@fedify/vocab-runtime 2.4.0-dev.1508 → 2.4.0-dev.1531

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (40) hide show
  1. package/deno.json +2 -1
  2. package/dist/docloader-DnUMWHaJ.d.cts +202 -0
  3. package/dist/docloader-xRGn1azD.d.ts +202 -0
  4. package/dist/internal/jsonld-cache.cjs +279 -0
  5. package/dist/internal/jsonld-cache.d.cts +48 -0
  6. package/dist/internal/jsonld-cache.d.ts +48 -0
  7. package/dist/internal/jsonld-cache.js +275 -0
  8. package/dist/mod.cjs +85 -190
  9. package/dist/mod.d.cts +18 -200
  10. package/dist/mod.d.ts +18 -200
  11. package/dist/mod.js +75 -184
  12. package/dist/tests/decimal.test.cjs +2 -2
  13. package/dist/tests/decimal.test.mjs +2 -2
  14. package/dist/tests/{docloader-0m6FCm4u.mjs → docloader-Bfj7NaT_.mjs} +75 -10
  15. package/dist/tests/{docloader-60uMNsd3.cjs → docloader-Cvdl8PIZ.cjs} +80 -9
  16. package/dist/tests/docloader.test.cjs +58 -6
  17. package/dist/tests/docloader.test.mjs +58 -6
  18. package/dist/tests/jsonld-cache.test.cjs +652 -0
  19. package/dist/tests/jsonld-cache.test.d.cts +1 -0
  20. package/dist/tests/jsonld-cache.test.d.mts +1 -0
  21. package/dist/tests/jsonld-cache.test.mjs +651 -0
  22. package/dist/tests/{request-CO5esooK.mjs → request-B5Su2gl0.mjs} +1 -1
  23. package/dist/tests/{request-CcBmdgDa.cjs → request-DJvOZdo7.cjs} +1 -1
  24. package/dist/tests/request.test.cjs +1 -1
  25. package/dist/tests/request.test.mjs +1 -1
  26. package/dist/tests/{url-C20FhC7p.cjs → url-2XwVbUS_.cjs} +108 -0
  27. package/dist/tests/{url-m9Qzxy-Y.mjs → url-YWJbnRlf.mjs} +85 -1
  28. package/dist/tests/url.test.cjs +104 -1
  29. package/dist/tests/url.test.mjs +105 -2
  30. package/dist/url-BAdyyqAa.cjs +315 -0
  31. package/dist/url-BuxPHxK2.js +261 -0
  32. package/package.json +11 -1
  33. package/src/docloader.test.ts +102 -6
  34. package/src/docloader.ts +76 -8
  35. package/src/internal/jsonld-cache.ts +538 -0
  36. package/src/jsonld-cache.test.ts +554 -0
  37. package/src/mod.ts +4 -0
  38. package/src/url.test.ts +252 -1
  39. package/src/url.ts +141 -0
  40. package/tsdown.config.ts +6 -1
@@ -2,7 +2,7 @@ import fetchMock from "fetch-mock";
2
2
  import { deepStrictEqual, ok, rejects } from "node:assert";
3
3
  import { test } from "node:test";
4
4
  import preloadedContexts from "./contexts.ts";
5
- import { getDocumentLoader } from "./docloader.ts";
5
+ import { getDocumentLoader, getRemoteDocument } from "./docloader.ts";
6
6
  import { FetchError } from "./request.ts";
7
7
  import { UrlError } from "./url.ts";
8
8
 
@@ -90,7 +90,7 @@ test("getDocumentLoader()", async (t) => {
90
90
  type: "Object",
91
91
  },
92
92
  headers: {
93
- "Content-Type": "text/html; charset=utf-8",
93
+ "Content-Type": "application/activity+json",
94
94
  Link: '<https://example.com/object>; rel="alternate"; ' +
95
95
  'type="application/ld+json; profile="https://www.w3.org/ns/activitystreams""',
96
96
  },
@@ -247,6 +247,44 @@ test("getDocumentLoader()", async (t) => {
247
247
  });
248
248
  });
249
249
 
