@fedify/vocab-runtime 2.4.0-dev.1570 → 2.4.0-dev.1571

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (48) hide show
  1. package/deno.json +2 -1
  2. package/dist/docloader-DnUMWHaJ.d.cts +202 -0
  3. package/dist/docloader-xRGn1azD.d.ts +202 -0
  4. package/dist/internal/jsonld-cache.cjs +279 -0
  5. package/dist/internal/jsonld-cache.d.cts +48 -0
  6. package/dist/internal/jsonld-cache.d.ts +48 -0
  7. package/dist/internal/jsonld-cache.js +275 -0
  8. package/dist/mod.cjs +178 -190
  9. package/dist/mod.d.cts +59 -190
  10. package/dist/mod.d.ts +59 -190
  11. package/dist/mod.js +165 -184
  12. package/dist/tests/decimal.test.cjs +3 -3
  13. package/dist/tests/decimal.test.mjs +3 -3
  14. package/dist/tests/{docloader-C76ldE5C.mjs → docloader-DHSAmRW2.mjs} +97 -10
  15. package/dist/tests/{docloader-mvgIWKI7.cjs → docloader-DkiPIIAk.cjs} +102 -9
  16. package/dist/tests/docloader.test.cjs +58 -6
  17. package/dist/tests/docloader.test.mjs +58 -6
  18. package/dist/tests/jsonld-cache.test.cjs +652 -0
  19. package/dist/tests/jsonld-cache.test.d.cts +1 -0
  20. package/dist/tests/jsonld-cache.test.d.mts +1 -0
  21. package/dist/tests/jsonld-cache.test.mjs +651 -0
  22. package/dist/tests/{key-CrrK9mYh.mjs → key-CDGDH_vC.mjs} +69 -1
  23. package/dist/tests/{key-pMmqUKuo.cjs → key-_wXwomh_.cjs} +86 -0
  24. package/dist/tests/key.test.cjs +48 -1
  25. package/dist/tests/key.test.mjs +48 -1
  26. package/dist/tests/{request-BEXkv1ul.mjs → request-CYFeP37O.mjs} +1 -1
  27. package/dist/tests/{request-SworbvLc.cjs → request-D3H8nWtX.cjs} +1 -1
  28. package/dist/tests/request.test.cjs +1 -1
  29. package/dist/tests/request.test.mjs +1 -1
  30. package/dist/tests/{url-C20FhC7p.cjs → url-2XwVbUS_.cjs} +108 -0
  31. package/dist/tests/{url-m9Qzxy-Y.mjs → url-YWJbnRlf.mjs} +85 -1
  32. package/dist/tests/url.test.cjs +104 -1
  33. package/dist/tests/url.test.mjs +105 -2
  34. package/dist/url-BAdyyqAa.cjs +315 -0
  35. package/dist/url-BuxPHxK2.js +261 -0
  36. package/package.json +11 -1
  37. package/src/contexts/fep-7aa9.json +24 -0
  38. package/src/contexts.ts +2 -0
  39. package/src/docloader.test.ts +102 -6
  40. package/src/docloader.ts +76 -8
  41. package/src/internal/jsonld-cache.ts +538 -0
  42. package/src/jsonld-cache.test.ts +554 -0
  43. package/src/key.test.ts +86 -0
  44. package/src/key.ts +125 -0
  45. package/src/mod.ts +8 -0
  46. package/src/url.test.ts +252 -1
  47. package/src/url.ts +141 -0
  48. package/tsdown.config.ts +6 -1
@@ -0,0 +1,261 @@
1
+
2
+ import { lookup } from "node:dns/promises";
3
+ import { isIP } from "node:net";
4
+ //#region src/url.ts
5
+ var UrlError = class extends Error {
6
+ constructor(message) {
7
+ super(message);
8
+ this.name = "UrlError";
9
+ }
10
+ };
11
+ const PORTABLE_IRI_PATTERN = /^(ap|ap\+ef61):\/\/([^/?#]*)([^?#]*)(\?[^#]*)?(#.*)?$/i;
12
+ const INVALID_PERCENT_ENCODING_PATTERN = /%(?![0-9A-Fa-f]{2})/;
13
+ const DID_SCHEME_PATTERN = /^did:/i;
14
+ const DID_PATTERN = /^did:[a-z0-9]+:[-A-Za-z0-9._%]+(?::[-A-Za-z0-9._%]+)*$/i;
15
+ /**
16
+ * Parses a JSON-LD `@id` value as an IRI.
