npm - @fedify/vocab-runtime - Versions diffs - 2.0.7-pr.639.14 → 2.0.8 - Mend

@fedify/vocab-runtime 2.0.7-pr.639.14 → 2.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/deno.json +1 -1
package/dist/mod.cjs +30 -13
package/dist/mod.js +30 -13
package/dist/tests/docloader.test.cjs +77 -13
package/dist/tests/docloader.test.js +77 -13
package/dist/tests/{request-BW_eXGbS.js → request-Cqx2eUpt.js} +1 -1
package/dist/tests/{request-B3KZmXmp.cjs → request-D2-F2dMS.cjs} +1 -1
package/dist/tests/request.test.cjs +1 -1
package/dist/tests/request.test.js +1 -1
package/package.json +1 -1
package/src/docloader.test.ts +67 -0
package/src/docloader.ts +43 -11

package/deno.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/vocab-runtime",
-  "version": "2.0.7-pr.639.14+40546420",
+  "version": "2.0.8",
   "license": "MIT",
   "exports": {
     ".": "./src/mod.ts",

package/dist/mod.cjs CHANGED Viewed

@@ -4263,7 +4263,7 @@ var contexts_default = preloadedContexts;
 //#endregion
 //#region deno.json
 var name = "@fedify/vocab-runtime";
-var version = "2.0.7-pr.639.14+40546420";
+var version = "2.0.8";
 var license = "MIT";
 var exports$1 = {
 	".": "./src/mod.ts",
@@ -4616,6 +4616,7 @@ const logger = (0, __logtape_logtape.getLogger)([
 	"runtime",
 	"docloader"
 ]);
+const DEFAULT_MAX_REDIRECTION = 20;
 /**
 * Gets a {@link RemoteDocument} from the given response.
 * @param url The URL of the document to load.
@@ -4734,31 +4735,33 @@ async function getRemoteDocument(url, response, fetch$1) {
 function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAgent } = {}) {
 	const tracerProvider = __opentelemetry_api.trace.getTracerProvider();
 	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
-	async function load(url, options) {
+	async function load(url, options, redirected = 0, visited = /* @__PURE__ */ new Set()) {
 		options?.signal?.throwIfAborted();
-		if (!skipPreloadedContexts && url in contexts_default) {
-			logger.debug("Using preloaded context: {url}.", { url });
+		const currentUrl = new URL(url).href;
+		if (!skipPreloadedContexts && currentUrl in contexts_default) {
+			logger.debug("Using preloaded context: {url}.", { url: currentUrl });
 			return {
 				contextUrl: null,
-				document: contexts_default[url],
-				documentUrl: url
+				document: contexts_default[currentUrl],
+				documentUrl: currentUrl
 			};
 		}
 		if (!allowPrivateAddress) try {
-			await validatePublicUrl(url);
+			await validatePublicUrl(currentUrl);
 		} catch (error) {
 			if (error instanceof UrlError) logger.error("Disallowed private URL: {url}", {
-				url,
+				url: currentUrl,
 				error
 			});
 			throw error;
 		}
+		visited.add(currentUrl);
 		return await tracer.startActiveSpan("activitypub.fetch_document", {
 			kind: __opentelemetry_api.SpanKind.CLIENT,
-			attributes: { "url.full": url }
+			attributes: { "url.full": currentUrl }
 		}, async (span) => {
 			try {
-				const request = createActivityPubRequest(url, { userAgent });
+				const request = createActivityPubRequest(currentUrl, { userAgent });
 				logRequest(logger, request);
 				const response = await fetch(request, {
 					redirect: "manual",
@@ -4766,11 +4769,25 @@ function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAge
 				});
 				span.setAttribute("http.response.status_code", response.status);
 				if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
-					const redirectUrl = response.headers.get("Location");
+					if (redirected >= DEFAULT_MAX_REDIRECTION) {
+						logger.error("Too many redirections ({redirections}) while fetching document.", {
+							redirections: redirected + 1,
+							url: currentUrl
+						});
+						throw new FetchError(currentUrl, `Too many redirections (${redirected + 1})`);
+					}
+					const redirectUrl = new URL(response.headers.get("Location"), response.url === "" ? currentUrl : response.url).href;
 					span.setAttribute("http.redirect.url", redirectUrl);
-					return await load(redirectUrl, options);
+					if (visited.has(redirectUrl)) {
+						logger.error("Detected a redirect loop while fetching document: {url} -> {redirectUrl}", {
+							url: currentUrl,
+							redirectUrl
+						});
+						throw new FetchError(currentUrl, `Redirect loop detected: ${redirectUrl}`);
+					}
+					return await load(redirectUrl, options, redirected + 1, visited);
 				}
-				const result = await getRemoteDocument(url, response, load);
+				const result = await getRemoteDocument(currentUrl, response, load);
 				span.setAttribute("docloader.document_url", result.documentUrl);
 				if (result.contextUrl != null) span.setAttribute("docloader.context_url", result.contextUrl);
 				return result;

