@fedify/vocab-runtime 2.0.7 → 2.0.9

package/dist/tests/{url-C5Vs9nYh.cjs → url-Cr2K-wzd.cjs}

@@ -1,7 +1,6 @@
-const require_chunk = require('./chunk-DWy1uDak.cjs');
-const node_dns_promises = require_chunk.__toESM(require("node:dns/promises"));
-const node_net = require_chunk.__toESM(require("node:net"));
-
+require("./chunk-Do9eywBl.cjs");
+let node_dns_promises = require("node:dns/promises");
+let node_net = require("node:net");
 //#region src/url.ts
 var UrlError = class extends Error {
 	constructor(message) {
@@ -19,8 +18,7 @@ async function validatePublicUrl(url) {
 	if (hostname.startsWith("[") && hostname.endsWith("]")) hostname = hostname.substring(1, hostname.length - 2);
 	if (hostname === "localhost") throw new UrlError("Localhost is not allowed");
 	if ("Deno" in globalThis && !(0, node_net.isIP)(hostname)) {
-		const netPermission = await Deno.permissions.query({ name: "net" });
-		if (netPermission.state !== "granted") return;
+		if ((await Deno.permissions.query({ name: "net" })).state !== "granted") return;
 	}
 	if ("Bun" in globalThis) {
 		if (hostname === "example.com" || hostname.endsWith(".example.com")) return;
@@ -56,38 +54,36 @@ function expandIPv6Address(address) {
 	if (address.startsWith("::")) address = "0000" + address;
 	if (address.endsWith("::")) address = address + "0000";
 	address = address.replace("::", ":0000".repeat(8 - (address.match(/:/g) || []).length) + ":");
-	const parts = address.split(":");
-	return parts.map((part) => part.padStart(4, "0")).join(":");
+	return address.split(":").map((part) => part.padStart(4, "0")).join(":");
 }
-
 //#endregion
-Object.defineProperty(exports, 'UrlError', {
-  enumerable: true,
-  get: function () {
-    return UrlError;
-  }
+Object.defineProperty(exports, "UrlError", {
+	enumerable: true,
+	get: function() {
+		return UrlError;
+	}
+});
+Object.defineProperty(exports, "expandIPv6Address", {
+	enumerable: true,
+	get: function() {
+		return expandIPv6Address;
+	}
 });
-Object.defineProperty(exports, 'expandIPv6Address', {
-  enumerable: true,
-  get: function () {
-    return expandIPv6Address;
-  }
+Object.defineProperty(exports, "isValidPublicIPv4Address", {
+	enumerable: true,
+	get: function() {
+		return isValidPublicIPv4Address;
+	}
 });
-Object.defineProperty(exports, 'isValidPublicIPv4Address', {
-  enumerable: true,
-  get: function () {
-    return isValidPublicIPv4Address;
-  }
+Object.defineProperty(exports, "isValidPublicIPv6Address", {
+	enumerable: true,
+	get: function() {
+		return isValidPublicIPv6Address;
+	}
 });
-Object.defineProperty(exports, 'isValidPublicIPv6Address', {
-  enumerable: true,
-  get: function () {
-    return isValidPublicIPv6Address;
-  }
+Object.defineProperty(exports, "validatePublicUrl", {
+	enumerable: true,
+	get: function() {
+		return validatePublicUrl;
+	}
 });
-Object.defineProperty(exports, 'validatePublicUrl', {
-  enumerable: true,
-  get: function () {
-    return validatePublicUrl;
-  }
-});

package/dist/tests/{url-fW_DHbih.js → url-Djghaq0m.mjs}

@@ -1,6 +1,5 @@
 import { lookup } from "node:dns/promises";
 import { isIP } from "node:net";
-
 //#region src/url.ts
 var UrlError = class extends Error {
 	constructor(message) {
@@ -18,8 +17,7 @@ async function validatePublicUrl(url) {
 	if (hostname.startsWith("[") && hostname.endsWith("]")) hostname = hostname.substring(1, hostname.length - 2);
 	if (hostname === "localhost") throw new UrlError("Localhost is not allowed");
 	if ("Deno" in globalThis && !isIP(hostname)) {
-		const netPermission = await Deno.permissions.query({ name: "net" });
-		if (netPermission.state !== "granted") return;
+		if ((await Deno.permissions.query({ name: "net" })).state !== "granted") return;
 	}
 	if ("Bun" in globalThis) {
 		if (hostname === "example.com" || hostname.endsWith(".example.com")) return;
@@ -55,9 +53,7 @@ function expandIPv6Address(address) {
 	if (address.startsWith("::")) address = "0000" + address;
 	if (address.endsWith("::")) address = address + "0000";
 	address = address.replace("::", ":0000".repeat(8 - (address.match(/:/g) || []).length) + ":");
-	const parts = address.split(":");
-	return parts.map((part) => part.padStart(4, "0")).join(":");
+	return address.split(":").map((part) => part.padStart(4, "0")).join(":");
 }
-
 //#endregion
-export { UrlError, expandIPv6Address, isValidPublicIPv4Address, isValidPublicIPv6Address, validatePublicUrl };
+export { validatePublicUrl as a, isValidPublicIPv6Address as i, expandIPv6Address as n, isValidPublicIPv4Address as r, UrlError as t };