17
+ */
18
+ function parseJsonLdId(id, base) {
19
+ if (id == null || id.startsWith("_:")) return void 0;
20
+ try {
21
+ return parseIri(id, base);
22
+ } catch {
23
+ throw new TypeError("Invalid @id: " + id);
24
+ }
25
+ }
26
+ /**
27
+ * Parses an IRI as a URL, including FEP-ef61 portable ActivityPub IRIs.
28
+ */
29
+ function parseIri(iri, base) {
30
+ if (iri instanceof URL) return normalizePortableUrl(iri) ?? new URL(iri.href);
31
+ const portable = parsePortableIri(iri);
32
+ if (portable != null) return portable;
33
+ base = normalizeBaseIri(base);
34
+ if (!URL.canParse(iri, base) && iri.startsWith("at://")) return parseAtUri(iri);
35
+ const parsed = new URL(iri, base);
36
+ return normalizePortableUrl(parsed) ?? parsed;
37
+ }
38
+ /**
39
+ * Formats a URL as an IRI, including FEP-ef61 portable ActivityPub IRIs.
40
+ */
41
+ function formatIri(iri) {
42
+ const parsed = parsePortableIri(iri instanceof URL ? iri.href : iri);
43
+ if (parsed == null) return iri instanceof URL ? iri.href : URL.canParse(iri) ? new URL(iri).href : iri;
44
+ return `ap+ef61://${decodePortableAuthority(parsed.host)}${parsed.pathname}${parsed.search}${parsed.hash}`;
45
+ }
46
+ /**
47
+ * Checks whether two IRIs have the same origin.
48
+ */
49
+ function haveSameIriOrigin(left, right) {
50
+ return getComparableIriOrigin(left) === getComparableIriOrigin(right);
51
+ }
52
+ function getComparableIriOrigin(iri) {
53
+ iri = normalizePortableUrl(iri) ?? iri;
54
+ if (iri.origin !== "null") return iri.origin;
55
+ if (iri.host !== "") {
56
+ const host = iri.protocol === "ap+ef61:" ? encodeURIComponent(decodePortableAuthority(iri.host).replace(DID_SCHEME_PATTERN, "did:")) : iri.host;
57
+ return `${iri.protocol}//${host}`;
58
+ }
59
+ return iri.href;
60
+ }
61
+ function parsePortableIri(iri) {
62
+ const match = iri.match(PORTABLE_IRI_PATTERN);
63
+ if (match == null) return null;
64
+ const authority = decodePortableAuthority(match[2]);
65
+ if (!DID_PATTERN.test(authority)) throw new TypeError("Invalid portable ActivityPub IRI authority.");
66
+ if (match[3] === "") throw new TypeError("Invalid portable ActivityPub IRI path.");
67
+ return new URL(`ap+ef61://${encodeURIComponent(authority)}${match[3]}${match[4] ?? ""}${match[5] ?? ""}`);
68
+ }
69
+ function normalizePortableUrl(iri) {
70
+ if (iri.protocol !== "ap:" && iri.protocol !== "ap+ef61:") return null;
71
+ return parsePortableIri(`ap+ef61://${iri.host}${iri.pathname}${iri.search}${iri.hash}`);
72
+ }
73
+ function normalizeBaseIri(base) {
74
+ if (base == null) return void 0;
75
+ if (base instanceof URL) return normalizePortableUrl(base) ?? base;
76
+ return parsePortableIri(base) ?? (base.startsWith("at://") && !URL.canParse(".", base) ? parseAtUri(base) : base);
77
+ }
78
+ function decodePortableAuthority(authority) {
79
+ if (INVALID_PERCENT_ENCODING_PATTERN.test(authority)) throw new TypeError("Invalid portable ActivityPub IRI authority.");
80
+ if (DID_SCHEME_PATTERN.test(authority)) {
81
+ const decoded = authority.replace(/%25/gi, "%");
82
+ if (INVALID_PERCENT_ENCODING_PATTERN.test(decoded)) throw new TypeError("Invalid portable ActivityPub IRI authority.");
83
+ return decoded;
84
+ }
85
+ const decoded = authority.replace(/%(25|3A)/gi, (match) => match.toLowerCase() === "%3a" ? ":" : "%");
86
+ if (INVALID_PERCENT_ENCODING_PATTERN.test(decoded)) throw new TypeError("Invalid portable ActivityPub IRI authority.");
87
+ return decoded;
88
+ }
89
+ function parseAtUri(uri) {
90
+ const index = uri.indexOf("/", 5);
91
+ const authority = index >= 0 ? uri.slice(5, index) : uri.slice(5);
92
+ const path = index >= 0 ? uri.slice(index) : "";
93
+ return new URL("at://" + encodeURIComponent(authority) + path);
94
+ }
95
+ /**
96
+ * Validates a URL to prevent SSRF attacks.