package/dist/mod.js CHANGED Viewed

@@ -4262,7 +4262,7 @@ var contexts_default = preloadedContexts;
 //#endregion
 //#region deno.json
 var name = "@fedify/vocab-runtime";
-var version = "2.0.7-pr.639.14+40546420";
+var version = "2.0.8";
 var license = "MIT";
 var exports = {
 	".": "./src/mod.ts",
@@ -4615,6 +4615,7 @@ const logger = getLogger([
 	"runtime",
 	"docloader"
 ]);
+const DEFAULT_MAX_REDIRECTION = 20;
 /**
 * Gets a {@link RemoteDocument} from the given response.
 * @param url The URL of the document to load.
@@ -4733,31 +4734,33 @@ async function getRemoteDocument(url, response, fetch$1) {
 function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAgent } = {}) {
 	const tracerProvider = trace.getTracerProvider();
 	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
-	async function load(url, options) {
+	async function load(url, options, redirected = 0, visited = /* @__PURE__ */ new Set()) {
 		options?.signal?.throwIfAborted();
-		if (!skipPreloadedContexts && url in contexts_default) {
-			logger.debug("Using preloaded context: {url}.", { url });
+		const currentUrl = new URL(url).href;
+		if (!skipPreloadedContexts && currentUrl in contexts_default) {
+			logger.debug("Using preloaded context: {url}.", { url: currentUrl });
 			return {
 				contextUrl: null,
-				document: contexts_default[url],
-				documentUrl: url
+				document: contexts_default[currentUrl],
+				documentUrl: currentUrl
 			};
 		}
 		if (!allowPrivateAddress) try {
-			await validatePublicUrl(url);
+			await validatePublicUrl(currentUrl);
 		} catch (error) {
 			if (error instanceof UrlError) logger.error("Disallowed private URL: {url}", {
-				url,
+				url: currentUrl,
 				error
 			});
 			throw error;
 		}
+		visited.add(currentUrl);
 		return await tracer.startActiveSpan("activitypub.fetch_document", {
 			kind: SpanKind.CLIENT,
-			attributes: { "url.full": url }
+			attributes: { "url.full": currentUrl }
 		}, async (span) => {
 			try {
-				const request = createActivityPubRequest(url, { userAgent });
+				const request = createActivityPubRequest(currentUrl, { userAgent });
 				logRequest(logger, request);
 				const response = await fetch(request, {
 					redirect: "manual",
@@ -4765,11 +4768,25 @@ function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAge
 				});
 				span.setAttribute("http.response.status_code", response.status);
 				if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
-					const redirectUrl = response.headers.get("Location");
+					if (redirected >= DEFAULT_MAX_REDIRECTION) {
+						logger.error("Too many redirections ({redirections}) while fetching document.", {
+							redirections: redirected + 1,
+							url: currentUrl
+						});
+						throw new FetchError(currentUrl, `Too many redirections (${redirected + 1})`);
+					}
+					const redirectUrl = new URL(response.headers.get("Location"), response.url === "" ? currentUrl : response.url).href;
 					span.setAttribute("http.redirect.url", redirectUrl);
-					return await load(redirectUrl, options);
+					if (visited.has(redirectUrl)) {
+						logger.error("Detected a redirect loop while fetching document: {url} -> {redirectUrl}", {
+							url: currentUrl,
+							redirectUrl
+						});
+						throw new FetchError(currentUrl, `Redirect loop detected: ${redirectUrl}`);
+					}
+					return await load(redirectUrl, options, redirected + 1, visited);
 				}
-				const result = await getRemoteDocument(url, response, load);
+				const result = await getRemoteDocument(currentUrl, response, load);
 				span.setAttribute("docloader.document_url", result.documentUrl);
 				if (result.contextUrl != null) span.setAttribute("docloader.context_url", result.contextUrl);
 				return result;

