@fedify/vocab-runtime 2.0.0-dev.1875 → 2.0.0-dev.196

package/src/docloader.ts

@@ -1,4 +1,6 @@
 import { getLogger } from "@logtape/logtape";
+import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
+import metadata from "../deno.json" with { type: "json" };
 import preloadedContexts from "./contexts.ts";
 import { HttpHeaderLink } from "./link.ts";
 import {
@@ -189,37 +191,55 @@ export async function getRemoteDocument(
       contentType === "application/xhtml+xml" ||
       contentType?.startsWith("application/xhtml+xml;"))
   ) {
-    const p =
-      /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\s*\/?>/ig;
-    const p2 = /\s+([a-z][a-z:_-]*)=("([^"]*)"|'([^']*)'|([^\s>]+))/ig;
+    // Security: Limit HTML response size to mitigate ReDoS attacks
+    const MAX_HTML_SIZE = 1024 * 1024; // 1MB
     const html = await response.text();
-    let m: RegExpExecArray | null;
-    const rawAttribs: string[] = [];
-    while ((m = p.exec(html)) !== null) rawAttribs.push(m[2]);
-    for (const rawAttrs of rawAttribs) {
-      let m2: RegExpExecArray | null;
-      const attribs: Record<string, string> = {};
-      while ((m2 = p2.exec(rawAttrs)) !== null) {
-        const key = m2[1].toLowerCase();
-        const value = m2[3] ?? m2[4] ?? m2[5] ?? "";
-        attribs[key] = value;
-      }
-      if (
-        attribs.rel === "alternate" && "type" in attribs && (
-          attribs.type === "application/activity+json" ||
-          attribs.type === "application/ld+json" ||
-          attribs.type.startsWith("application/ld+json;")
-        ) && "href" in attribs &&
-        new URL(attribs.href, docUrl).href !== docUrl.href
-      ) {
-        logger.debug(
-          "Found alternate document: {alternateUrl} from {url}",
-          { alternateUrl: attribs.href, url: documentUrl },
-        );
-        return await fetch(new URL(attribs.href, docUrl).href);
+    if (html.length > MAX_HTML_SIZE) {
+      logger.warn(
+        "HTML response too large, skipping alternate link discovery: {url}",
+        { url: documentUrl, size: html.length },
+      );
+      document = JSON.parse(html);
+    } else {
+      // Safe regex patterns without nested quantifiers to prevent ReDoS
+      // (CVE-2025-68475)
+      // Step 1: Extract <a ...> or <link ...> tags
+      const tagPattern = /<(a|link)\s+([^>]*?)\s*\/?>/gi;
+      // Step 2: Parse attributes
+      const attrPattern =
+        /([a-z][a-z:_-]*)=(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
+
+      let tagMatch: RegExpExecArray | null;
+      while ((tagMatch = tagPattern.exec(html)) !== null) {
+        const tagContent = tagMatch[2];
+        let attrMatch: RegExpExecArray | null;
+        const attribs: Record<string, string> = {};
+
+        // Reset regex state for attribute parsing
+        attrPattern.lastIndex = 0;
+        while ((attrMatch = attrPattern.exec(tagContent)) !== null) {
+          const key = attrMatch[1].toLowerCase();
+          const value = attrMatch[2] ?? attrMatch[3] ?? attrMatch[4] ?? "";
+          attribs[key] = value;
+        }
+
+        if (
+          attribs.rel === "alternate" && "type" in attribs && (
+            attribs.type === "application/activity+json" ||
+            attribs.type === "application/ld+json" ||
+            attribs.type.startsWith("application/ld+json;")
+          ) && "href" in attribs &&
+          new URL(attribs.href, docUrl).href !== docUrl.href
+        ) {
+          logger.debug(
+            "Found alternate document: {alternateUrl} from {url}",
+            { alternateUrl: attribs.href, url: documentUrl },
+          );
+          return await fetch(new URL(attribs.href, docUrl).href);
+        }
       }
+      document = JSON.parse(html);
     }
-    document = JSON.parse(html);
   } else {
     document = await response.json();
   }
@@ -266,6 +286,9 @@ export function getDocumentLoader(
   { allowPrivateAddress, skipPreloadedContexts, userAgent }:
     GetDocumentLoaderOptions = {},
 ): DocumentLoader {
+  const tracerProvider = trace.getTracerProvider();
+  const tracer = tracerProvider.getTracer(metadata.name, metadata.version);
+
   async function load(
     url: string,
     options?: DocumentLoaderOptions,
@@ -289,23 +312,56 @@ export function getDocumentLoader(
         throw error;
       }
     }
-    const request = createActivityPubRequest(url, { userAgent });
-    logRequest(logger, request);
-    const response = await fetch(request, {
-      // Since Bun has a bug that ignores the `Request.redirect` option,
-      // to work around it we specify `redirect: "manual"` here too:
-      // https://github.com/oven-sh/bun/issues/10754
-      redirect: "manual",
-      signal: options?.signal,
-    });
-    // Follow redirects manually to get the final URL:
-    if (
-      response.status >= 300 && response.status < 400 &&
-      response.headers.has("Location")
-    ) {
-      return load(response.headers.get("Location")!, options);
-    }
-    return getRemoteDocument(url, response, load);
+
+    return await tracer.startActiveSpan(
+      "activitypub.fetch_document",
+      {
+        kind: SpanKind.CLIENT,
+        attributes: {
+          "url.full": url,
+        },
+      },
+      async (span) => {
+        try {
+          const request = createActivityPubRequest(url, { userAgent });
+          logRequest(logger, request);
+          const response = await fetch(request, {
+            // Since Bun has a bug that ignores the `Request.redirect` option,
+            // to work around it we specify `redirect: "manual"` here too:
+            // https://github.com/oven-sh/bun/issues/10754
+            redirect: "manual",
+            signal: options?.signal,
+          });
+          span.setAttribute("http.response.status_code", response.status);
+
+          // Follow redirects manually to get the final URL:
+          if (
+            response.status >= 300 && response.status < 400 &&
+            response.headers.has("Location")
+          ) {
+            const redirectUrl = response.headers.get("Location")!;
+            span.setAttribute("http.redirect.url", redirectUrl);
+            return await load(redirectUrl, options);
+          }
+
+          const result = await getRemoteDocument(url, response, load);
+          span.setAttribute("docloader.document_url", result.documentUrl);
+          if (result.contextUrl != null) {
+            span.setAttribute("docloader.context_url", result.contextUrl);
+          }
+          return result;
+        } catch (error) {
+          span.recordException(error as Error);
+          span.setStatus({
+            code: SpanStatusCode.ERROR,
+            message: String(error),
+          });
+          throw error;
+        } finally {
+          span.end();
+        }
+      },
+    );
   }
   return load;
 }

package/tsdown.config.ts

@@ -1,9 +1,20 @@
+import { glob } from "node:fs/promises";
+import { sep } from "node:path";
 import { defineConfig } from "tsdown";
 
-export default defineConfig({
-  entry: ["src/mod.ts"],
-  dts: true,
-  format: ["esm", "cjs"],
-  platform: "node",
-  external: [/^node:/],
-});
+export default [
+  defineConfig({
+    entry: ["src/mod.ts"],
+    dts: true,
+    format: ["esm", "cjs"],
+    platform: "neutral",
+    external: [/^node:/],
+  }),
+  defineConfig({
+    entry: (await Array.fromAsync(glob(`src/**/*.test.ts`)))
+      .map((f) => f.replace(sep, "/")),
+    format: ["esm", "cjs"],
+    platform: "node",
+    external: [/^node:/],
+  }),
+];