@fedify/fedify 1.5.4 → 1.5.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGES.md +41 -0
- package/esm/deno.js +2 -2
- package/esm/federation/handler.js +15 -15
- package/esm/vocab/vocab.js +176 -176
- package/package.json +1 -1
- package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/common.d.ts.map +1 -1
- package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/encoding.d.ts.map +1 -1
- package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/language.d.ts.map +1 -1
- package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/media_type.d.ts.map +1 -1
- package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/negotiation.d.ts.map +1 -1
- /package/esm/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/common.js +0 -0
- /package/esm/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/encoding.js +0 -0
- /package/esm/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/language.js +0 -0
- /package/esm/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/media_type.js +0 -0
- /package/esm/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/negotiation.js +0 -0
- /package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/common.d.ts +0 -0
- /package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/encoding.d.ts +0 -0
- /package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/language.d.ts +0 -0
- /package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/_negotiation/media_type.d.ts +0 -0
- /package/types/deps/jsr.io/@std/http/{1.0.18 → 1.0.20}/negotiation.d.ts +0 -0
package/CHANGES.md
CHANGED
|
@@ -3,6 +3,19 @@
|
|
|
3
3
|
Fedify changelog
|
|
4
4
|
================
|
|
5
5
|
|
|
6
|
+
Version 1.5.5
|
|
7
|
+
-------------
|
|
8
|
+
|
|
9
|
+
Released on August 8, 2025.
|
|
10
|
+
|
|
11
|
+
- Fixed a critical authentication bypass vulnerability in the inbox handler
|
|
12
|
+
that allowed unauthenticated attackers to impersonate any ActivityPub actor.
|
|
13
|
+
The vulnerability occurred because activities were processed before
|
|
14
|
+
verifying that the HTTP Signatures key belonged to the claimed actor.
|
|
15
|
+
Now authentication verification is performed before activity processing to
|
|
16
|
+
prevent actor impersonation attacks. [[CVE-2025-54888]]
|
|
17
|
+
|
|
18
|
+
|
|
6
19
|
Version 1.5.4
|
|
7
20
|
-------------
|
|
8
21
|
|
|
@@ -177,6 +190,19 @@ Released on March 28, 2025.
|
|
|
177
190
|
[multibase]: https://github.com/multiformats/js-multibase
|
|
178
191
|
|
|
179
192
|
|
|
193
|
+
Version 1.4.13
|
|
194
|
+
--------------
|
|
195
|
+
|
|
196
|
+
Released on August 8, 2025.
|
|
197
|
+
|
|
198
|
+
- Fixed a critical authentication bypass vulnerability in the inbox handler
|
|
199
|
+
that allowed unauthenticated attackers to impersonate any ActivityPub actor.
|
|
200
|
+
The vulnerability occurred because activities were processed before
|
|
201
|
+
verifying that the HTTP Signatures key belonged to the claimed actor.
|
|
202
|
+
Now authentication verification is performed before activity processing to
|
|
203
|
+
prevent actor impersonation attacks. [[CVE-2025-54888]]
|
|
204
|
+
|
|
205
|
+
|
|
180
206
|
Version 1.4.12
|
|
181
207
|
--------------
|
|
182
208
|
|
|
@@ -426,6 +452,21 @@ Released on February 5, 2025.
|
|
|
426
452
|
[#195]: https://github.com/fedify-dev/fedify/issues/195
|
|
427
453
|
|
|
428
454
|
|
|
455
|
+
Version 1.3.20
|
|
456
|
+
--------------
|
|
457
|
+
|
|
458
|
+
Released on August 8, 2025.
|
|
459
|
+
|
|
460
|
+
- Fixed a critical authentication bypass vulnerability in the inbox handler
|
|
461
|
+
that allowed unauthenticated attackers to impersonate any ActivityPub actor.
|
|
462
|
+
The vulnerability occurred because activities were processed before
|
|
463
|
+
verifying that the HTTP Signatures key belonged to the claimed actor.