package/dist/tests/docloader.test.cjs CHANGED Viewed

@@ -1,5 +1,5 @@
 const require_chunk = require('./chunk-DWy1uDak.cjs');
-const require_request = require('./request-B3KZmXmp.cjs');
+const require_request = require('./request-D2-F2dMS.cjs');
 const require_link = require('./link-CdFPEo9O.cjs');
 const require_url = require('./url-C5Vs9nYh.cjs');
 const node_assert = require_chunk.__toESM(require("node:assert"));
@@ -5497,6 +5497,7 @@ const logger = (0, __logtape_logtape.getLogger)([
 	"runtime",
 	"docloader"
 ]);
+const DEFAULT_MAX_REDIRECTION = 20;
 /**
 * Gets a {@link RemoteDocument} from the given response.
 * @param url The URL of the document to load.
@@ -5615,31 +5616,33 @@ async function getRemoteDocument(url, response, fetch$1) {
 function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAgent } = {}) {
 	const tracerProvider = __opentelemetry_api.trace.getTracerProvider();
 	const tracer = tracerProvider.getTracer(require_request.deno_default.name, require_request.deno_default.version);
-	async function load(url, options) {
+	async function load(url, options, redirected = 0, visited = /* @__PURE__ */ new Set()) {
 		options?.signal?.throwIfAborted();
-		if (!skipPreloadedContexts && url in contexts_default) {
-			logger.debug("Using preloaded context: {url}.", { url });
+		const currentUrl = new URL(url).href;
+		if (!skipPreloadedContexts && currentUrl in contexts_default) {
+			logger.debug("Using preloaded context: {url}.", { url: currentUrl });
 			return {
 				contextUrl: null,
-				document: contexts_default[url],
-				documentUrl: url
+				document: contexts_default[currentUrl],
+				documentUrl: currentUrl
 			};
 		}
 		if (!allowPrivateAddress) try {
-			await require_url.validatePublicUrl(url);
+			await require_url.validatePublicUrl(currentUrl);
 		} catch (error) {
 			if (error instanceof require_url.UrlError) logger.error("Disallowed private URL: {url}", {
-				url,
+				url: currentUrl,
 				error
 			});
 			throw error;
 		}
+		visited.add(currentUrl);
 		return await tracer.startActiveSpan("activitypub.fetch_document", {
 			kind: __opentelemetry_api.SpanKind.CLIENT,
-			attributes: { "url.full": url }
+			attributes: { "url.full": currentUrl }
 		}, async (span) => {
 			try {
-				const request = require_request.createActivityPubRequest(url, { userAgent });
+				const request = require_request.createActivityPubRequest(currentUrl, { userAgent });
 				require_request.logRequest(logger, request);
 				const response = await fetch(request, {
 					redirect: "manual",
@@ -5647,11 +5650,25 @@ function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAge
 				});
 				span.setAttribute("http.response.status_code", response.status);
 				if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
-					const redirectUrl = response.headers.get("Location");
+					if (redirected >= DEFAULT_MAX_REDIRECTION) {
+						logger.error("Too many redirections ({redirections}) while fetching document.", {
+							redirections: redirected + 1,
+							url: currentUrl
+						});
+						throw new require_request.FetchError(currentUrl, `Too many redirections (${redirected + 1})`);
+					}