package/dist/tests/url.test.cjs

@@ -1,8 +1,7 @@
-const require_chunk = require('./chunk-DWy1uDak.cjs');
-const require_url = require('./url-C5Vs9nYh.cjs');
-const node_assert = require_chunk.__toESM(require("node:assert"));
-const node_test = require_chunk.__toESM(require("node:test"));
-
+require("./chunk-Do9eywBl.cjs");
+const require_url = require("./url-Cr2K-wzd.cjs");
+let node_assert = require("node:assert");
+let node_test = require("node:test");
 //#region src/url.test.ts
 (0, node_test.test)("validatePublicUrl()", async () => {
 	await (0, node_assert.rejects)(() => require_url.validatePublicUrl("ftp://localhost"), require_url.UrlError);
@@ -33,5 +32,4 @@ const node_test = require_chunk.__toESM(require("node:test"));
 	(0, node_assert.deepStrictEqual)(require_url.expandIPv6Address("2001:db8::"), "2001:0db8:0000:0000:0000:0000:0000:0000");
 	(0, node_assert.deepStrictEqual)(require_url.expandIPv6Address("2001:db8::1"), "2001:0db8:0000:0000:0000:0000:0000:0001");
 });
-
-//#endregion
+//#endregion

package/dist/tests/{url.test.js → url.test.mjs}

@@ -1,7 +1,6 @@
-import { UrlError, expandIPv6Address, isValidPublicIPv4Address, isValidPublicIPv6Address, validatePublicUrl } from "./url-fW_DHbih.js";
+import { a as validatePublicUrl, i as isValidPublicIPv6Address, n as expandIPv6Address, r as isValidPublicIPv4Address, t as UrlError } from "./url-Djghaq0m.mjs";
 import { deepStrictEqual, ok, rejects } from "node:assert";
 import { test } from "node:test";
-
 //#region src/url.test.ts
 test("validatePublicUrl()", async () => {
 	await rejects(() => validatePublicUrl("ftp://localhost"), UrlError);
@@ -32,5 +31,5 @@ test("expandIPv6Address()", () => {
 	deepStrictEqual(expandIPv6Address("2001:db8::"), "2001:0db8:0000:0000:0000:0000:0000:0000");
 	deepStrictEqual(expandIPv6Address("2001:db8::1"), "2001:0db8:0000:0000:0000:0000:0000:0001");
 });
-
-//#endregion
+//#endregion
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/vocab-runtime",
-  "version": "2.0.7",
+  "version": "2.0.9",
   "homepage": "https://fedify.dev/",
   "repository": {
     "type": "git",
@@ -61,8 +61,8 @@
   "devDependencies": {
     "@types/node": "^24.2.1",
     "fetch-mock": "^12.5.4",
-    "tsdown": "^0.12.9",
-    "typescript": "^5.9.3"
+    "tsdown": "^0.21.6",
+    "typescript": "^5.9.2"
   },
   "dependencies": {
     "@logtape/logtape": "^2.0.0",

package/src/docloader.test.ts

@@ -361,6 +361,73 @@ test("getDocumentLoader()", async (t) => {
     );
   });
 