|
|
464
|
+
Now authentication verification is performed before activity processing to
|
|
465
|
+
prevent actor impersonation attacks. [[CVE-2025-54888]]
|
|
466
|
+
|
|
467
|
+
[CVE-2025-54888]: https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4
|
|
468
|
+
|
|
469
|
+
|
|
429
470
|
Version 1.3.19
|
|
430
471
|
--------------
|
|
431
472
|
|
package/esm/deno.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
export default {
|
|
2
2
|
"name": "@fedify/fedify",
|
|
3
|
-
"version": "1.5.
|
|
3
|
+
"version": "1.5.5",
|
|
4
4
|
"license": "MIT",
|
|
5
5
|
"exports": {
|
|
6
6
|
".": "./mod.ts",
|
|
@@ -26,7 +26,7 @@ export default {
|
|
|
26
26
|
"@opentelemetry/semantic-conventions": "npm:@opentelemetry/semantic-conventions@^1.27.0",
|
|
27
27
|
"@phensley/language-tag": "npm:@phensley/language-tag@^1.9.0",
|
|
28
28
|
"@std/assert": "jsr:@std/assert@^0.226.0",
|
|
29
|
-
"@std/async": "jsr:@std/async
|
|
29
|
+
"@std/async": "jsr:@std/async@1.0.13",
|
|
30
30
|
"@std/bytes": "jsr:@std/bytes@^1.0.2",
|
|
31
31
|
"@std/collections": "jsr:@std/collections@^1.0.6",
|
|
32
32
|
"@std/encoding": "jsr:@std/encoding@1.0.7",
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { getLogger } from "@logtape/logtape";
|
|
2
2
|
import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
|
|
3
|
-
import { accepts } from "../deps/jsr.io/@std/http/1.0.
|
|
3
|
+
import { accepts } from "../deps/jsr.io/@std/http/1.0.20/negotiation.js";
|
|
4
4
|
import metadata from "../deno.js";
|
|
5
5
|
import { verifyRequest } from "../sig/http.js";
|
|
6
6
|
import { detachSignature, verifyJsonLd } from "../sig/ld.js";
|
|
@@ -472,20 +472,6 @@ async function handleInboxInternal(request, { recipient, context: ctx, inboxCont
|
|
|
472
472
|
span.setAttribute("activitypub.activity.id", activity.id.href);
|
|
473
473
|
}
|
|
474
474
|
span.setAttribute("activitypub.activity.type", getTypeId(activity).href);
|
|
475
|
-
const routeResult = await routeActivity({
|
|
476
|
-
context: ctx,
|
|
477
|
-
json,
|
|
478
|
-
activity,
|
|
479
|
-
recipient,
|
|
480
|
-
inboxListeners,
|
|
481
|
-
inboxContextFactory,
|
|
482
|
-
inboxErrorHandler,
|
|
483
|
-
kv,
|
|
484
|
-
kvPrefixes,
|
|
485
|
-
queue,
|
|
486
|
-
span,
|
|
487
|
-
tracerProvider,
|
|
488
|
-
});
|
|
489
475
|
if (httpSigKey != null && !await doesActorOwnKey(activity, httpSigKey, ctx)) {
|
|
490
476
|
logger.error("The signer ({keyId}) and the actor ({actorId}) do not match.", {
|
|
491
477
|
activity: json,
|
|
@@ -503,6 +489,20 @@ async function handleInboxInternal(request, { recipient, context: ctx, inboxCont
|
|
|
503
489
|
headers: { "Content-Type": "text/plain; charset=utf-8" },
|
|
504
490
|
});
|
|
505
491
|
}
|
|
492
|
+
const routeResult = await routeActivity({
|
|
493
|
+
context: ctx,
|
|
494
|
+
json,
|
|
495
|
+
activity,
|
|
496
|
+
recipient,
|
|
497
|
+
inboxListeners,
|
|
498
|
+
inboxContextFactory,
|
|
499
|
+
inboxErrorHandler,
|
|
500
|
+
kv,
|
|
501
|
+
kvPrefixes,
|
|
502
|
+
queue,
|
|
503
|
+
span,
|
|
504
|
+
tracerProvider,
|
|
505
|
+
});
|
|
506
506
|
if (routeResult === "alreadyProcessed") {
|
|
507
507
|
return new Response(`Activity <${activity.id}> has already been processed.`, {
|
|
508
508
|
status: 202,
|