+					const redirectUrl = new URL(response.headers.get("Location"), response.url === "" ? currentUrl : response.url).href;
 					span.setAttribute("http.redirect.url", redirectUrl);
-					return await load(redirectUrl, options);
+					if (visited.has(redirectUrl)) {
+						logger.error("Detected a redirect loop while fetching document: {url} -> {redirectUrl}", {
+							url: currentUrl,
+							redirectUrl
+						});
+						throw new require_request.FetchError(currentUrl, `Redirect loop detected: ${redirectUrl}`);
+					}
+					return await load(redirectUrl, options, redirected + 1, visited);
 				}
-				const result = await getRemoteDocument(url, response, load);
+				const result = await getRemoteDocument(currentUrl, response, load);
 				span.setAttribute("docloader.document_url", result.documentUrl);
 				if (result.contextUrl != null) span.setAttribute("docloader.context_url", result.contextUrl);
 				return result;
@@ -5939,6 +5956,53 @@ function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAge
 		(0, node_assert.deepStrictEqual)(await fetchDocumentLoader2("https://example.com/localhost-redirect"), expected);
 		(0, node_assert.deepStrictEqual)(await fetchDocumentLoader2("https://example.com/localhost-link"), expected);
 	});
+	let redirectAttempts = 0;
+	esm_default.get("begin:https://example.com/too-many-redirects/", (cl) => {
+		redirectAttempts++;
+		const index = Number(cl.url.split("/").at(-1));
+		return {
+			status: 302,
+			headers: { Location: `https://example.com/too-many-redirects/${index + 1}` }
+		};
+	});
+	await t.test("too many redirects", async () => {
+		redirectAttempts = 0;
+		await (0, node_assert.rejects)(() => fetchDocumentLoader("https://example.com/too-many-redirects/0"), require_request.FetchError, "Too many redirections");
+		(0, node_assert.deepStrictEqual)(redirectAttempts, 21);
+	});
+	let loopAttempts = 0;
+	esm_default.get("https://example.com/redirect-loop-a", () => {
+		loopAttempts++;
+		return {
+			status: 302,
+			headers: { Location: "https://example.com/redirect-loop-b" }
+		};
+	});
+	esm_default.get("https://example.com/redirect-loop-b", () => {
+		loopAttempts++;
+		return {
+			status: 302,
+			headers: { Location: "https://example.com/redirect-loop-a" }
+		};
+	});
+	await t.test("redirect loop", async () => {
+		loopAttempts = 0;
+		await (0, node_assert.rejects)(() => fetchDocumentLoader("https://example.com/redirect-loop-a"), require_request.FetchError, "Redirect loop detected");
+		(0, node_assert.deepStrictEqual)(loopAttempts, 2);
+	});
+	let relativeLoopAttempts = 0;
+	esm_default.get("https://example.com/redirect-loop-relative", () => {
+		relativeLoopAttempts++;
+		return {
+			status: 302,
+			headers: { Location: "/redirect-loop-relative" }
+		};
+	});
+	await t.test("redirect loop with relative location", async () => {
+		relativeLoopAttempts = 0;
+		await (0, node_assert.rejects)(() => fetchDocumentLoader("https://example.com/redirect-loop-relative"), require_request.FetchError, "Redirect loop detected");
+		(0, node_assert.deepStrictEqual)(relativeLoopAttempts, 1);
+	});
 	const maliciousPayload = "<a" + " a=\"b\"".repeat(30) + " ";
 	esm_default.get("https://example.com/redos", {
 		body: maliciousPayload,