+  let redirectAttempts = 0;
+  fetchMock.get("begin:https://example.com/too-many-redirects/", (cl) => {
+    redirectAttempts++;
+    const index = Number(cl.url.split("/").at(-1));
+    return {
+      status: 302,
+      headers: {
+        Location: `https://example.com/too-many-redirects/${index + 1}`,
+      },
+    };
+  });
+
+  await t.test("too many redirects", async () => {
+    redirectAttempts = 0;
+    await rejects(
+      () => fetchDocumentLoader("https://example.com/too-many-redirects/0"),
+      FetchError,
+      "Too many redirections",
+    );
+    deepStrictEqual(redirectAttempts, 21);
+  });
+
+  let loopAttempts = 0;
+  fetchMock.get("https://example.com/redirect-loop-a", () => {
+    loopAttempts++;
+    return {
+      status: 302,
+      headers: { Location: "https://example.com/redirect-loop-b" },
+    };
+  });
+  fetchMock.get("https://example.com/redirect-loop-b", () => {
+    loopAttempts++;
+    return {
+      status: 302,
+      headers: { Location: "https://example.com/redirect-loop-a" },
+    };
+  });
+
+  await t.test("redirect loop", async () => {
+    loopAttempts = 0;
+    await rejects(
+      () => fetchDocumentLoader("https://example.com/redirect-loop-a"),
+      FetchError,
+      "Redirect loop detected",
+    );
+    deepStrictEqual(loopAttempts, 2);
+  });
+
+  let relativeLoopAttempts = 0;
+  fetchMock.get("https://example.com/redirect-loop-relative", () => {
+    relativeLoopAttempts++;
+    return {
+      status: 302,
+      headers: { Location: "/redirect-loop-relative" },
+    };
+  });
+
+  await t.test("redirect loop with relative location", async () => {
+    relativeLoopAttempts = 0;
+    await rejects(
+      () => fetchDocumentLoader("https://example.com/redirect-loop-relative"),
+      FetchError,
+      "Redirect loop detected",
+    );
+    deepStrictEqual(relativeLoopAttempts, 1);
+  });
+
   // Regression test for ReDoS vulnerability (CVE-2025-68475)
   // Malicious HTML payload: <a a="b" a="b" ... (unclosed tag)
   // With the vulnerable regex, this causes catastrophic backtracking

package/src/docloader.ts

@@ -12,6 +12,7 @@ import {
 import { UrlError, validatePublicUrl } from "./url.ts";
 
 const logger = getLogger(["fedify", "runtime", "docloader"]);
+const DEFAULT_MAX_REDIRECTION = 20;
 
 /**
  * A remote JSON-LD document and its context fetched by
@@ -292,38 +293,45 @@ export function getDocumentLoader(
   async function load(
     url: string,
     options?: DocumentLoaderOptions,
+    redirected = 0,
+    visited = new Set<string>(),
   ): Promise<RemoteDocument> {
     options?.signal?.throwIfAborted();
-    if (!skipPreloadedContexts && url in preloadedContexts) {
-      logger.debug("Using preloaded context: {url}.", { url });
+    const currentUrl = new URL(url).href;
+    if (!skipPreloadedContexts && currentUrl in preloadedContexts) {
+      logger.debug("Using preloaded context: {url}.", { url: currentUrl });
       return {
         contextUrl: null,
-        document: preloadedContexts[url],
-        documentUrl: url,
+        document: preloadedContexts[currentUrl],
+        documentUrl: currentUrl,
       };
     }
     if (!allowPrivateAddress) {
       try {
-        await validatePublicUrl(url);
+        await validatePublicUrl(currentUrl);
       } catch (error) {
         if (error instanceof UrlError) {
-          logger.error("Disallowed private URL: {url}", { url, error });
+          logger.error("Disallowed private URL: {url}", {
+            url: currentUrl,
+            error,
+          });
         }
         throw error;
       }
     }
+    visited.add(currentUrl);
 
     return await tracer.startActiveSpan(
       "activitypub.fetch_document",
       {
         kind: SpanKind.CLIENT,
         attributes: {
-          "url.full": url,
+          "url.full": currentUrl,
         },
       },
       async (span) => {
         try {
-          const request = createActivityPubRequest(url, { userAgent });
+          const request = createActivityPubRequest(currentUrl, { userAgent });
           logRequest(logger, request);
           const response = await fetch(request, {
             // Since Bun has a bug that ignores the `Request.redirect` option,
@@ -339,12 +347,36 @@ export function getDocumentLoader(
             response.status >= 300 && response.status < 400 &&
             response.headers.has("Location")
           ) {
-            const redirectUrl = response.headers.get("Location")!;
+            if (redirected >= DEFAULT_MAX_REDIRECTION) {
+              logger.error(
+                "Too many redirections ({redirections}) while fetching document.",
+                { redirections: redirected + 1, url: currentUrl },
+              );
+              throw new FetchError(
+                currentUrl,
+                `Too many redirections (${redirected + 1})`,
+              );
+            }
+            const redirectUrl = new URL(
+              response.headers.get("Location")!,
+              response.url === "" ? currentUrl : response.url,
+            ).href;
             span.setAttribute("http.redirect.url", redirectUrl);
-            return await load(redirectUrl, options);
+            if (visited.has(redirectUrl)) {
+              logger.error(
+                "Detected a redirect loop while fetching document: {url} -> " +
+                  "{redirectUrl}",
+                { url: currentUrl, redirectUrl },
+              );
+              throw new FetchError(
+                currentUrl,
+                `Redirect loop detected: ${redirectUrl}`,
+              );
+            }
+            return await load(redirectUrl, options, redirected + 1, visited);
           }
 
