@fedify/vocab-runtime 2.2.0-dev.606 → 2.2.0-dev.613

package/deno.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/vocab-runtime",
-  "version": "2.2.0-dev.606+3a976326",
+  "version": "2.2.0-dev.613+cf8cd122",
   "license": "MIT",
   "exports": {
     ".": "./src/mod.ts",

package/dist/mod.cjs

@@ -4376,7 +4376,7 @@ var contexts_default = preloadedContexts;
 //#endregion
 //#region deno.json
 var name = "@fedify/vocab-runtime";
-var version = "2.2.0-dev.606+3a976326";
+var version = "2.2.0-dev.613+cf8cd122";
 var license = "MIT";
 var exports$1 = {
 	".": "./src/mod.ts",
@@ -4735,6 +4735,7 @@ const logger = (0, __logtape_logtape.getLogger)([
 	"runtime",
 	"docloader"
 ]);
+const DEFAULT_MAX_REDIRECTION = 20;
 /**
 * Gets a {@link RemoteDocument} from the given response.
 * @param url The URL of the document to load.
@@ -4850,34 +4851,37 @@ async function getRemoteDocument(url, response, fetch$1) {
 * @returns The document loader.
 * @since 1.3.0
 */
-function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAgent } = {}) {
+function getDocumentLoader({ allowPrivateAddress, maxRedirection, skipPreloadedContexts, userAgent } = {}) {
 	const tracerProvider = __opentelemetry_api.trace.getTracerProvider();
 	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
-	async function load(url, options) {
+	const maximumRedirection = maxRedirection ?? DEFAULT_MAX_REDIRECTION;
+	async function load(url, options, redirected = 0, visited = /* @__PURE__ */ new Set()) {
 		options?.signal?.throwIfAborted();
-		if (!skipPreloadedContexts && url in contexts_default) {
-			logger.debug("Using preloaded context: {url}.", { url });
+		const currentUrl = new URL(url).href;
+		if (!skipPreloadedContexts && currentUrl in contexts_default) {
+			logger.debug("Using preloaded context: {url}.", { url: currentUrl });
 			return {
 				contextUrl: null,
-				document: contexts_default[url],
-				documentUrl: url
+				document: contexts_default[currentUrl],
+				documentUrl: currentUrl
 			};
 		}
 		if (!allowPrivateAddress) try {
-			await validatePublicUrl(url);
+			await validatePublicUrl(currentUrl);
 		} catch (error) {
 			if (error instanceof UrlError) logger.error("Disallowed private URL: {url}", {
-				url,
+				url: currentUrl,
 				error
 			});
 			throw error;
 		}
+		visited.add(currentUrl);
 		return await tracer.startActiveSpan("activitypub.fetch_document", {
 			kind: __opentelemetry_api.SpanKind.CLIENT,
-			attributes: { "url.full": url }
+			attributes: { "url.full": currentUrl }
 		}, async (span) => {
 			try {
-				const request = createActivityPubRequest(url, { userAgent });
+				const request = createActivityPubRequest(currentUrl, { userAgent });
 				logRequest(logger, request);
 				const response = await fetch(request, {
 					redirect: "manual",
@@ -4885,11 +4889,25 @@ function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAge
 				});
 				span.setAttribute("http.response.status_code", response.status);
 				if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
-					const redirectUrl = response.headers.get("Location");
+					if (redirected >= maximumRedirection) {
+						logger.error("Too many redirections ({redirections}) while fetching document.", {
+							redirections: redirected + 1,
+							url: currentUrl
+						});
+						throw new FetchError(currentUrl, `Too many redirections (${redirected + 1})`);
+					}
+					const redirectUrl = new URL(response.headers.get("Location"), response.url === "" ? currentUrl : response.url).href;
 					span.setAttribute("http.redirect.url", redirectUrl);
-					return await load(redirectUrl, options);
+					if (visited.has(redirectUrl)) {
+						logger.error("Detected a redirect loop while fetching document: {url} -> {redirectUrl}", {
+							url: currentUrl,
+							redirectUrl
+						});
+						throw new FetchError(currentUrl, `Redirect loop detected: ${redirectUrl}`);
+					}
+					return await load(redirectUrl, options, redirected + 1, visited);
 				}
-				const result = await getRemoteDocument(url, response, load);
+				const result = await getRemoteDocument(currentUrl, response, load);
 				span.setAttribute("docloader.document_url", result.documentUrl);
 				if (result.contextUrl != null) span.setAttribute("docloader.context_url", result.contextUrl);
 				return result;