package/dist/tests/docloader.test.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { FetchError, createActivityPubRequest, deno_default, logRequest } from "./request-BW_eXGbS.js";
+import { FetchError, createActivityPubRequest, deno_default, logRequest } from "./request-Cqx2eUpt.js";
 import { HttpHeaderLink } from "./link-Ck2yj4dH.js";
 import { UrlError, validatePublicUrl } from "./url-fW_DHbih.js";
 import "node:module";
@@ -5523,6 +5523,7 @@ const logger = getLogger([
 	"runtime",
 	"docloader"
 ]);
+const DEFAULT_MAX_REDIRECTION = 20;
 /**
 * Gets a {@link RemoteDocument} from the given response.
 * @param url The URL of the document to load.
@@ -5641,31 +5642,33 @@ async function getRemoteDocument(url, response, fetch$1) {
 function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAgent } = {}) {
 	const tracerProvider = trace.getTracerProvider();
 	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
-	async function load(url, options) {
+	async function load(url, options, redirected = 0, visited = /* @__PURE__ */ new Set()) {
 		options?.signal?.throwIfAborted();
-		if (!skipPreloadedContexts && url in contexts_default) {
-			logger.debug("Using preloaded context: {url}.", { url });
+		const currentUrl = new URL(url).href;
+		if (!skipPreloadedContexts && currentUrl in contexts_default) {
+			logger.debug("Using preloaded context: {url}.", { url: currentUrl });
 			return {
 				contextUrl: null,
-				document: contexts_default[url],
-				documentUrl: url
+				document: contexts_default[currentUrl],
+				documentUrl: currentUrl
 			};
 		}
 		if (!allowPrivateAddress) try {
-			await validatePublicUrl(url);
+			await validatePublicUrl(currentUrl);
 		} catch (error) {
 			if (error instanceof UrlError) logger.error("Disallowed private URL: {url}", {
-				url,
+				url: currentUrl,
 				error
 			});
 			throw error;
 		}
+		visited.add(currentUrl);
 		return await tracer.startActiveSpan("activitypub.fetch_document", {
 			kind: SpanKind.CLIENT,
-			attributes: { "url.full": url }
+			attributes: { "url.full": currentUrl }
 		}, async (span) => {
 			try {
-				const request = createActivityPubRequest(url, { userAgent });
+				const request = createActivityPubRequest(currentUrl, { userAgent });
 				logRequest(logger, request);
 				const response = await fetch(request, {
 					redirect: "manual",
@@ -5673,11 +5676,25 @@ function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAge
 				});
 				span.setAttribute("http.response.status_code", response.status);
 				if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
-					const redirectUrl = response.headers.get("Location");
+					if (redirected >= DEFAULT_MAX_REDIRECTION) {
+						logger.error("Too many redirections ({redirections}) while fetching document.", {
+							redirections: redirected + 1,
+							url: currentUrl
+						});
+						throw new FetchError(currentUrl, `Too many redirections (${redirected + 1})`);
+					}
+					const redirectUrl = new URL(response.headers.get("Location"), response.url === "" ? currentUrl : response.url).href;
 					span.setAttribute("http.redirect.url", redirectUrl);
-					return await load(redirectUrl, options);
+					if (visited.has(redirectUrl)) {
+						logger.error("Detected a redirect loop while fetching document: {url} -> {redirectUrl}", {
+							url: currentUrl,
+							redirectUrl
+						});
+						throw new FetchError(currentUrl, `Redirect loop detected: ${redirectUrl}`);
+					}
+					return await load(redirectUrl, options, redirected + 1, visited);
 				}
-				const result = await getRemoteDocument(url, response, load);
+				const result = await getRemoteDocument(currentUrl, response, load);
 				span.setAttribute("docloader.document_url", result.documentUrl);
 				if (result.contextUrl != null) span.setAttribute("docloader.context_url", result.contextUrl);
 				return result;
@@ -5965,6 +5982,53 @@ test("getDocumentLoader()", async (t) => {
 		deepStrictEqual(await fetchDocumentLoader2("https://example.com/localhost-redirect"), expected);
 		deepStrictEqual(await fetchDocumentLoader2("https://example.com/localhost-link"), expected);
 	});
+	let redirectAttempts = 0;
+	esm_default.get("begin:https://example.com/too-many-redirects/", (cl) => {
+		redirectAttempts++;
+		const index = Number(cl.url.split("/").at(-1));
+		return {
+			status: 302,
+			headers: { Location: `https://example.com/too-many-redirects/${index + 1}` }
+		};
+	});
+	await t.test("too many redirects", async () => {
+		redirectAttempts = 0;
+		await rejects(() => fetchDocumentLoader("https://example.com/too-many-redirects/0"), FetchError, "Too many redirections");
+		deepStrictEqual(redirectAttempts, 21);
+	});
+	let loopAttempts = 0;
+	esm_default.get("https://example.com/redirect-loop-a", () => {
+		loopAttempts++;
+		return {
+			status: 302,
+			headers: { Location: "https://example.com/redirect-loop-b" }
+		};
+	});
+	esm_default.get("https://example.com/redirect-loop-b", () => {
+		loopAttempts++;
+		return {
+			status: 302,
+			headers: { Location: "https://example.com/redirect-loop-a" }
+		};
+	});
+	await t.test("redirect loop", async () => {
+		loopAttempts = 0;
+		await rejects(() => fetchDocumentLoader("https://example.com/redirect-loop-a"), FetchError, "Redirect loop detected");
+		deepStrictEqual(loopAttempts, 2);
+	});
+	let relativeLoopAttempts = 0;
+	esm_default.get("https://example.com/redirect-loop-relative", () => {
+		relativeLoopAttempts++;
+		return {
+			status: 302,
+			headers: { Location: "/redirect-loop-relative" }
+		};
+	});
+	await t.test("redirect loop with relative location", async () => {
+		relativeLoopAttempts = 0;
+		await rejects(() => fetchDocumentLoader("https://example.com/redirect-loop-relative"), FetchError, "Redirect loop detected");
+		deepStrictEqual(relativeLoopAttempts, 1);
+	});
 	const maliciousPayload = "<a" + " a=\"b\"".repeat(30) + " ";
 	esm_default.get("https://example.com/redos", {
 		body: maliciousPayload,