97
+ */
98
+ async function validatePublicUrl(url) {
99
+ const parsed = new URL(url);
100
+ if (parsed.protocol !== "http:" && parsed.protocol !== "https:") throw new UrlError(`Unsupported protocol: ${parsed.protocol}`);
101
+ let hostname = parsed.hostname;
102
+ if (hostname.startsWith("[") && hostname.endsWith("]")) hostname = hostname.slice(1, -1);
103
+ if (hostname === "localhost") throw new UrlError("Localhost is not allowed");
104
+ const hostnameFamily = isIP(hostname);
105
+ if (hostnameFamily !== 0) {
106
+ validatePublicIpAddress(hostname, hostnameFamily);
107
+ return;
108
+ }
109
+ if ("Deno" in globalThis && !isIP(hostname)) {
110
+ if ((await Deno.permissions.query({ name: "net" })).state !== "granted") return;
111
+ }
112
+ if ("Bun" in globalThis) {
113
+ if (hostname === "example.com" || hostname.endsWith(".example.com")) return;
114
+ else if (hostname === "fedify-test.internal") throw new UrlError("Invalid or private address: fedify-test.internal");
115
+ }
116
+ let addresses;
117
+ try {
118
+ addresses = await lookup(hostname, { all: true });
119
+ } catch {
120
+ addresses = [];
121
+ }
122
+ for (const { address, family } of addresses) validatePublicIpAddress(address, family);
123
+ }
124
+ function validatePublicIpAddress(address, family) {
125
+ if (family === 4 && isValidPublicIPv4Address(address) || family === 6 && isValidPublicIPv6Address(address)) return;
126
+ throw new UrlError(`Invalid or private address: ${address}`);
127
+ }
128
+ function isValidPublicIPv4Address(address) {
129
+ const parts = parseIPv4Address(address);
130
+ if (parts == null) return false;
131
+ const value = ipv4PartsToNumber(parts);
132
+ return !nonPublicIPv4Prefixes.some(({ base, prefix }) => matchesIPv4Prefix(value, base, prefix));
133
+ }
134
+ function isValidPublicIPv6Address(address) {
135
+ const words = parseIPv6Address(address);
136
+ if (words == null) return false;
137
+ if (nonPublicIPv6Prefixes.some(({ words: prefixWords, prefix }) => matchesIPv6Prefix(words, prefixWords, prefix))) return false;
138
+ for (const { extractIPv4, prefix, words: prefixWords } of ipv6WithIPv4Prefixes) {
139
+ if (!matchesIPv6Prefix(words, prefixWords, prefix)) continue;
140
+ const ipv4Address = extractIPv4(words);
141
+ if (ipv4Address != null && !isValidPublicIPv4Address(ipv4Address)) return false;
142
+ }
143
+ return true;
144
+ }
145
+ function expandIPv6Address(address) {
146
+ address = address.toLowerCase();
147
+ const ipv4Delimiter = address.lastIndexOf(":");
148
+ if (address.includes(".") && ipv4Delimiter >= 0) {
149
+ const ipv4Parts = parseIPv4Address(address.substring(ipv4Delimiter + 1));
150
+ if (ipv4Parts == null) return address;
151
+ const high = (ipv4Parts[0] << 8) + ipv4Parts[1];
152
+ const low = (ipv4Parts[2] << 8) + ipv4Parts[3];
153
+ address = address.substring(0, ipv4Delimiter + 1) + high.toString(16) + ":" + low.toString(16);
154
+ }
155
