@fedify/fedify 1.9.0-dev.1668 → 1.9.0-dev.1704

package/dist/vocab/vocab.test.js

@@ -3,18 +3,18 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { Activity, Announce, Collection, Create, CryptographicKey, Follow, Hashtag, LanguageString, Link, Note, Object as Object$1, OrderedCollectionPage, Person, Place, Question, Source, decode, vocab_exports } from "../type-BRNRL3aj.js";
+import { Activity, Announce, Collection, Create, CryptographicKey, Follow, Hashtag, LanguageString, Link, Note, Object as Object$1, OrderedCollectionPage, Person, Place, Question, Source, decode, vocab_exports } from "../type-C5udJemk.js";
 import { assertEquals } from "../assert_equals-DSbWqCm3.js";
 import { assert } from "../assert-MZs1qjMx.js";
 import { assertInstanceOf } from "../assert_instance_of-DHz7EHNU.js";
-import "../lookup-CZBG-vCx.js";
-import { mockDocumentLoader, test } from "../testing-CAAJTPCt.js";
+import "../lookup-RINL4MOa.js";
+import { mockDocumentLoader, test } from "../testing-CNtyBr2m.js";
 import "../std__assert-X-_kMxKM.js";
 import { assertFalse, assertRejects } from "../assert_rejects-DiIiJbZn.js";
 import "../assert_is_error-BPGph1Jx.js";
 import { assertNotEquals } from "../assert_not_equals-f3m3epl3.js";
 import { assertThrows } from "../assert_throws-BOO88avQ.js";
-import { ed25519PublicKey, rsaPublicKey1 } from "../keys-5cHW76LQ.js";
+import { ed25519PublicKey, rsaPublicKey1 } from "../keys-CWdCy_3n.js";
 import { pascalCase } from "es-toolkit";
 import { parseLanguageTag } from "@phensley/language-tag";
 import { Validator } from "@cfworker/json-schema";
@@ -2203,9 +2203,9 @@ const scalarTypes = {
 		dataCheck(v) {
 			return `typeof ${v} === "object" && "@id" in ${v}
         && typeof ${v}["@id"] === "string"
-        && ${v}["@id"] !== "" && ${v}["@id"] !== "/"`;
+        && ${v}["@id"] !== ""`;
 		},
-		decoder(v) {
+		decoder(v, baseUrlVar) {
 			return `${v}["@id"].startsWith("at://")
         ? new URL("at://" +
           encodeURIComponent(
@@ -2219,7 +2219,9 @@ const scalarTypes = {
               : ""
           )
         )
-        : new URL(${v}["@id"])`;
+        : URL.canParse(${v}["@id"]) && ${baseUrlVar}
+          ? new URL(${v}["@id"])
+          : new URL(${v}["@id"], ${baseUrlVar})`;
 		}
 	},
 	"http://www.w3.org/1999/02/22-rdf-syntax-ns#langString": {
@@ -2833,6 +2835,7 @@ test({
 test("Person.fromJsonLd()", async () => {
 	const person = await Person.fromJsonLd({
 		"@context": ["https://www.w3.org/ns/activitystreams", "https://w3id.org/security/v1"],
+		"id": "https://todon.eu/users/hongminhee",
 		"publicKey": {
 			"id": "https://todon.eu/users/hongminhee#main-key",
 			"owner": "https://todon.eu/users/hongminhee",
@@ -2840,7 +2843,8 @@ test("Person.fromJsonLd()", async () => {
 		}
 	}, {
 		documentLoader: mockDocumentLoader,
-		contextLoader: mockDocumentLoader
+		contextLoader: mockDocumentLoader,
+		baseUrl: new URL("https://todon.eu/")
 	});
 	assertEquals(person.publicKeyId, new URL("https://todon.eu/users/hongminhee#main-key"));
 	const publicKey = await person.getPublicKey({ documentLoader: mockDocumentLoader });
@@ -3059,6 +3063,391 @@ test("Link.fromJsonLd()", async () => {
 	});
 	assertEquals(link3.href, new URL("at://did%3Aplc%3Aia76kvnndjutgedggx2ibrem"));
 });
+test("Person.fromJsonLd() with relative URLs", async () => {
+	const json = {
+		"@context": ["https://www.w3.org/ns/activitystreams", "https://w3id.org/security/v1"],
+		id: "https://example.com/ap/actors/019382d3-63d7-7cf7-86e8-91e2551c306c",
+		type: "Person",
+		name: "Test User",