package/dist/tests/{request-BW_eXGbS.js → request-Cqx2eUpt.js} RENAMED Viewed

@@ -2,7 +2,7 @@ import process from "node:process";
 //#region deno.json
 var name = "@fedify/vocab-runtime";
-var version = "2.0.7-pr.639.14+40546420";
+var version = "2.0.8";
 var license = "MIT";
 var exports = {
 	".": "./src/mod.ts",

package/dist/tests/{request-B3KZmXmp.cjs → request-D2-F2dMS.cjs} RENAMED Viewed

@@ -3,7 +3,7 @@ const node_process = require_chunk.__toESM(require("node:process"));
 //#region deno.json
 var name = "@fedify/vocab-runtime";
-var version = "2.0.7-pr.639.14+40546420";
+var version = "2.0.8";
 var license = "MIT";
 var exports$1 = {
 	".": "./src/mod.ts",

package/dist/tests/request.test.cjs CHANGED Viewed

@@ -1,5 +1,5 @@
 const require_chunk = require('./chunk-DWy1uDak.cjs');
-const require_request = require('./request-B3KZmXmp.cjs');
+const require_request = require('./request-D2-F2dMS.cjs');
 const node_assert = require_chunk.__toESM(require("node:assert"));
 const node_test = require_chunk.__toESM(require("node:test"));
 const node_process = require_chunk.__toESM(require("node:process"));

package/dist/tests/request.test.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { deno_default, getUserAgent } from "./request-BW_eXGbS.js";
+import { deno_default, getUserAgent } from "./request-Cqx2eUpt.js";
 import { deepStrictEqual } from "node:assert";
 import { test } from "node:test";
 import process from "node:process";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/vocab-runtime",
-  "version": "2.0.7-pr.639.14+40546420",
+  "version": "2.0.8",
   "homepage": "https://fedify.dev/",
   "repository": {
     "type": "git",

package/src/docloader.test.ts CHANGED Viewed

@@ -361,6 +361,73 @@ test("getDocumentLoader()", async (t) => {
     );
   });
+  let redirectAttempts = 0;
+  fetchMock.get("begin:https://example.com/too-many-redirects/", (cl) => {
+    redirectAttempts++;
+    const index = Number(cl.url.split("/").at(-1));
+    return {
+      status: 302,
+      headers: {
+        Location: `https://example.com/too-many-redirects/${index + 1}`,
+      },
+    };
+  });
+  await t.test("too many redirects", async () => {
+    redirectAttempts = 0;
+    await rejects(
+      () => fetchDocumentLoader("https://example.com/too-many-redirects/0"),
+      FetchError,
+      "Too many redirections",
+    );
+    deepStrictEqual(redirectAttempts, 21);
+  });
+  let loopAttempts = 0;
+  fetchMock.get("https://example.com/redirect-loop-a", () => {
+    loopAttempts++;
+    return {
+      status: 302,
+      headers: { Location: "https://example.com/redirect-loop-b" },
+    };
+  });
+  fetchMock.get("https://example.com/redirect-loop-b", () => {
+    loopAttempts++;
+    return {
+      status: 302,
+      headers: { Location: "https://example.com/redirect-loop-a" },
+    };
+  });
+  await t.test("redirect loop", async () => {
+    loopAttempts = 0;
+    await rejects(
+      () => fetchDocumentLoader("https://example.com/redirect-loop-a"),
+      FetchError,
+      "Redirect loop detected",
+    );
+    deepStrictEqual(loopAttempts, 2);
+  });
+  let relativeLoopAttempts = 0;
+  fetchMock.get("https://example.com/redirect-loop-relative", () => {
+    relativeLoopAttempts++;
+    return {
+      status: 302,
+      headers: { Location: "/redirect-loop-relative" },
+    };
+  });
+  await t.test("redirect loop with relative location", async () => {
+    relativeLoopAttempts = 0;
+    await rejects(
+      () => fetchDocumentLoader("https://example.com/redirect-loop-relative"),
+      FetchError,
+      "Redirect loop detected",
+    );
+    deepStrictEqual(relativeLoopAttempts, 1);
+  });
   // Regression test for ReDoS vulnerability (CVE-2025-68475)
   // Malicious HTML payload: <a a="b" a="b" ... (unclosed tag)
   // With the vulnerable regex, this causes catastrophic backtracking