+ if (address === "::") return "0000:0000:0000:0000:0000:0000:0000:0000";
156
+ if (address.startsWith("::")) address = "0000" + address;
157
+ if (address.endsWith("::")) address = address + "0000";
158
+ address = address.replace("::", ":0000".repeat(8 - (address.match(/:/g) || []).length) + ":");
159
+ return address.split(":").map((part) => part.padStart(4, "0")).join(":");
160
+ }
161
+ const nonPublicIPv4Prefixes = [
162
+ ipv4Prefix("0.0.0.0/8", "RFC 6890"),
163
+ ipv4Prefix("10.0.0.0/8", "RFC 1918"),
164
+ ipv4Prefix("100.64.0.0/10", "RFC 6598"),
165
+ ipv4Prefix("127.0.0.0/8", "RFC 1122"),
166
+ ipv4Prefix("169.254.0.0/16", "RFC 3927"),
167
+ ipv4Prefix("172.16.0.0/12", "RFC 1918"),
168
+ ipv4Prefix("192.0.0.0/24", "RFC 6890"),
169
+ ipv4Prefix("192.0.2.0/24", "RFC 5737"),
170
+ ipv4Prefix("192.88.99.0/24", "RFC 7526"),
171
+ ipv4Prefix("192.168.0.0/16", "RFC 1918"),
172
+ ipv4Prefix("198.18.0.0/15", "RFC 2544"),
173
+ ipv4Prefix("198.51.100.0/24", "RFC 5737"),
174
+ ipv4Prefix("203.0.113.0/24", "RFC 5737"),
175
+ ipv4Prefix("224.0.0.0/4", "RFC 5771"),
176
+ ipv4Prefix("240.0.0.0/4", "RFC 1112")
177
+ ];
178
+ const nonPublicIPv6Prefixes = [
179
+ ipv6Prefix("::/16", "RFC 4291"),
180
+ ipv6Prefix("2001::/32", "RFC 4380"),
181
+ ipv6Prefix("2002::/16", "RFC 3056"),
182
+ ipv6Prefix("64:ff9b:1::/48", "RFC 8215"),
183
+ ipv6Prefix("fc00::/7", "RFC 4193"),
184
+ ipv6Prefix("fe80::/10", "RFC 4291"),
185
+ ipv6Prefix("ff00::/8", "RFC 4291")
186
+ ];
187
+ const ipv6WithIPv4Prefixes = [{
188
+ ...ipv6Prefix("64:ff9b::/96", "RFC 6052"),
189
+ extractIPv4: (words) => ipv4FromWords(words[6], words[7])
190
+ }];
191
+ function ipv4Prefix(cidr, rfc) {
192
+ const [address, prefixText] = cidr.split("/");
193
+ const prefix = parseInt(prefixText, 10);
194
+ const parts = parseIPv4Address(address);
195
+ if (parts == null || !Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`Invalid IPv4 prefix: ${cidr}`);
196
+ return {
197
+ cidr,
198
+ base: ipv4PartsToNumber(parts),
199
+ prefix,
200
+ rfc
201
+ };
202
+ }
203
+ function ipv6Prefix(cidr, rfc) {
204
+ const [address, prefixText] = cidr.split("/");
205
+ const prefix = parseInt(prefixText, 10);
206
+ const words = parseIPv6Address(address);
207
+ if (words == null || !Number.isInteger(prefix) || prefix < 0 || prefix > 128) throw new Error(`Invalid IPv6 prefix: ${cidr}`);
208
+ return {
209
+ cidr,
210
+ words,
211
+ prefix,
212
+ rfc
213
+ };
214
+ }
215
+ function parseIPv4Address(address) {
216
+ const parts = address.split(".").map((part) => {
217
+ if (!/^\d+$/.test(part)) return NaN;
218
+ return parseInt(part, 10);
219
+ });
220
+ if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) return null;
221
+ return parts;
222
+ }
223
+ function parseIPv6Address(address) {
224
+ const parts = expandIPv6Address(address).split(":");
225
+ if (parts.length !== 8) return null;
226
+ const words = parts.map((part) => {
227