package/dist/mod.d.cts

@@ -136,6 +136,12 @@ interface DocumentLoaderFactoryOptions {
   * If an object is given, it is passed to {@link getUserAgent} function.
   */
   userAgent?: GetUserAgentOptions | string;
+  /**
+  * The maximum number of redirections to follow.
+  * @default `20`
+  * @since 2.2.0
+  */
+  maxRedirection?: number;
 }
 /**
 * A factory function that creates an authenticated {@link DocumentLoader} for
@@ -190,6 +196,7 @@ interface GetDocumentLoaderOptions extends DocumentLoaderFactoryOptions {
 */
 declare function getDocumentLoader({
   allowPrivateAddress,
+  maxRedirection,
   skipPreloadedContexts,
   userAgent
 }?: GetDocumentLoaderOptions): DocumentLoader;

package/dist/mod.d.ts

@@ -136,6 +136,12 @@ interface DocumentLoaderFactoryOptions {
   * If an object is given, it is passed to {@link getUserAgent} function.
   */
   userAgent?: GetUserAgentOptions | string;
+  /**
+  * The maximum number of redirections to follow.
+  * @default `20`
+  * @since 2.2.0
+  */
+  maxRedirection?: number;
 }
 /**
 * A factory function that creates an authenticated {@link DocumentLoader} for
@@ -190,6 +196,7 @@ interface GetDocumentLoaderOptions extends DocumentLoaderFactoryOptions {
 */
 declare function getDocumentLoader({
   allowPrivateAddress,
+  maxRedirection,
   skipPreloadedContexts,
   userAgent
 }?: GetDocumentLoaderOptions): DocumentLoader;

package/dist/mod.js

@@ -4375,7 +4375,7 @@ var contexts_default = preloadedContexts;
 //#endregion
 //#region deno.json
 var name = "@fedify/vocab-runtime";
-var version = "2.2.0-dev.606+3a976326";
+var version = "2.2.0-dev.613+cf8cd122";
 var license = "MIT";
 var exports = {
 	".": "./src/mod.ts",
@@ -4734,6 +4734,7 @@ const logger = getLogger([
 	"runtime",
 	"docloader"
 ]);
+const DEFAULT_MAX_REDIRECTION = 20;
 /**
 * Gets a {@link RemoteDocument} from the given response.
 * @param url The URL of the document to load.
@@ -4849,34 +4850,37 @@ async function getRemoteDocument(url, response, fetch$1) {
 * @returns The document loader.
 * @since 1.3.0
 */
-function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAgent } = {}) {
+function getDocumentLoader({ allowPrivateAddress, maxRedirection, skipPreloadedContexts, userAgent } = {}) {
 	const tracerProvider = trace.getTracerProvider();
 	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
-	async function load(url, options) {
+	const maximumRedirection = maxRedirection ?? DEFAULT_MAX_REDIRECTION;
+	async function load(url, options, redirected = 0, visited = /* @__PURE__ */ new Set()) {
 		options?.signal?.throwIfAborted();
-		if (!skipPreloadedContexts && url in contexts_default) {
-			logger.debug("Using preloaded context: {url}.", { url });
+		const currentUrl = new URL(url).href;
+		if (!skipPreloadedContexts && currentUrl in contexts_default) {
+			logger.debug("Using preloaded context: {url}.", { url: currentUrl });
 			return {
 				contextUrl: null,
-				document: contexts_default[url],
-				documentUrl: url
+				document: contexts_default[currentUrl],
+				documentUrl: currentUrl
 			};
 		}
 		if (!allowPrivateAddress) try {
-			await validatePublicUrl(url);
+			await validatePublicUrl(currentUrl);
 		} catch (error) {
 			if (error instanceof UrlError) logger.error("Disallowed private URL: {url}", {
-				url,
+				url: currentUrl,
 				error
 			});
 			throw error;
 		}
+		visited.add(currentUrl);
 		return await tracer.startActiveSpan("activitypub.fetch_document", {
 			kind: SpanKind.CLIENT,
-			attributes: { "url.full": url }
+			attributes: { "url.full": currentUrl }
 		}, async (span) => {
 			try {
-				const request = createActivityPubRequest(url, { userAgent });
+				const request = createActivityPubRequest(currentUrl, { userAgent });
 				logRequest(logger, request);
 				const response = await fetch(request, {
 					redirect: "manual",
@@ -4884,11 +4888,25 @@ function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAge
 				});
 				span.setAttribute("http.response.status_code", response.status);
 				if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
-					const redirectUrl = response.headers.get("Location");
+					if (redirected >= maximumRedirection) {
+						logger.error("Too many redirections ({redirections}) while fetching document.", {
+							redirections: redirected + 1,
+							url: currentUrl
+						});
+						throw new FetchError(currentUrl, `Too many redirections (${redirected + 1})`);
+					}
+					const redirectUrl = new URL(response.headers.get("Location"), response.url === "" ? currentUrl : response.url).href;
 					span.setAttribute("http.redirect.url", redirectUrl);
-					return await load(redirectUrl, options);
+					if (visited.has(redirectUrl)) {
+						logger.error("Detected a redirect loop while fetching document: {url} -> {redirectUrl}", {
+							url: currentUrl,
+							redirectUrl
+						});
+						throw new FetchError(currentUrl, `Redirect loop detected: ${redirectUrl}`);
+					}
+					return await load(redirectUrl, options, redirected + 1, visited);
 				}
-				const result = await getRemoteDocument(url, response, load);
+				const result = await getRemoteDocument(currentUrl, response, load);
 				span.setAttribute("docloader.document_url", result.documentUrl);
 				if (result.contextUrl != null) span.setAttribute("docloader.context_url", result.contextUrl);
 				return result;

