated user or as appropriate
+    when no authentication is given.
+
+    [side effect]: https://www.w3.org/TR/activitypub/#announce-activity-inbox
+  range:
+  - "https://www.w3.org/ns/activitystreams#Collection"
+
+- singularName: likes
+  functional: true
+  compactName: likes
+  uri: "https://www.w3.org/ns/activitystreams#likes"
+  description: |
+    Every object *may* have a `likes` collection. This is a list of all
+    {@link Like} activities with this object as the `object` property,
+    added as a [side effect]. The `likes` collection *must* be either
+    an {@link OrderedCollection} or a {@link Collection} and *may* be filtered
+    on privileges of an authenticated user or as appropriate
+    when no authentication is given.
+
+    [side effect]: https://www.w3.org/TR/activitypub/#announce-activity-inbox
+  range:
+  - "https://www.w3.org/ns/activitystreams#Collection"
+
 - singularName: emojiReactions
   functional: true
   compactName: emojiReactions