+ if (!/^[0-9a-f]{1,4}$/i.test(part)) return NaN;
228
+ return parseInt(part, 16);
229
+ });
230
+ if (words.some((word) => !Number.isInteger(word) || word < 0 || word > 65535)) return null;
231
+ return words;
232
+ }
233
+ function ipv4PartsToNumber(parts) {
234
+ return parts[0] * 2 ** 24 + parts[1] * 2 ** 16 + parts[2] * 2 ** 8 + parts[3];
235
+ }
236
+ function ipv4FromWords(highWord, lowWord) {
237
+ return [
238
+ highWord >> 8,
239
+ highWord & 255,
240
+ lowWord >> 8,
241
+ lowWord & 255
242
+ ].join(".");
243
+ }
244
+ function matchesIPv4Prefix(address, prefixBase, prefixLength) {
245
+ const blockSize = 2 ** (32 - prefixLength);
246
+ return Math.floor(address / blockSize) === Math.floor(prefixBase / blockSize);
247
+ }
248
+ function matchesIPv6Prefix(address, prefixWords, prefixLength) {
249
+ let remaining = prefixLength;
250
+ for (let i = 0; i < 8 && remaining > 0; i++) if (remaining >= 16) {
251
+ if (address[i] !== prefixWords[i]) return false;
252
+ remaining -= 16;
253
+ } else {
254
+ const mask = 65535 << 16 - remaining & 65535;
255
+ if ((address[i] & mask) !== (prefixWords[i] & mask)) return false;
256
+ remaining = 0;
257
+ }
258
+ return true;
259
+ }
260
+ //#endregion
261
+ export { isValidPublicIPv4Address as a, parseJsonLdId as c, haveSameIriOrigin as i, validatePublicUrl as l, expandIPv6Address as n, isValidPublicIPv6Address as o, formatIri as r, parseIri as s, UrlError as t };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@fedify/vocab-runtime",
3
- "version": "2.4.0-dev.1570+f1b6aaa3",
3
+ "version": "2.4.0-dev.1571+31e2786b",
4
4
  "homepage": "https://fedify.dev/",
5
5
  "repository": {
6
6
  "type": "git",
@@ -42,6 +42,16 @@
42
42
  "require": "./dist/jsonld.cjs",
43
43
  "default": "./dist/jsonld.js"
44
44
  },
45
+ "./internal/jsonld-cache": {
46
+ "types": {
47
+ "import": "./dist/internal/jsonld-cache.d.ts",
48
+ "require": "./dist/internal/jsonld-cache.d.cts",
49
+ "default": "./dist/internal/jsonld-cache.d.ts"
50
+ },
51
+ "import": "./dist/internal/jsonld-cache.js",
52
+ "require": "./dist/internal/jsonld-cache.cjs",
53
+ "default": "./dist/internal/jsonld-cache.js"
54
+ },
45
55
  "./temporal": {
46
56
  "types": {
47
57
  "import": "./dist/temporal.d.ts",
@@ -0,0 +1,24 @@
1
+ {
2
+ "@context": {
3
+ "FeaturedCollection": "https://w3id.org/fep/7aa9#FeaturedCollection",
4
+ "FeaturedItem": "https://w3id.org/fep/7aa9#FeaturedItem",
5
+ "FeatureRequest": "https://w3id.org/fep/7aa9#FeatureRequest",
6
+ "FeatureAuthorization": "https://w3id.org/fep/7aa9#FeatureAuthorization",
7
+ "topic": {
8
+ "@id": "https://w3id.org/fep/7aa9#topic",
9
+ "@type": "@id"
10
+ },
11
+ "featuredObject": {
12
+ "@id": "https://w3id.org/fep/7aa9#featuredObject",
13
+ "@type": "@id"
14
+ },
15
+ "canFeature": {
16
+ "@id": "https://w3id.org/fep/7aa9#canFeature",
17
+ "@type": "@id"
18
+ },
19
+ "featureAuthorization": {
20
+ "@id": "https://w3id.org/fep/7aa9#featureAuthorization",