package/dist/tests/decimal.test.cjs

@@ -1,6 +1,6 @@
 const require_chunk = require('./chunk-DWy1uDak.cjs');
-require('./docloader-BVqyre7B.cjs');
-require('./request-CvhpFknJ.cjs');
+require('./docloader-txRGFv1x.cjs');
+require('./request-73FIhAHw.cjs');
 require('./link-DYNFAdNu.cjs');
 require('./url-DIjOdK8Q.cjs');
 require('./multicodec--6hQ74zI.cjs');

package/dist/tests/decimal.test.js

@@ -1,5 +1,5 @@
-import "./docloader-Ch--TwSL.js";
-import "./request-DHlP8Ayx.js";
+import "./docloader-DEi540Xh.js";
+import "./request-BO6hGoBJ.js";
 import "./link-C3q2TC2G.js";
 import "./url-CWEP9Zs9.js";
 import "./multicodec-Dq3IiOV4.js";

package/dist/tests/{docloader-Ch--TwSL.js → docloader-DEi540Xh.js}

@@ -1,4 +1,4 @@
-import { FetchError, createActivityPubRequest, deno_default, logRequest } from "./request-DHlP8Ayx.js";
+import { FetchError, createActivityPubRequest, deno_default, logRequest } from "./request-BO6hGoBJ.js";
 import { HttpHeaderLink } from "./link-C3q2TC2G.js";
 import { UrlError, validatePublicUrl } from "./url-CWEP9Zs9.js";
 import { getLogger } from "@logtape/logtape";
@@ -4373,6 +4373,7 @@ const logger = getLogger([
 	"runtime",
 	"docloader"
 ]);
+const DEFAULT_MAX_REDIRECTION = 20;
 /**
 * Gets a {@link RemoteDocument} from the given response.
 * @param url The URL of the document to load.
@@ -4488,34 +4489,37 @@ async function getRemoteDocument(url, response, fetch$1) {
 * @returns The document loader.
 * @since 1.3.0
 */
-function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAgent } = {}) {
+function getDocumentLoader({ allowPrivateAddress, maxRedirection, skipPreloadedContexts, userAgent } = {}) {
 	const tracerProvider = trace.getTracerProvider();
 	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
-	async function load(url, options) {
+	const maximumRedirection = maxRedirection ?? DEFAULT_MAX_REDIRECTION;
+	async function load(url, options, redirected = 0, visited = /* @__PURE__ */ new Set()) {
 		options?.signal?.throwIfAborted();
-		if (!skipPreloadedContexts && url in contexts_default) {
-			logger.debug("Using preloaded context: {url}.", { url });
+		const currentUrl = new URL(url).href;
+		if (!skipPreloadedContexts && currentUrl in contexts_default) {
+			logger.debug("Using preloaded context: {url}.", { url: currentUrl });
 			return {
 				contextUrl: null,
-				document: contexts_default[url],
-				documentUrl: url
+				document: contexts_default[currentUrl],
+				documentUrl: currentUrl
 			};
 		}
 		if (!allowPrivateAddress) try {
-			await validatePublicUrl(url);
+			await validatePublicUrl(currentUrl);
 		} catch (error) {
 			if (error instanceof UrlError) logger.error("Disallowed private URL: {url}", {
-				url,
+				url: currentUrl,
 				error
 			});
 			throw error;
 		}
+		visited.add(currentUrl);
 		return await tracer.startActiveSpan("activitypub.fetch_document", {
 			kind: SpanKind.CLIENT,
-			attributes: { "url.full": url }
+			attributes: { "url.full": currentUrl }
 		}, async (span) => {
 			try {
-				const request = createActivityPubRequest(url, { userAgent });
+				const request = createActivityPubRequest(currentUrl, { userAgent });
 				logRequest(logger, request);
 				const response = await fetch(request, {
 					redirect: "manual",
@@ -4523,11 +4527,25 @@ function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAge
 				});
 				span.setAttribute("http.response.status_code", response.status);
 				if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
-					const redirectUrl = response.headers.get("Location");
+					if (redirected >= maximumRedirection) {
+						logger.error("Too many redirections ({redirections}) while fetching document.", {
+							redirections: redirected + 1,
+							url: currentUrl
+						});
+						throw new FetchError(currentUrl, `Too many redirections (${redirected + 1})`);
+					}
+					const redirectUrl = new URL(response.headers.get("Location"), response.url === "" ? currentUrl : response.url).href;
 					span.setAttribute("http.redirect.url", redirectUrl);
-					return await load(redirectUrl, options);
+					if (visited.has(redirectUrl)) {
+						logger.error("Detected a redirect loop while fetching document: {url} -> {redirectUrl}", {
+							url: currentUrl,
+							redirectUrl
+						});
+						throw new FetchError(currentUrl, `Redirect loop detected: ${redirectUrl}`);
+					}
+					return await load(redirectUrl, options, redirected + 1, visited);
 				}
-				const result = await getRemoteDocument(url, response, load);
+				const result = await getRemoteDocument(currentUrl, response, load);
 				span.setAttribute("docloader.document_url", result.documentUrl);
 				if (result.contextUrl != null) span.setAttribute("docloader.context_url", result.contextUrl);
 				return result;