package/src/docloader.ts CHANGED Viewed

@@ -12,6 +12,7 @@ import {
 import { UrlError, validatePublicUrl } from "./url.ts";
 const logger = getLogger(["fedify", "runtime", "docloader"]);
+const DEFAULT_MAX_REDIRECTION = 20;
 /**
  * A remote JSON-LD document and its context fetched by
@@ -292,38 +293,45 @@ export function getDocumentLoader(
   async function load(
     url: string,
     options?: DocumentLoaderOptions,
+    redirected = 0,
+    visited = new Set<string>(),
   ): Promise<RemoteDocument> {
     options?.signal?.throwIfAborted();
-    if (!skipPreloadedContexts && url in preloadedContexts) {
-      logger.debug("Using preloaded context: {url}.", { url });
+    const currentUrl = new URL(url).href;
+    if (!skipPreloadedContexts && currentUrl in preloadedContexts) {
+      logger.debug("Using preloaded context: {url}.", { url: currentUrl });
       return {
         contextUrl: null,
-        document: preloadedContexts[url],
-        documentUrl: url,
+        document: preloadedContexts[currentUrl],
+        documentUrl: currentUrl,
       };
     }
     if (!allowPrivateAddress) {
       try {
-        await validatePublicUrl(url);
+        await validatePublicUrl(currentUrl);
       } catch (error) {
         if (error instanceof UrlError) {
-          logger.error("Disallowed private URL: {url}", { url, error });
+          logger.error("Disallowed private URL: {url}", {
+            url: currentUrl,
+            error,
+          });
         }
         throw error;
       }
     }
+    visited.add(currentUrl);
     return await tracer.startActiveSpan(
       "activitypub.fetch_document",
       {
         kind: SpanKind.CLIENT,
         attributes: {
-          "url.full": url,
+          "url.full": currentUrl,
         },
       },
       async (span) => {
         try {
-          const request = createActivityPubRequest(url, { userAgent });
+          const request = createActivityPubRequest(currentUrl, { userAgent });
           logRequest(logger, request);
           const response = await fetch(request, {
             // Since Bun has a bug that ignores the `Request.redirect` option,
@@ -339,12 +347,36 @@ export function getDocumentLoader(
             response.status >= 300 && response.status < 400 &&
             response.headers.has("Location")
           ) {
-            const redirectUrl = response.headers.get("Location")!;
+            if (redirected >= DEFAULT_MAX_REDIRECTION) {
+              logger.error(
+                "Too many redirections ({redirections}) while fetching document.",
+                { redirections: redirected + 1, url: currentUrl },
+              );
+              throw new FetchError(
+                currentUrl,
+                `Too many redirections (${redirected + 1})`,
+              );
+            }
+            const redirectUrl = new URL(
+              response.headers.get("Location")!,
+              response.url === "" ? currentUrl : response.url,
+            ).href;
             span.setAttribute("http.redirect.url", redirectUrl);
-            return await load(redirectUrl, options);
+            if (visited.has(redirectUrl)) {
+              logger.error(
+                "Detected a redirect loop while fetching document: {url} -> " +
+                  "{redirectUrl}",
+                { url: currentUrl, redirectUrl },
+              );
+              throw new FetchError(
+                currentUrl,
+                `Redirect loop detected: ${redirectUrl}`,
+              );
+            }
+            return await load(redirectUrl, options, redirected + 1, visited);
           }
-          const result = await getRemoteDocument(url, response, load);
+          const result = await getRemoteDocument(currentUrl, response, load);
           span.setAttribute("docloader.document_url", result.documentUrl);
           if (result.contextUrl != null) {
             span.setAttribute("docloader.context_url", result.contextUrl);