npm - @fedify/fedify - Versions diffs - 1.4.0-dev.599 → 1.4.0-dev.607 - Mend

@fedify/fedify 1.4.0-dev.599 → 1.4.0-dev.607

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGES.md +94 -0
package/esm/deno.js +1 -1
package/esm/runtime/url.js +7 -1
package/esm/vocab/vocab.js +176 -176
package/esm/webfinger/lookup.js +21 -1
package/package.json +1 -1
package/types/runtime/url.d.ts.map +1 -1
package/types/webfinger/lookup.d.ts.map +1 -1

package/CHANGES.md CHANGED Viewed

@@ -48,6 +48,29 @@ To be released.
 [#195]: https://github.com/dahlia/fedify/issues/195
+Version 1.3.4
+-------------
+Released on January 21, 2025.
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
 Version 1.3.3
 -------------
@@ -192,6 +215,29 @@ Released on November 30, 2024.
 [#193]: https://github.com/dahlia/fedify/issues/193
+Version 1.2.11
+--------------
+Released on January 21, 2025.
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
 Version 1.2.10
 --------------
@@ -416,6 +462,29 @@ Released on October 31, 2024.
 [#118]: https://github.com/dahlia/fedify/issues/118
+Version 1.1.11
+--------------
+Released on January 21, 2025.
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
 Version 1.1.10
 --------------
@@ -681,6 +750,31 @@ Released on October 20, 2024.
 [#150]: https://github.com/dahlia/fedify/issues/150
+Version 1.0.14
+--------------
+Released on January 21, 2025.
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
+[CVE-2025-23221]: https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx
 Version 1.0.13
 --------------

package/esm/deno.js CHANGED Viewed

@@ -1,6 +1,6 @@
 export default {
     "name": "@fedify/fedify",
-    "version": "1.4.0-dev.599+72b4d6d0",
+    "version": "1.4.0-dev.607+b9f34f48",
     "license": "MIT",
     "exports": {
         ".": "./mod.ts",

package/esm/runtime/url.js CHANGED Viewed

@@ -38,7 +38,13 @@ export async function validatePublicUrl(url) {
     }
     // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses
     // and ensure that they are all public:
-    const addresses = await lookup(hostname, { all: true });
+    let addresses;
+    try {
+        addresses = await lookup(hostname, { all: true });
+    }
+    catch {
+        addresses = [];
+    }
     for (const { address, family } of addresses) {
         if (family === 4 && !isValidPublicIPv4Address(address) ||
             family === 6 && !isValidPublicIPv6Address(address) ||