package/dist/tests/{docloader-BVqyre7B.cjs → docloader-txRGFv1x.cjs}

@@ -1,5 +1,5 @@
 const require_chunk = require('./chunk-DWy1uDak.cjs');
-const require_request = require('./request-CvhpFknJ.cjs');
+const require_request = require('./request-73FIhAHw.cjs');
 const require_link = require('./link-DYNFAdNu.cjs');
 const require_url = require('./url-DIjOdK8Q.cjs');
 const __logtape_logtape = require_chunk.__toESM(require("@logtape/logtape"));
@@ -4374,6 +4374,7 @@ const logger = (0, __logtape_logtape.getLogger)([
 	"runtime",
 	"docloader"
 ]);
+const DEFAULT_MAX_REDIRECTION = 20;
 /**
 * Gets a {@link RemoteDocument} from the given response.
 * @param url The URL of the document to load.
@@ -4489,34 +4490,37 @@ async function getRemoteDocument(url, response, fetch$1) {
 * @returns The document loader.
 * @since 1.3.0
 */
-function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAgent } = {}) {
+function getDocumentLoader({ allowPrivateAddress, maxRedirection, skipPreloadedContexts, userAgent } = {}) {
 	const tracerProvider = __opentelemetry_api.trace.getTracerProvider();
 	const tracer = tracerProvider.getTracer(require_request.deno_default.name, require_request.deno_default.version);
-	async function load(url, options) {
+	const maximumRedirection = maxRedirection ?? DEFAULT_MAX_REDIRECTION;
+	async function load(url, options, redirected = 0, visited = /* @__PURE__ */ new Set()) {
 		options?.signal?.throwIfAborted();
-		if (!skipPreloadedContexts && url in contexts_default) {
-			logger.debug("Using preloaded context: {url}.", { url });
+		const currentUrl = new URL(url).href;
+		if (!skipPreloadedContexts && currentUrl in contexts_default) {
+			logger.debug("Using preloaded context: {url}.", { url: currentUrl });
 			return {
 				contextUrl: null,
-				document: contexts_default[url],
-				documentUrl: url
+				document: contexts_default[currentUrl],
+				documentUrl: currentUrl
 			};
 		}
 		if (!allowPrivateAddress) try {
-			await require_url.validatePublicUrl(url);
+			await require_url.validatePublicUrl(currentUrl);
 		} catch (error) {
 			if (error instanceof require_url.UrlError) logger.error("Disallowed private URL: {url}", {
-				url,
+				url: currentUrl,
 				error
 			});
 			throw error;
 		}
+		visited.add(currentUrl);
 		return await tracer.startActiveSpan("activitypub.fetch_document", {
 			kind: __opentelemetry_api.SpanKind.CLIENT,
-			attributes: { "url.full": url }
+			attributes: { "url.full": currentUrl }
 		}, async (span) => {
 			try {
-				const request = require_request.createActivityPubRequest(url, { userAgent });
+				const request = require_request.createActivityPubRequest(currentUrl, { userAgent });
 				require_request.logRequest(logger, request);
 				const response = await fetch(request, {
 					redirect: "manual",
@@ -4524,11 +4528,25 @@ function getDocumentLoader({ allowPrivateAddress, skipPreloadedContexts, userAge
 				});
 				span.setAttribute("http.response.status_code", response.status);
 				if (response.status >= 300 && response.status < 400 && response.headers.has("Location")) {
-					const redirectUrl = response.headers.get("Location");
+					if (redirected >= maximumRedirection) {
+						logger.error("Too many redirections ({redirections}) while fetching document.", {
+							redirections: redirected + 1,
+							url: currentUrl
+						});
+						throw new require_request.FetchError(currentUrl, `Too many redirections (${redirected + 1})`);
+					}
+					const redirectUrl = new URL(response.headers.get("Location"), response.url === "" ? currentUrl : response.url).href;
 					span.setAttribute("http.redirect.url", redirectUrl);
-					return await load(redirectUrl, options);
+					if (visited.has(redirectUrl)) {
+						logger.error("Detected a redirect loop while fetching document: {url} -> {redirectUrl}", {
+							url: currentUrl,
+							redirectUrl
+						});
+						throw new require_request.FetchError(currentUrl, `Redirect loop detected: ${redirectUrl}`);
+					}
+					return await load(redirectUrl, options, redirected + 1, visited);
 				}
-				const result = await getRemoteDocument(url, response, load);
+				const result = await getRemoteDocument(currentUrl, response, load);
 				span.setAttribute("docloader.document_url", result.documentUrl);
 				if (result.contextUrl != null) span.setAttribute("docloader.context_url", result.contextUrl);
 				return result;