21
+ "@type": "@id"
22
+ }
23
+ }
24
+ }
package/src/contexts.ts CHANGED
@@ -7,6 +7,7 @@ import activitystreams from "./contexts/activitystreams.json" with {
7
7
  };
8
8
  import didV1 from "./contexts/did-v1.json" with { type: "json" };
9
9
  import fep5711 from "./contexts/fep-5711.json" with { type: "json" };
10
+ import fep7aa9 from "./contexts/fep-7aa9.json" with { type: "json" };
10
11
  import gotosocial from "./contexts/gotosocial.json" with { type: "json" };
11
12
  import identityV1 from "./contexts/identity-v1.json" with { type: "json" };
12
13
  import joinLemmyContext from "./contexts/join-lemmy.json" with { type: "json" };
@@ -35,6 +36,7 @@ const preloadedContexts: Record<string, unknown> = {
35
36
  "http://schema.org/": schemaorg,
36
37
  "https://gotosocial.org/ns": gotosocial,
37
38
  "https://w3id.org/fep/5711": fep5711,
39
+ "https://w3id.org/fep/7aa9": fep7aa9,
38
40
 
39
41
  // Lemmy's context document is served as application/json without the JSON-LD
40
42
  // context Link header. The default document loader treats that as a regular
@@ -2,7 +2,7 @@ import fetchMock from "fetch-mock";
2
2
  import { deepStrictEqual, ok, rejects } from "node:assert";
3
3
  import { test } from "node:test";
4
4
  import preloadedContexts from "./contexts.ts";
5
- import { getDocumentLoader } from "./docloader.ts";
5
+ import { getDocumentLoader, getRemoteDocument } from "./docloader.ts";
6
6
  import { FetchError } from "./request.ts";
7
7
  import { UrlError } from "./url.ts";
8
8
 
@@ -90,7 +90,7 @@ test("getDocumentLoader()", async (t) => {
90
90
  type: "Object",
91
91
  },
92
92
  headers: {
93
- "Content-Type": "text/html; charset=utf-8",
93
+ "Content-Type": "application/activity+json",
94
94
  Link: '<https://example.com/object>; rel="alternate"; ' +
95
95
  'type="application/ld+json; profile="https://www.w3.org/ns/activitystreams""',
96
96
  },
@@ -247,6 +247,44 @@ test("getDocumentLoader()", async (t) => {
247
247
  });
248
248
  });
249
249
 
250
+ fetchMock.get("https://example.com/html-no-alternate", {
251
+ body: `<!DOCTYPE html>
252
+ <html>
253
+ <head>
254
+ <title>Not an ActivityPub document</title>
255
+ </head>
256
+ <body>Not found</body>
257
+ </html>`,
258
+ headers: { "Content-Type": "text/html; charset=utf-8" },
259
+ });
260
+
261
+ await t.test("HTML without ActivityPub alternate link", async () => {
262
+ await rejects(
263
+ () => fetchDocumentLoader("https://example.com/html-no-alternate"),
264
+ (error) => {
265
+ ok(error instanceof FetchError);
266
+ ok(
267
+ error.message.includes(
268
+ "HTML document has no ActivityPub alternate link",
269
+ ),
270
+ );
271
+ ok(
272
+ error.message.includes("Content-Type: text/html; charset=utf-8"),
273
+ );
274
+ deepStrictEqual(
275
+ error.url,
276
+ new URL("https://example.com/html-no-alternate"),
277
+ );
278
+ ok(error.response != null);
279
+ deepStrictEqual(
280
+ error.response.headers.get("Content-Type"),