+		icon: {
+			type: "Image",
+			url: "/avatars/test-avatar.jpg"
+		}
+	};
+	const person = await Person.fromJsonLd(json, {
+		documentLoader: mockDocumentLoader,
+		contextLoader: mockDocumentLoader
+	});
+	const icon = await person.getIcon();
+	assertEquals(icon?.url, new URL("https://example.com/avatars/test-avatar.jpg"));
+	const json2 = {
+		"@context": ["https://www.w3.org/ns/activitystreams", "https://w3id.org/security/v1"],
+		id: "https://example.com/ap/actors/019382d3-63d7-7cf7-86e8-91e2551c306c",
+		type: "Person",
+		name: "Test User",
+		icon: {
+			id: "https://media.example.com/avatars/test-avatar.jpg",
+			type: "Image",
+			url: "/avatars/test-avatar.jpg"
+		}
+	};
+	const person2 = await Person.fromJsonLd(json2, {
+		documentLoader: mockDocumentLoader,
+		contextLoader: mockDocumentLoader
+	});
+	const icon2 = await person2.getIcon();
+	assertEquals(icon2?.url, new URL("https://media.example.com/avatars/test-avatar.jpg"));
+});
+test("Person.fromJsonLd() with relative URLs and baseUrl", async () => {
+	const json = {
+		"@context": ["https://www.w3.org/ns/activitystreams", "https://w3id.org/security/v1"],
+		"id": "https://example.com/ap/actors/019382d3-63d7-7cf7-86e8-91e2551c306c",
+		"type": "Person",
+		"name": "Test User",
+		"icon": {
+			"type": "Image",
+			"url": "/avatars/test-avatar.jpg"
+		}
+	};
+	const personWithBase = await Person.fromJsonLd(json, {
+		documentLoader: mockDocumentLoader,
+		contextLoader: mockDocumentLoader,
+		baseUrl: new URL("https://example.com")
+	});
+	const icon = await personWithBase.getIcon();
+	assertEquals(icon?.url, new URL("https://example.com/avatars/test-avatar.jpg"));
+});
+test("FEP-fe34: Trust tracking in object construction", async () => {
+	const note = new Note({
+		id: new URL("https://example.com/note"),
+		content: "Hello World"
+	});
+	const create = new Create({
+		id: new URL("https://example.com/create"),
+		actor: new URL("https://example.com/actor"),
+		object: note
+	});
+	assertEquals(create.objectId, new URL("https://example.com/note"));
+	const result = await create.getObject();
+	assertEquals(result, note);
+	assertEquals(result?.content, "Hello World");
+});
+test("FEP-fe34: Trust tracking in object cloning", () => {
+	const originalNote = new Note({
+		id: new URL("https://example.com/note"),
+		content: "Original content"
+	});
+	const create = new Create({
+		id: new URL("https://example.com/create"),
+		actor: new URL("https://example.com/actor"),
+		object: originalNote
+	});
+	const newNote = new Note({
+		id: new URL("https://example.com/new-note"),
+		content: "New content"
+	});
+	const clonedCreate = create.clone({ object: newNote });
+	assertEquals(clonedCreate.objectId, new URL("https://example.com/new-note"));
+});
+test("FEP-fe34: crossOrigin ignore behavior (default)", async () => {
+	const crossOriginDocumentLoader = async (url) => {
+		if (url === "https://different-origin.com/note") return {
+			documentUrl: url,
+			contextUrl: null,
+			document: {
+				"@context": "https://www.w3.org/ns/activitystreams",
+				"@type": "Note",
+				"@id": "https://malicious.com/fake-note",
+				"content": "This is a spoofed note"
+			}
+		};
+		throw new Error("Document not found");
+	};
+	const create = new Create({
+		id: new URL("https://example.com/create"),
+		actor: new URL("https://example.com/actor"),
+		object: new URL("https://different-origin.com/note")
+	});
+	const result = await create.getObject({ documentLoader: crossOriginDocumentLoader });
+	assertEquals(result, null);
+});