package/dist/tests/docloader.test.cjs

@@ -1,6 +1,6 @@
 const require_chunk = require('./chunk-DWy1uDak.cjs');
-const require_docloader = require('./docloader-BVqyre7B.cjs');
-const require_request = require('./request-CvhpFknJ.cjs');
+const require_docloader = require('./docloader-txRGFv1x.cjs');
+const require_request = require('./request-73FIhAHw.cjs');
 require('./link-DYNFAdNu.cjs');
 const require_url = require('./url-DIjOdK8Q.cjs');
 const node_assert = require_chunk.__toESM(require("node:assert"));
@@ -1512,6 +1512,59 @@ var esm_default = FetchMock_default;
 		(0, node_assert.deepStrictEqual)(await fetchDocumentLoader2("https://example.com/localhost-redirect"), expected);
 		(0, node_assert.deepStrictEqual)(await fetchDocumentLoader2("https://example.com/localhost-link"), expected);
 	});
+	let redirectAttempts = 0;
+	esm_default.get("begin:https://example.com/too-many-redirects/", (cl) => {
+		redirectAttempts++;
+		const index = Number(cl.url.split("/").at(-1));
+		return {
+			status: 302,
+			headers: { Location: `https://example.com/too-many-redirects/${index + 1}` }
+		};
+	});
+	await t.test("too many redirects", async () => {
+		redirectAttempts = 0;
+		await (0, node_assert.rejects)(() => fetchDocumentLoader("https://example.com/too-many-redirects/0"), require_request.FetchError, "Too many redirections");
+		(0, node_assert.deepStrictEqual)(redirectAttempts, 21);
+	});
+	await t.test("custom max redirection", async () => {
+		redirectAttempts = 0;
+		const loader = require_docloader.getDocumentLoader({ maxRedirection: 1 });
+		await (0, node_assert.rejects)(() => loader("https://example.com/too-many-redirects/0"), require_request.FetchError, "Too many redirections");
+		(0, node_assert.deepStrictEqual)(redirectAttempts, 2);
+	});
+	let loopAttempts = 0;
+	esm_default.get("https://example.com/redirect-loop-a", () => {
+		loopAttempts++;
+		return {
+			status: 302,
+			headers: { Location: "https://example.com/redirect-loop-b" }
+		};
+	});
+	esm_default.get("https://example.com/redirect-loop-b", () => {
+		loopAttempts++;
+		return {
+			status: 302,
+			headers: { Location: "https://example.com/redirect-loop-a" }
+		};
+	});
+	await t.test("redirect loop", async () => {
+		loopAttempts = 0;
+		await (0, node_assert.rejects)(() => fetchDocumentLoader("https://example.com/redirect-loop-a"), require_request.FetchError, "Redirect loop detected");
+		(0, node_assert.deepStrictEqual)(loopAttempts, 2);
+	});
+	let relativeLoopAttempts = 0;
+	esm_default.get("https://example.com/redirect-loop-relative", () => {
+		relativeLoopAttempts++;
+		return {
+			status: 302,
+			headers: { Location: "/redirect-loop-relative" }
+		};
+	});
+	await t.test("redirect loop with relative location", async () => {
+		relativeLoopAttempts = 0;
+		await (0, node_assert.rejects)(() => fetchDocumentLoader("https://example.com/redirect-loop-relative"), require_request.FetchError, "Redirect loop detected");
+		(0, node_assert.deepStrictEqual)(relativeLoopAttempts, 1);
+	});
 	const maliciousPayload = "<a" + " a=\"b\"".repeat(30) + " ";
 	esm_default.get("https://example.com/redos", {
 		body: maliciousPayload,

