@fedify/fedify 1.4.0-dev.599 → 1.4.0-dev.610

package/CHANGES.md

@@ -39,6 +39,8 @@ To be released.
      -  `new Object()` constructor now accepts `emojiReactions` option.
      -  `Object.clone()` method now accepts `emojiReactions` option.
 
+ -  Added `allowPrivateAddress` option to `LookupWebFingerOptions` interface.
+
  -  Added `-t`/`--traverse` option to the `fedify lookup` subcommand.  [[#195]]
 
  -  Added `-S`/`--suppress-errors` option to the `fedify lookup` subcommand.
@@ -48,6 +50,43 @@ To be released.
 [#195]: https://github.com/dahlia/fedify/issues/195
 
 
+Version 1.3.5
+-------------
+
+Released on January 21, 2025.
+
+ -  Fixed a bug where `CreateFederationOptions.allowPrivateAddress` option had
+    been ignored by the `Context.lookupObject()` method when it had taken
+    a fediverse handle.
+
+ -  The `lookupWebFinger()` function became to silently return `null` when
+    it fails to fetch the WebFinger document due to accessing a private network
+    address, instead of throwing a `UrlError`.
+
+
+Version 1.3.4
+-------------
+
+Released on January 21, 2025.
+
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
+
+
 Version 1.3.3
 -------------
 
@@ -192,6 +231,29 @@ Released on November 30, 2024.
 [#193]: https://github.com/dahlia/fedify/issues/193
 
 
+Version 1.2.11
+--------------
+
+Released on January 21, 2025.
+
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
+
+
 Version 1.2.10
 --------------
 
@@ -416,6 +478,29 @@ Released on October 31, 2024.
 [#118]: https://github.com/dahlia/fedify/issues/118
 
 
+Version 1.1.11
+--------------
+
+Released on January 21, 2025.
+
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
+
+
 Version 1.1.10
 --------------
 
@@ -681,6 +766,31 @@ Released on October 20, 2024.
 [#150]: https://github.com/dahlia/fedify/issues/150
 
 
+Version 1.0.14
+--------------
+
+Released on January 21, 2025.
+
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
+
+[CVE-2025-23221]: https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx
+
+
 Version 1.0.13
 --------------
 

package/esm/deno.js

@@ -1,6 +1,6 @@
 export default {
     "name": "@fedify/fedify",
-    "version": "1.4.0-dev.599+72b4d6d0",
+    "version": "1.4.0-dev.610+beefd859",
     "license": "MIT",
     "exports": {
         ".": "./mod.ts",

package/esm/federation/middleware.js

@@ -58,6 +58,7 @@ export class FederationImpl {
     documentLoader;
     contextLoader;
     authenticatedDocumentLoaderFactory;
+    allowPrivateAddress;
     userAgent;
     onOutboxError;
     signatureTimeWindow;
@@ -112,6 +113,7 @@ export class FederationImpl {
             }
         }
         const { allowPrivateAddress, userAgent } = options;
+        this.allowPrivateAddress = allowPrivateAddress ?? false;
         this.documentLoader = options.documentLoader ?? kvCache({
             loader: getDocumentLoader({ allowPrivateAddress, userAgent }),
             kv: options.kv,
@@ -1826,6 +1828,8 @@ export class ContextImpl {
             contextLoader: options.contextLoader ?? this.contextLoader,
             userAgent: options.userAgent ?? this.federation.userAgent,
             tracerProvider: options.tracerProvider ?? this.tracerProvider,
+            // @ts-ignore: `allowPrivateAddress` is not in the type definition.
+            allowPrivateAddress: this.federation.allowPrivateAddress,
         });
     }
     traverseCollection(collection, options = {}) {

package/esm/runtime/url.js

@@ -38,7 +38,13 @@ export async function validatePublicUrl(url) {
     }
     // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses
     // and ensure that they are all public:
-    const addresses = await lookup(hostname, { all: true });
+    let addresses;
+    try {
+        addresses = await lookup(hostname, { all: true });
+    }
+    catch {
+        addresses = [];
+    }
     for (const { address, family } of addresses) {
         if (family === 4 && !isValidPublicIPv4Address(address) ||
             family === 6 && !isValidPublicIPv6Address(address) ||

package/esm/vocab/lookup.js

@@ -95,6 +95,8 @@ async function lookupObjectInternal(identifier, options = {}) {
         const jrd = await lookupWebFinger(identifier, {
             userAgent: options.userAgent,
             tracerProvider: options.tracerProvider,
+            allowPrivateAddress: "allowPrivateAddress" in options &&
+                options.allowPrivateAddress === true,
         });
         if (jrd?.links == null)
             return null;