250
+ fetchMock.get("https://example.com/html-no-alternate", {
251
+ body: `<!DOCTYPE html>
252
+ <html>
253
+ <head>
254
+ <title>Not an ActivityPub document</title>
255
+ </head>
256
+ <body>Not found</body>
257
+ </html>`,
258
+ headers: { "Content-Type": "text/html; charset=utf-8" },
259
+ });
260
+
261
+ await t.test("HTML without ActivityPub alternate link", async () => {
262
+ await rejects(
263
+ () => fetchDocumentLoader("https://example.com/html-no-alternate"),
264
+ (error) => {
265
+ ok(error instanceof FetchError);
266
+ ok(
267
+ error.message.includes(
268
+ "HTML document has no ActivityPub alternate link",
269
+ ),
270
+ );
271
+ ok(
272
+ error.message.includes("Content-Type: text/html; charset=utf-8"),
273
+ );
274
+ deepStrictEqual(
275
+ error.url,
276
+ new URL("https://example.com/html-no-alternate"),
277
+ );
278
+ ok(error.response != null);
279
+ deepStrictEqual(
280
+ error.response.headers.get("Content-Type"),
281
+ "text/html; charset=utf-8",
282
+ );
283
+ return true;
284
+ },
285
+ );
286
+ });
287
+
250
288
  fetchMock.get("https://example.com/wrong-content-type", {
251
289
  body: {
252
290
  "@context": "https://www.w3.org/ns/activitystreams",
@@ -257,7 +295,7 @@ test("getDocumentLoader()", async (t) => {
257
295
  headers: { "Content-Type": "text/html; charset=utf-8" },
258
296
  });
259
297
 
260
- await t.test("Wrong Content-Type", async () => {
298
+ await t.test("wrong Content-Type with JSON body", async () => {
261
299
  deepStrictEqual(
262
300
  await fetchDocumentLoader("https://example.com/wrong-content-type"),
263
301
  {
@@ -273,6 +311,64 @@ test("getDocumentLoader()", async (t) => {
273
311
  );
274
312
  });
275
313
 
314
+ fetchMock.get("https://example.com/large-html", {
315
+ body: "<!DOCTYPE html>",
316
+ headers: {
317
+ "Content-Length": String(1024 * 1024 + 1),
318
+ "Content-Type": "text/html; charset=utf-8",
319
+ },
320
+ });
321
+
322
+ await t.test("HTML Content-Length over limit", async () => {
323
+ await rejects(
324
+ () => fetchDocumentLoader("https://example.com/large-html"),
325
+ (error) => {
326
+ ok(error instanceof FetchError);
327
+ ok(
328
+ error.message.includes(
329
+ "HTML document is too large to scan for an ActivityPub alternate link",
330
+ ),
331
+ );
332
+ ok(error.response != null);
333
+ deepStrictEqual(error.response.status, 200);
334
+ deepStrictEqual(
335
+ error.response.headers.get("Content-Type"),
336
+ "text/html; charset=utf-8",
337
+ );
338
+ return true;
339
+ },
340
+ );
341
+ });
342
+
343
+ await t.test("HTML Content-Length over limit cancels body", async () => {
344
+ let canceled = false;
345
+ const response = new Response("<!DOCTYPE html>", {
346
+ headers: {
347
+ "Content-Length": String(1024 * 1024 + 1),
348
+ "Content-Type": "text/html; charset=utf-8",
349
+ },
350
+ });
351
+ Object.defineProperty(response, "body", {
352
+ value: {
353
+ cancel: () => {
354
+ canceled = true;
355
+ },
356
+ },
357
+ });
358
+ await rejects(
359
+ () =>
360
+ getRemoteDocument(
361
+ "https://example.com/large-html-cancel",
362
+ response,
363
+ () => {
364
+ throw new Error("unexpected alternate fetch");
365
+ },
366
+ ),
367
+ FetchError,
368
+ );
369
+ deepStrictEqual(canceled, true);
370
+ });
371
+
276
372
  fetchMock.get("https://example.com/404", { status: 404 });
277
373
 
278
374
  await t.test("not ok", async () => {
@@ -459,11 +555,11 @@ test("getDocumentLoader()", async (t) => {
459
555
 
460
556
  await t.test("ReDoS resistance (CVE-2025-68475)", async () => {
461
557
  const start = performance.now();
462
- // The malicious HTML will fail JSON parsing, but the important thing is
463
- // that it should complete quickly (not hang due to ReDoS)
558
+ // The malicious HTML will fail alternate discovery, but the important
559
+ // thing is that it should complete quickly (not hang due to ReDoS).
464
560
  await rejects(
465
561
  () => fetchDocumentLoader("https://example.com/redos"),
466
- SyntaxError,
562
+ FetchError,
467
563
  );
468
564
  const elapsed = performance.now() - start;
469
565
 
package/src/docloader.ts CHANGED
@@ -13,6 +13,7 @@ import { UrlError, validatePublicUrl } from "./url.ts";
13
13
 
14
14
  const logger = getLogger(["fedify", "runtime", "docloader"]);
15
15
  const DEFAULT_MAX_REDIRECTION = 20;
16
+ const MAX_HTML_SIZE = 1024 * 1024; // 1MB
16
17
 