package/dist/tests/docloader.test.js

@@ -1,5 +1,5 @@
-import { contexts_default, getDocumentLoader } from "./docloader-Ch--TwSL.js";
-import { FetchError } from "./request-DHlP8Ayx.js";
+import { contexts_default, getDocumentLoader } from "./docloader-DEi540Xh.js";
+import { FetchError } from "./request-BO6hGoBJ.js";
 import "./link-C3q2TC2G.js";
 import { UrlError } from "./url-CWEP9Zs9.js";
 import "node:module";
@@ -1538,6 +1538,59 @@ test("getDocumentLoader()", async (t) => {
 		deepStrictEqual(await fetchDocumentLoader2("https://example.com/localhost-redirect"), expected);
 		deepStrictEqual(await fetchDocumentLoader2("https://example.com/localhost-link"), expected);
 	});
+	let redirectAttempts = 0;
+	esm_default.get("begin:https://example.com/too-many-redirects/", (cl) => {
+		redirectAttempts++;
+		const index = Number(cl.url.split("/").at(-1));
+		return {
+			status: 302,
+			headers: { Location: `https://example.com/too-many-redirects/${index + 1}` }
+		};
+	});
+	await t.test("too many redirects", async () => {
+		redirectAttempts = 0;
+		await rejects(() => fetchDocumentLoader("https://example.com/too-many-redirects/0"), FetchError, "Too many redirections");
+		deepStrictEqual(redirectAttempts, 21);
+	});
+	await t.test("custom max redirection", async () => {
+		redirectAttempts = 0;
+		const loader = getDocumentLoader({ maxRedirection: 1 });
+		await rejects(() => loader("https://example.com/too-many-redirects/0"), FetchError, "Too many redirections");
+		deepStrictEqual(redirectAttempts, 2);
+	});
+	let loopAttempts = 0;
+	esm_default.get("https://example.com/redirect-loop-a", () => {
+		loopAttempts++;
+		return {
+			status: 302,
+			headers: { Location: "https://example.com/redirect-loop-b" }
+		};
+	});
+	esm_default.get("https://example.com/redirect-loop-b", () => {
+		loopAttempts++;
+		return {
+			status: 302,
+			headers: { Location: "https://example.com/redirect-loop-a" }
+		};
+	});
+	await t.test("redirect loop", async () => {
+		loopAttempts = 0;
+		await rejects(() => fetchDocumentLoader("https://example.com/redirect-loop-a"), FetchError, "Redirect loop detected");
+		deepStrictEqual(loopAttempts, 2);
+	});
+	let relativeLoopAttempts = 0;
+	esm_default.get("https://example.com/redirect-loop-relative", () => {
+		relativeLoopAttempts++;
+		return {
+			status: 302,
+			headers: { Location: "/redirect-loop-relative" }
+		};
+	});
+	await t.test("redirect loop with relative location", async () => {
+		relativeLoopAttempts = 0;
+		await rejects(() => fetchDocumentLoader("https://example.com/redirect-loop-relative"), FetchError, "Redirect loop detected");
+		deepStrictEqual(relativeLoopAttempts, 1);
+	});
 	const maliciousPayload = "<a" + " a=\"b\"".repeat(30) + " ";
 	esm_default.get("https://example.com/redos", {
 		body: maliciousPayload,

package/dist/tests/{request-CvhpFknJ.cjs → request-73FIhAHw.cjs}

@@ -3,7 +3,7 @@ const node_process = require_chunk.__toESM(require("node:process"));
 