+test("FEP-fe34: crossOrigin throw behavior", async () => {
+	const crossOriginDocumentLoader = async (url) => {
+		if (url === "https://different-origin.com/note") return {
+			documentUrl: url,
+			contextUrl: null,
+			document: {
+				"@context": "https://www.w3.org/ns/activitystreams",
+				"@type": "Note",
+				"@id": "https://malicious.com/fake-note",
+				"content": "This is a spoofed note"
+			}
+		};
+		throw new Error("Document not found");
+	};
+	const create = new Create({
+		id: new URL("https://example.com/create"),
+		actor: new URL("https://example.com/actor"),
+		object: new URL("https://different-origin.com/note")
+	});
+	await assertRejects(() => create.getObject({
+		documentLoader: crossOriginDocumentLoader,
+		crossOrigin: "throw"
+	}), Error, "The object's @id (https://malicious.com/fake-note) has a different origin than the document URL (https://different-origin.com/note)");
+});
+test("FEP-fe34: crossOrigin trust behavior", async () => {
+	const crossOriginDocumentLoader = async (url) => {
+		if (url === "https://different-origin.com/note") return {
+			documentUrl: url,
+			contextUrl: null,
+			document: {
+				"@context": "https://www.w3.org/ns/activitystreams",
+				"@type": "Note",
+				"@id": "https://malicious.com/fake-note",
+				"content": "This is a spoofed note"
+			}
+		};
+		throw new Error("Document not found");
+	};
+	const create = new Create({
+		id: new URL("https://example.com/create"),
+		actor: new URL("https://example.com/actor"),
+		object: new URL("https://different-origin.com/note")
+	});
+	const result = await create.getObject({
+		documentLoader: crossOriginDocumentLoader,
+		crossOrigin: "trust"
+	});
+	assertInstanceOf(result, Note);
+	assertEquals(result?.id, new URL("https://malicious.com/fake-note"));
+	assertEquals(result?.content, "This is a spoofed note");
+});
+test("FEP-fe34: Same origin objects are trusted", async () => {
+	const sameOriginDocumentLoader = async (url) => {
+		if (url === "https://example.com/note") return {
+			documentUrl: url,
+			contextUrl: null,
+			document: {
+				"@context": "https://www.w3.org/ns/activitystreams",
+				"@type": "Note",
+				"@id": "https://example.com/note",
+				"content": "This is a legitimate note"
+			}
+		};
+		throw new Error("Document not found");
+	};
+	const create = new Create({
+		id: new URL("https://example.com/create"),
+		actor: new URL("https://example.com/actor"),
+		object: new URL("https://example.com/note")
+	});
+	const result = await create.getObject({ documentLoader: sameOriginDocumentLoader });
+	assertInstanceOf(result, Note);
+	assertEquals(result?.id, new URL("https://example.com/note"));
+	assertEquals(result?.content, "This is a legitimate note");
+});
+test("FEP-fe34: Embedded cross-origin objects from JSON-LD are ignored by default", async () => {
+	const createDocumentLoader = async (url) => {
+		if (url === "https://example.com/create") return {
+			documentUrl: url,
+			contextUrl: null,
+			document: {
+				"@context": "https://www.w3.org/ns/activitystreams",
+				"@type": "Create",
+				"@id": "https://example.com/create",
+				"actor": "https://example.com/actor",
+				"object": {
+					"@type": "Note",
+					"@id": "https://different-origin.com/note",
+					"content": "Embedded note from JSON-LD"
+				}
+			}
+		};
+		throw new Error("Document not found");
+	};
+	const create = await Create.fromJsonLd(await createDocumentLoader("https://example.com/create").then((r) => r.document), { documentLoader: createDocumentLoader });
+	const objectDocumentLoader = async (url) => {