-          const result = await getRemoteDocument(url, response, load);
+          const result = await getRemoteDocument(currentUrl, response, load);
           span.setAttribute("docloader.document_url", result.documentUrl);
           if (result.contextUrl != null) {
             span.setAttribute("docloader.context_url", result.contextUrl);

package/dist/tests/request.test.js

@@ -1,43 +0,0 @@
-import { deno_default, getUserAgent } from "./request-BZixuWv5.js";
-import { deepStrictEqual } from "node:assert";
-import { test } from "node:test";
-import process from "node:process";
-
-//#region src/request.test.ts
-test("getUserAgent()", () => {
-	if ("Deno" in globalThis) {
-		deepStrictEqual(getUserAgent(), `Fedify/${deno_default.version} (Deno/${Deno.version.deno})`);
-		deepStrictEqual(getUserAgent({ software: "MyApp/1.0.0" }), `MyApp/1.0.0 (Fedify/${deno_default.version}; Deno/${Deno.version.deno})`);
-		deepStrictEqual(getUserAgent({ url: "https://example.com/" }), `Fedify/${deno_default.version} (Deno/${Deno.version.deno}; +https://example.com/)`);
-		deepStrictEqual(getUserAgent({
-			software: "MyApp/1.0.0",
-			url: new URL("https://example.com/")
-		}), `MyApp/1.0.0 (Fedify/${deno_default.version}; Deno/${Deno.version.deno}; +https://example.com/)`);
-	} else if ("Bun" in globalThis) {
-		deepStrictEqual(getUserAgent(), `Fedify/${deno_default.version} (Bun/${Bun.version})`);
-		deepStrictEqual(getUserAgent({ software: "MyApp/1.0.0" }), `MyApp/1.0.0 (Fedify/${deno_default.version}; Bun/${Bun.version})`);
-		deepStrictEqual(getUserAgent({ url: "https://example.com/" }), `Fedify/${deno_default.version} (Bun/${Bun.version}; +https://example.com/)`);
-		deepStrictEqual(getUserAgent({
-			software: "MyApp/1.0.0",
-			url: new URL("https://example.com/")
-		}), `MyApp/1.0.0 (Fedify/${deno_default.version}; Bun/${Bun.version}; +https://example.com/)`);
-	} else if (navigator.userAgent === "Cloudflare-Workers") {
-		deepStrictEqual(getUserAgent(), `Fedify/${deno_default.version} (Cloudflare-Workers)`);
-		deepStrictEqual(getUserAgent({ software: "MyApp/1.0.0" }), `MyApp/1.0.0 (Fedify/${deno_default.version}; Cloudflare-Workers)`);
-		deepStrictEqual(getUserAgent({ url: "https://example.com/" }), `Fedify/${deno_default.version} (Cloudflare-Workers; +https://example.com/)`);
-		deepStrictEqual(getUserAgent({
-			software: "MyApp/1.0.0",
-			url: new URL("https://example.com/")
-		}), `MyApp/1.0.0 (Fedify/${deno_default.version}; Cloudflare-Workers; +https://example.com/)`);
-	} else {
-		deepStrictEqual(getUserAgent(), `Fedify/${deno_default.version} (Node.js/${process.versions.node})`);
-		deepStrictEqual(getUserAgent({ software: "MyApp/1.0.0" }), `MyApp/1.0.0 (Fedify/${deno_default.version}; Node.js/${process.versions.node})`);
-		deepStrictEqual(getUserAgent({ url: "https://example.com/" }), `Fedify/${deno_default.version} (Node.js/${process.versions.node}; +https://example.com/)`);
-		deepStrictEqual(getUserAgent({
-			software: "MyApp/1.0.0",
-			url: new URL("https://example.com/")
-		}), `MyApp/1.0.0 (Fedify/${deno_default.version}; Node.js/${process.versions.node}; +https://example.com/)`);
-	}
-});
-
-//#endregion