281
+ "text/html; charset=utf-8",
282
+ );
283
+ return true;
284
+ },
285
+ );
286
+ });
287
+
250
288
  fetchMock.get("https://example.com/wrong-content-type", {
251
289
  body: {
252
290
  "@context": "https://www.w3.org/ns/activitystreams",
@@ -257,7 +295,7 @@ test("getDocumentLoader()", async (t) => {
257
295
  headers: { "Content-Type": "text/html; charset=utf-8" },
258
296
  });
259
297
 
260
- await t.test("Wrong Content-Type", async () => {
298
+ await t.test("wrong Content-Type with JSON body", async () => {
261
299
  deepStrictEqual(
262
300
  await fetchDocumentLoader("https://example.com/wrong-content-type"),
263
301
  {
@@ -273,6 +311,64 @@ test("getDocumentLoader()", async (t) => {
273
311
  );
274
312
  });
275
313
 
314
+ fetchMock.get("https://example.com/large-html", {
315
+ body: "<!DOCTYPE html>",
316
+ headers: {
317
+ "Content-Length": String(1024 * 1024 + 1),
318
+ "Content-Type": "text/html; charset=utf-8",
319
+ },
320
+ });
321
+
322
+ await t.test("HTML Content-Length over limit", async () => {
323
+ await rejects(
324
+ () => fetchDocumentLoader("https://example.com/large-html"),
325
+ (error) => {
326
+ ok(error instanceof FetchError);
327
+ ok(
328
+ error.message.includes(
329
+ "HTML document is too large to scan for an ActivityPub alternate link",
330
+ ),
331
+ );
332
+ ok(error.response != null);
333
+ deepStrictEqual(error.response.status, 200);
334
+ deepStrictEqual(
335
+ error.response.headers.get("Content-Type"),
336
+ "text/html; charset=utf-8",
337
+ );
338
+ return true;
339
+ },
340
+ );
341
+ });
342
+
343
+ await t.test("HTML Content-Length over limit cancels body", async () => {
344
+ let canceled = false;
345
+ const response = new Response("<!DOCTYPE html>", {
346
+ headers: {
347
+ "Content-Length": String(1024 * 1024 + 1),
348
+ "Content-Type": "text/html; charset=utf-8",
349
+ },
350
+ });
351
+ Object.defineProperty(response, "body", {
352
+ value: {
353
+ cancel: () => {
354
+ canceled = true;
355
+ },
356
+ },
357
+ });
358
+ await rejects(
359
+ () =>
360
+ getRemoteDocument(
361
+ "https://example.com/large-html-cancel",
362
+ response,
363
+ () => {
364
+ throw new Error("unexpected alternate fetch");
365
+ },
366
+ ),
367
+ FetchError,
368
+ );
369
+ deepStrictEqual(canceled, true);
370
+ });
371
+
276
372
  fetchMock.get("https://example.com/404", { status: 404 });
277
373
 
278
374
  await t.test("not ok", async () => {
@@ -459,11 +555,11 @@ test("getDocumentLoader()", async (t) => {
459
555
 
460
556
  await t.test("ReDoS resistance (CVE-2025-68475)", async () => {
461
557
  const start = performance.now();
462
- // The malicious HTML will fail JSON parsing, but the important thing is
463
- // that it should complete quickly (not hang due to ReDoS)
558
+ // The malicious HTML will fail alternate discovery, but the important
559
+ // thing is that it should complete quickly (not hang due to ReDoS).