+		if (url === "https://different-origin.com/note") return {
+			documentUrl: url,
+			contextUrl: null,
+			document: {
+				"@context": "https://www.w3.org/ns/activitystreams",
+				"@type": "Note",
+				"@id": "https://different-origin.com/note",
+				"content": "Legitimate note from origin"
+			}
+		};
+		throw new Error("Document not found");
+	};
+	const result = await create.getObject({ documentLoader: objectDocumentLoader });
+	assertInstanceOf(result, Note);
+	assertEquals(result?.content, "Legitimate note from origin");
+});
+test("FEP-fe34: Constructor vs JSON-LD parsing trust difference", async () => {
+	const constructorCreate = new Create({
+		id: new URL("https://example.com/create"),
+		actor: new URL("https://example.com/actor"),
+		object: new Note({
+			id: new URL("https://different-origin.com/note"),
+			content: "Constructor embedded note"
+		})
+	});
+	const constructorResult = await constructorCreate.getObject();
+	assertEquals(constructorResult?.content, "Constructor embedded note");
+	const jsonLdCreate = await Create.fromJsonLd({
+		"@context": "https://www.w3.org/ns/activitystreams",
+		"@type": "Create",
+		"@id": "https://example.com/create",
+		"actor": "https://example.com/actor",
+		"object": {
+			"@type": "Note",
+			"@id": "https://different-origin.com/note",
+			"content": "JSON-LD embedded note"
+		}
+	});
+	const documentLoader = async (url) => {
+		if (url === "https://different-origin.com/note") return {
+			documentUrl: url,
+			contextUrl: null,
+			document: {
+				"@context": "https://www.w3.org/ns/activitystreams",
+				"@type": "Note",
+				"@id": "https://different-origin.com/note",
+				"content": "Fetched from origin"
+			}
+		};
+		throw new Error("Document not found");
+	};
+	const jsonLdResult = await jsonLdCreate.getObject({ documentLoader });
+	assertEquals(jsonLdResult?.content, "Fetched from origin");
+});
+test("FEP-fe34: Array properties respect cross-origin policy", async () => {
+	const crossOriginDocumentLoader = async (url) => {
+		if (url === "https://different-origin.com/note1") return {
+			documentUrl: url,
+			contextUrl: null,
+			document: {
+				"@context": "https://www.w3.org/ns/activitystreams",
+				"@type": "Note",
+				"@id": "https://malicious.com/fake-note1",
+				"content": "Fake note 1"
+			}
+		};
+		else if (url === "https://example.com/note2") return {
+			documentUrl: url,
+			contextUrl: null,
+			document: {
+				"@context": "https://www.w3.org/ns/activitystreams",
+				"@type": "Note",
+				"@id": "https://example.com/note2",
+				"content": "Legitimate note 2"
+			}
+		};
+		throw new Error("Document not found");
+	};
+	const collection = new Collection({
+		id: new URL("https://example.com/collection"),
+		items: [new URL("https://different-origin.com/note1"), new URL("https://example.com/note2")]
+	});
+	const items = [];
+	for await (const item of collection.getItems({ documentLoader: crossOriginDocumentLoader })) items.push(item);
+	assertEquals(items.length, 1);
+	assertInstanceOf(items[0], Note);
+	assertEquals(items[0].content, "Legitimate note 2");
+});
+test("FEP-fe34: Array properties with crossOrigin trust option", async () => {
+	const crossOriginDocumentLoader = async (url) => {
+		if (url === "https://different-origin.com/note1") return {
+			documentUrl: url,
+			contextUrl: null,
+			document: {
+				"@context": "https://www.w3.org/ns/activitystreams",
+				"@type": "Note",
+				"@id": "https://malicious.com/fake-note1",
+				"content": "Fake note 1"
+			}
+		};
+		else if (url === "https://example.com/note2") return {