17
18
  /**
18
19
  * A remote JSON-LD document and its context fetched by
@@ -112,6 +113,59 @@ export type AuthenticatedDocumentLoaderFactory = (
112
113
  options?: DocumentLoaderFactoryOptions,
113
114
  ) => DocumentLoader;
114
115
 
116
+ function createResponseMetadata(response: Response): Response {
117
+ return new Response(null, {
118
+ headers: response.headers,
119
+ status: response.status,
120
+ statusText: response.statusText,
121
+ });
122
+ }
123
+
124
+ async function cancelResponseBody(response: Response): Promise<void> {
125
+ if (response.body != null) {
126
+ await response.body.cancel();
127
+ }
128
+ }
129
+
130
+ async function readBoundedText(
131
+ response: Response,
132
+ maxBytes: number,
133
+ ): Promise<{ text: string; size: number; tooLarge: boolean }> {
134
+ const contentLength = response.headers.get("Content-Length");
135
+ if (contentLength != null) {
136
+ const size = Number(contentLength);
137
+ if (size > maxBytes) {
138
+ await cancelResponseBody(response);
139
+ return { text: "", size, tooLarge: true };
140
+ }
141
+ }
142
+
143
+ if (response.body == null) return { text: "", size: 0, tooLarge: false };
144
+
145
+ const reader = response.body.getReader();
146
+ const decoder = new TextDecoder();
147
+ let text = "";
148
+ let size = 0;
149
+ try {
150
+ while (true) {
151
+ const result = await reader.read();
152
+ if (result.done) break;
153
+ const chunkSize = result.value.byteLength;
154
+ if (size + chunkSize > maxBytes) {
155
+ size += chunkSize;
156
+ await reader.cancel();
157
+ return { text: "", size, tooLarge: true };
158
+ }
159
+ size += chunkSize;
160
+ text += decoder.decode(result.value, { stream: true });
161
+ }
162
+ text += decoder.decode();
163
+ return { text, size, tooLarge: false };
164
+ } finally {
165
+ reader.releaseLock();
166
+ }
167
+ }
168
+
115
169
  /**
116
170
  * Gets a {@link RemoteDocument} from the given response.
117
171
  * @param url The URL of the document to load.
@@ -200,15 +254,19 @@ export async function getRemoteDocument(
200
254
  contentType === "application/xhtml+xml" ||
201
255
  contentType?.startsWith("application/xhtml+xml;"))
202
256
  ) {
203
- // Security: Limit HTML response size to mitigate ReDoS attacks
204
- const MAX_HTML_SIZE = 1024 * 1024; // 1MB
205
- const html = await response.text();
206
- if (html.length > MAX_HTML_SIZE) {
257
+ const errorResponse = createResponseMetadata(response);
258
+ const html = await readBoundedText(response, MAX_HTML_SIZE);
259
+ if (html.tooLarge) {
207
260
  logger.warn(
208
261
  "HTML response too large, skipping alternate link discovery: {url}",
209
- { url: documentUrl, size: html.length },
262
+ { url: documentUrl, size: html.size },
263
+ );
264
+ throw new FetchError(
265
+ documentUrl,
266
+ `HTML document is too large to scan for an ActivityPub alternate link ` +
267
+ `(Content-Type: ${contentType})`,
268
+ errorResponse,
210
269
  );
211
- document = JSON.parse(html);
212
270
  } else {
213
271
  // Safe regex patterns without nested quantifiers to prevent ReDoS
214
272
  // (CVE-2025-68475)
@@ -219,7 +277,7 @@ export async function getRemoteDocument(
219
277
  /([a-z][a-z:_-]*)=(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
220
278
 
221
279
  let tagMatch: RegExpExecArray | null;
222
- while ((tagMatch = tagPattern.exec(html)) !== null) {
280
+ while ((tagMatch = tagPattern.exec(html.text)) !== null) {
223
281
  const tagContent = tagMatch[2];
224
282
  let attrMatch: RegExpExecArray | null;
225
283
  const attribs: Record<string, string> = {};
@@ -247,7 +305,17 @@ export async function getRemoteDocument(
247
305
  return await fetch(new URL(attribs.href, docUrl).href);
248
306
  }
249
307
  }
250
- document = JSON.parse(html);
308
+ try {
309
+ document = JSON.parse(html.text);
310
+ } catch (error) {
311
+ if (!(error instanceof SyntaxError)) throw error;
312
+ throw new FetchError(
313
+ documentUrl,
314
+ `HTML document has no ActivityPub alternate link ` +
315
+ `(Content-Type: ${contentType})`,
316
+ errorResponse,
317
+ );
318
+ }
251
319
  }
252
320
  } else {
253
321
  document = await response.json();