 //#region deno.json
 var name = "@fedify/vocab-runtime";
-var version = "2.2.0-dev.606+3a976326";
+var version = "2.2.0-dev.613+cf8cd122";
 var license = "MIT";
 var exports$1 = {
 	".": "./src/mod.ts",

package/dist/tests/{request-DHlP8Ayx.js → request-BO6hGoBJ.js}

@@ -2,7 +2,7 @@ import process from "node:process";
 
 //#region deno.json
 var name = "@fedify/vocab-runtime";
-var version = "2.2.0-dev.606+3a976326";
+var version = "2.2.0-dev.613+cf8cd122";
 var license = "MIT";
 var exports = {
 	".": "./src/mod.ts",

package/dist/tests/request.test.cjs

@@ -1,5 +1,5 @@
 const require_chunk = require('./chunk-DWy1uDak.cjs');
-const require_request = require('./request-CvhpFknJ.cjs');
+const require_request = require('./request-73FIhAHw.cjs');
 const node_assert = require_chunk.__toESM(require("node:assert"));
 const node_test = require_chunk.__toESM(require("node:test"));
 const node_process = require_chunk.__toESM(require("node:process"));

package/dist/tests/request.test.js

@@ -1,4 +1,4 @@
-import { deno_default, getUserAgent } from "./request-DHlP8Ayx.js";
+import { deno_default, getUserAgent } from "./request-BO6hGoBJ.js";
 import { deepStrictEqual } from "node:assert";
 import { test } from "node:test";
 import process from "node:process";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/vocab-runtime",
-  "version": "2.2.0-dev.606+3a976326",
+  "version": "2.2.0-dev.613+cf8cd122",
   "homepage": "https://fedify.dev/",
   "repository": {
     "type": "git",

package/src/docloader.test.ts

@@ -369,6 +369,84 @@ test("getDocumentLoader()", async (t) => {
     );
   });
 
+  let redirectAttempts = 0;
+  fetchMock.get("begin:https://example.com/too-many-redirects/", (cl) => {
+    redirectAttempts++;
+    const index = Number(cl.url.split("/").at(-1));
+    return {
+      status: 302,
+      headers: {
+        Location: `https://example.com/too-many-redirects/${index + 1}`,
+      },
+    };
+  });
+
+  await t.test("too many redirects", async () => {
+    redirectAttempts = 0;
+    await rejects(
+      () => fetchDocumentLoader("https://example.com/too-many-redirects/0"),
+      FetchError,
+      "Too many redirections",
+    );
+    deepStrictEqual(redirectAttempts, 21);
+  });
+
+  await t.test("custom max redirection", async () => {
+    redirectAttempts = 0;
+    const loader = getDocumentLoader({ maxRedirection: 1 });
+    await rejects(
+      () => loader("https://example.com/too-many-redirects/0"),
+      FetchError,
+      "Too many redirections",
+    );
+    deepStrictEqual(redirectAttempts, 2);
+  });
+
+  let loopAttempts = 0;
+  fetchMock.get("https://example.com/redirect-loop-a", () => {
+    loopAttempts++;
+    return {
+      status: 302,
+      headers: { Location: "https://example.com/redirect-loop-b" },
+    };
+  });
+  fetchMock.get("https://example.com/redirect-loop-b", () => {
+    loopAttempts++;
+    return {
+      status: 302,
+      headers: { Location: "https://example.com/redirect-loop-a" },
+    };
+  });
+
+  await t.test("redirect loop", async () => {
+    loopAttempts = 0;
+    await rejects(
+      () => fetchDocumentLoader("https://example.com/redirect-loop-a"),
+      FetchError,
+      "Redirect loop detected",
+    );
+    deepStrictEqual(loopAttempts, 2);
+  });
+
+  let relativeLoopAttempts = 0;
+  fetchMock.get("https://example.com/redirect-loop-relative", () => {
+    relativeLoopAttempts++;
+    return {
+      status: 302,
+      headers: { Location: "/redirect-loop-relative" },
+    };
+  });
+
+  await t.test("redirect loop with relative location", async () => {
+    relativeLoopAttempts = 0;
+    await rejects(
+      () => fetchDocumentLoader("https://example.com/redirect-loop-relative"),
+      FetchError,
+      "Redirect loop detected",
+    );
+    deepStrictEqual(relativeLoopAttempts, 1);
+  });
+
   // Regression test for ReDoS vulnerability (CVE-2025-68475)
   // Malicious HTML payload: <a a="b" a="b" ... (unclosed tag)
   // With the vulnerable regex, this causes catastrophic backtracking

package/src/docloader.ts

@@ -12,6 +12,7 @@ import {
 import { UrlError, validatePublicUrl } from "./url.ts";
 
 const logger = getLogger(["fedify", "runtime", "docloader"]);
+const DEFAULT_MAX_REDIRECTION = 20;
 