+			documentUrl: url,
+			contextUrl: null,
+			document: {
+				"@context": "https://www.w3.org/ns/activitystreams",
+				"@type": "Note",
+				"@id": "https://example.com/note2",
+				"content": "Legitimate note 2"
+			}
+		};
+		throw new Error("Document not found");
+	};
+	const collection = new Collection({
+		id: new URL("https://example.com/collection"),
+		items: [new URL("https://different-origin.com/note1"), new URL("https://example.com/note2")]
+	});
+	const items = [];
+	for await (const item of collection.getItems({
+		documentLoader: crossOriginDocumentLoader,
+		crossOrigin: "trust"
+	})) items.push(item);
+	assertEquals(items.length, 2);
+	assertInstanceOf(items[0], Note);
+	assertInstanceOf(items[1], Note);
+	assertEquals(items[0].content, "Fake note 1");
+	assertEquals(items[1].content, "Legitimate note 2");
+});
+test("FEP-fe34: Embedded objects in arrays from JSON-LD respect cross-origin policy", async () => {
+	const collectionDocumentLoader = async (url) => {
+		if (url === "https://example.com/collection") return {
+			documentUrl: url,
+			contextUrl: null,
+			document: {
+				"@context": "https://www.w3.org/ns/activitystreams",
+				"@type": "Collection",
+				"@id": "https://example.com/collection",
+				"items": [{
+					"@type": "Note",
+					"@id": "https://example.com/trusted-note",
+					"content": "Trusted embedded note from JSON-LD"
+				}, {
+					"@type": "Note",
+					"@id": "https://different-origin.com/untrusted-note",
+					"content": "Untrusted embedded note from JSON-LD"
+				}]
+			}
+		};
+		throw new Error("Document not found");
+	};
+	const collection = await Collection.fromJsonLd(await collectionDocumentLoader("https://example.com/collection").then((r) => r.document), { documentLoader: collectionDocumentLoader });
+	const itemDocumentLoader = async (url) => {
+		if (url === "https://example.com/trusted-note") return {
+			documentUrl: url,
+			contextUrl: null,
+			document: {
+				"@context": "https://www.w3.org/ns/activitystreams",
+				"@type": "Note",
+				"@id": "https://example.com/trusted-note",
+				"content": "Trusted note from origin"
+			}
+		};
+		else if (url === "https://different-origin.com/untrusted-note") return {
+			documentUrl: url,
+			contextUrl: null,
+			document: {
+				"@context": "https://www.w3.org/ns/activitystreams",
+				"@type": "Note",
+				"@id": "https://different-origin.com/untrusted-note",
+				"content": "Legitimate note from actual origin"
+			}
+		};
+		throw new Error("Document not found");
+	};
+	const items = [];
+	for await (const item of collection.getItems({ documentLoader: itemDocumentLoader })) items.push(item);
+	assertEquals(items.length, 2);
+	assertInstanceOf(items[0], Note);
+	assertEquals(items[0].content, "Trusted embedded note from JSON-LD");
+	assertInstanceOf(items[1], Note);
+	assertEquals(items[1].content, "Legitimate note from actual origin");
+});
 function getAllProperties(type, types$1) {
 	const props = type.properties;
 	if (type.extends != null) props.push(...getAllProperties(types$1[type.extends], types$1));

package/dist/{vocab-BDMmyzZA.cjs → vocab-BoyCE2Rn.cjs}

@@ -3,9 +3,9 @@
           const { URLPattern } = require("urlpattern-polyfill");
         
 const require_chunk = require('./chunk-DqRYRqnO.cjs');
-const require_docloader = require('./docloader-CSB8cAnw.cjs');
-const require_actor = require('./actor-fGD4yb1K.cjs');
-const require_lookup = require('./lookup-BrrOs_g1.cjs');
+const require_docloader = require('./docloader-NcFUThCx.cjs');
+const require_actor = require('./actor-DU96UQUE.cjs');
+const require_lookup = require('./lookup-CILOZed9.cjs');
 const __logtape_logtape = require_chunk.__toESM(require("@logtape/logtape"));
 const __opentelemetry_api = require_chunk.__toESM(require("@opentelemetry/api"));
 const es_toolkit = require_chunk.__toESM(require("es-toolkit"));
@@ -153,14 +153,13 @@ async function lookupObject(identifier, options = {}) {
 async function lookupObjectInternal(identifier, options = {}) {
 	const documentLoader = options.documentLoader ?? require_docloader.getDocumentLoader({ userAgent: options.userAgent });
 	if (typeof identifier === "string") identifier = toAcctUrl(identifier) ?? new URL(identifier);
-	let document = null;
+	let remoteDoc = null;
 	if (identifier.protocol === "http:" || identifier.protocol === "https:") try {
-		const remoteDoc = await documentLoader(identifier.href, { signal: options.signal });
-		document = remoteDoc.document;
+		remoteDoc = await documentLoader(identifier.href, { signal: options.signal });
 	} catch (error) {
 		logger.debug("Failed to fetch remote document:\n{error}", { error });
 	}
-	if (document == null) {
+	if (remoteDoc == null) {
 		const jrd = await require_lookup.lookupWebFinger(identifier, {
 			userAgent: options.userAgent,
 			tracerProvider: options.tracerProvider,
@@ -171,8 +170,7 @@ async function lookupObjectInternal(identifier, options = {}) {
 		for (const l of jrd.links) {
 			if (l.type !== "application/activity+json" && !l.type?.match(/application\/ld\+json;\s*profile="https:\/\/www.w3.org\/ns\/activitystreams"/) || l.rel !== "self" || l.href == null) continue;
 			try {
-				const remoteDoc = await documentLoader(l.href, { signal: options.signal });
-				document = remoteDoc.document;
+				remoteDoc = await documentLoader(l.href, { signal: options.signal });
 				break;
 			} catch (error) {
 				logger.debug("Failed to fetch remote document:\n{error}", { error });
@@ -180,23 +178,34 @@ async function lookupObjectInternal(identifier, options = {}) {
 			}
 		}
 	}
-	if (document == null) return null;
+	if (remoteDoc == null) return null;
+	let object;
 	try {
-		return await require_actor.Object.fromJsonLd(document, {
+		object = await require_actor.Object.fromJsonLd(remoteDoc.document, {
 			documentLoader,
 			contextLoader: options.contextLoader,
-			tracerProvider: options.tracerProvider
+			tracerProvider: options.tracerProvider,
+			baseUrl: new URL(remoteDoc.documentUrl)
 		});
 	} catch (error) {
 		if (error instanceof TypeError) {
 			logger.debug("Failed to parse JSON-LD document: {error}\n{document}", {
-				error,
-				document
+				...remoteDoc,
+				error
 			});
 			return null;
 		}
 		throw error;
 	}
+	if (options.crossOrigin !== "trust" && object.id != null && object.id.origin !== new URL(remoteDoc.documentUrl).origin) {
+		if (options.crossOrigin === "throw") throw new Error(`The object's @id (${object.id.href}) has a different origin than the document URL (${remoteDoc.documentUrl}); refusing to return the object.  If you want to bypass this check and are aware of the security implications, set the crossOrigin option to "trust".`);
+		logger.warn("The object's @id ({objectId}) has a different origin than the document URL ({documentUrl}); refusing to return the object.  If you want to bypass this check and are aware of the security implications, set the crossOrigin option to \"trust\".", {
+			...remoteDoc,
+			objectId: object.id.href
+		});
+		return null;
+	}
+	return object;
 }
 /**
 * Traverses a collection, yielding each item in the collection.