 /**
  * A remote JSON-LD document and its context fetched by
@@ -87,6 +88,13 @@ export interface DocumentLoaderFactoryOptions {
    * If an object is given, it is passed to {@link getUserAgent} function.
    */
   userAgent?: GetUserAgentOptions | string;
+
+  /**
+   * The maximum number of redirections to follow.
+   * @default `20`
+   * @since 2.2.0
+   */
+  maxRedirection?: number;
 }
 
 /**
@@ -284,47 +292,55 @@ export interface GetDocumentLoaderOptions extends DocumentLoaderFactoryOptions {
  * @since 1.3.0
  */
 export function getDocumentLoader(
-  { allowPrivateAddress, skipPreloadedContexts, userAgent }:
+  { allowPrivateAddress, maxRedirection, skipPreloadedContexts, userAgent }:
     GetDocumentLoaderOptions = {},
 ): DocumentLoader {
   const tracerProvider = trace.getTracerProvider();
   const tracer = tracerProvider.getTracer(metadata.name, metadata.version);
+  const maximumRedirection = maxRedirection ?? DEFAULT_MAX_REDIRECTION;
 
   async function load(
     url: string,
     options?: DocumentLoaderOptions,
+    redirected = 0,
+    visited = new Set<string>(),
   ): Promise<RemoteDocument> {
     options?.signal?.throwIfAborted();
-    if (!skipPreloadedContexts && url in preloadedContexts) {
-      logger.debug("Using preloaded context: {url}.", { url });
+    const currentUrl = new URL(url).href;
+    if (!skipPreloadedContexts && currentUrl in preloadedContexts) {
+      logger.debug("Using preloaded context: {url}.", { url: currentUrl });
       return {
         contextUrl: null,
-        document: preloadedContexts[url],
-        documentUrl: url,
+        document: preloadedContexts[currentUrl],
+        documentUrl: currentUrl,
       };
     }
     if (!allowPrivateAddress) {
       try {
-        await validatePublicUrl(url);
+        await validatePublicUrl(currentUrl);
       } catch (error) {
         if (error instanceof UrlError) {
-          logger.error("Disallowed private URL: {url}", { url, error });
+          logger.error("Disallowed private URL: {url}", {
+            url: currentUrl,
+            error,
+          });
         }
         throw error;
       }
     }
+    visited.add(currentUrl);
 
     return await tracer.startActiveSpan(
       "activitypub.fetch_document",
       {
         kind: SpanKind.CLIENT,
         attributes: {
-          "url.full": url,
+          "url.full": currentUrl,
         },
       },
       async (span) => {
         try {
-          const request = createActivityPubRequest(url, { userAgent });
+          const request = createActivityPubRequest(currentUrl, { userAgent });
           logRequest(logger, request);
           const response = await fetch(request, {
             // Since Bun has a bug that ignores the `Request.redirect` option,
@@ -340,12 +356,36 @@ export function getDocumentLoader(
             response.status >= 300 && response.status < 400 &&
             response.headers.has("Location")
           ) {
-            const redirectUrl = response.headers.get("Location")!;
+            if (redirected >= maximumRedirection) {
+              logger.error(
+                "Too many redirections ({redirections}) while fetching document.",
+                { redirections: redirected + 1, url: currentUrl },
+              );
+              throw new FetchError(
+                currentUrl,
+                `Too many redirections (${redirected + 1})`,
+              );
+            }
+            const redirectUrl = new URL(
+              response.headers.get("Location")!,
+              response.url === "" ? currentUrl : response.url,
+            ).href;
             span.setAttribute("http.redirect.url", redirectUrl);
-            return await load(redirectUrl, options);
+            if (visited.has(redirectUrl)) {
+              logger.error(
+                "Detected a redirect loop while fetching document: {url} -> " +
+                  "{redirectUrl}",
+                { url: currentUrl, redirectUrl },
+              );
+              throw new FetchError(
+                currentUrl,
+                `Redirect loop detected: ${redirectUrl}`,
+              );
+            }
+            return await load(redirectUrl, options, redirected + 1, visited);
           }
 
-          const result = await getRemoteDocument(url, response, load);
+          const result = await getRemoteDocument(currentUrl, response, load);
           span.setAttribute("docloader.document_url", result.documentUrl);
           if (result.contextUrl != null) {
             span.setAttribute("docloader.context_url", result.contextUrl);