464
560
  await rejects(
465
561
  () => fetchDocumentLoader("https://example.com/redos"),
466
- SyntaxError,
562
+ FetchError,
467
563
  );
468
564
  const elapsed = performance.now() - start;
469
565
 
package/src/docloader.ts CHANGED
@@ -13,6 +13,7 @@ import { UrlError, validatePublicUrl } from "./url.ts";
13
13
 
14
14
  const logger = getLogger(["fedify", "runtime", "docloader"]);
15
15
  const DEFAULT_MAX_REDIRECTION = 20;
16
+ const MAX_HTML_SIZE = 1024 * 1024; // 1MB
16
17
 
17
18
  /**
18
19
  * A remote JSON-LD document and its context fetched by
@@ -112,6 +113,59 @@ export type AuthenticatedDocumentLoaderFactory = (
112
113
  options?: DocumentLoaderFactoryOptions,
113
114
  ) => DocumentLoader;
114
115
 
116
+ function createResponseMetadata(response: Response): Response {
117
+ return new Response(null, {
118
+ headers: response.headers,
119
+ status: response.status,
120
+ statusText: response.statusText,
121
+ });
122
+ }
123
+
124
+ async function cancelResponseBody(response: Response): Promise<void> {
125
+ if (response.body != null) {
126
+ await response.body.cancel();
127
+ }
128
+ }
129
+
130
+ async function readBoundedText(
131
+ response: Response,
132
+ maxBytes: number,
133
+ ): Promise<{ text: string; size: number; tooLarge: boolean }> {
134
+ const contentLength = response.headers.get("Content-Length");
135
+ if (contentLength != null) {
136
+ const size = Number(contentLength);
137
+ if (size > maxBytes) {
138
+ await cancelResponseBody(response);
139
+ return { text: "", size, tooLarge: true };
140
+ }
141
+ }
142
+
143
+ if (response.body == null) return { text: "", size: 0, tooLarge: false };
144
+
145
+ const reader = response.body.getReader();
146
+ const decoder = new TextDecoder();
147
+ let text = "";
148
+ let size = 0;
149
+ try {
150
+ while (true) {
151
+ const result = await reader.read();
152
+ if (result.done) break;
153
+ const chunkSize = result.value.byteLength;
154
+ if (size + chunkSize > maxBytes) {
155
+ size += chunkSize;
156
+ await reader.cancel();
157
+ return { text: "", size, tooLarge: true };
158
+ }
159
+ size += chunkSize;
160
+ text += decoder.decode(result.value, { stream: true });
161
+ }
162
+ text += decoder.decode();
163
+ return { text, size, tooLarge: false };
164
+ } finally {
165
+ reader.releaseLock();
166
+ }
167
+ }
168
+
115
169
  /**
116
170
  * Gets a {@link RemoteDocument} from the given response.
117
171
  * @param url The URL of the document to load.
@@ -200,15 +254,19 @@ export async function getRemoteDocument(
200
254
  contentType === "application/xhtml+xml" ||
201
255
  contentType?.startsWith("application/xhtml+xml;"))
202
256
  ) {
203
- // Security: Limit HTML response size to mitigate ReDoS attacks
204
- const MAX_HTML_SIZE = 1024 * 1024; // 1MB
205
- const html = await response.text();
206
- if (html.length > MAX_HTML_SIZE) {
257
+ const errorResponse = createResponseMetadata(response);
258
+ const html = await readBoundedText(response, MAX_HTML_SIZE);
259
+ if (html.tooLarge) {
207
260
  logger.warn(
208
261
  "HTML response too large, skipping alternate link discovery: {url}",
209
- { url: documentUrl, size: html.length },
262
+ { url: documentUrl, size: html.size },
263
+ );
264
+ throw new FetchError(
265
+ documentUrl,
266
+ `HTML document is too large to scan for an ActivityPub alternate link ` +
267
+ `(Content-Type: ${contentType})`,
268
+ errorResponse,
210
269
  );
211
- document = JSON.parse(html);
212
270
  } else {
213
271
  // Safe regex patterns without nested quantifiers to prevent ReDoS
214
272
  // (CVE-2025-68475)
@@ -219,7 +277,7 @@ export async function getRemoteDocument(
219
277
  /([a-z][a-z:_-]*)=(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
220
278
 
221
279
  let tagMatch: RegExpExecArray | null;
222
- while ((tagMatch = tagPattern.exec(html)) !== null) {
280
+ while ((tagMatch = tagPattern.exec(html.text)) !== null) {
223
281
  const tagContent = tagMatch[2];
224
282
  let attrMatch: RegExpExecArray | null;
225
283
  const attribs: Record<string, string> = {};
@@ -247,7 +305,17 @@ export async function getRemoteDocument(
247
305
  return await fetch(new URL(attribs.href, docUrl).href);
248
306
  }
249
307
  }
250
- document = JSON.parse(html);
308
+ try {
309
+ document = JSON.parse(html.text);
310
+ } catch (error) {
311
+ if (!(error instanceof SyntaxError)) throw error;
312
+ throw new FetchError(
313
+ documentUrl,
314
+ `HTML document has no ActivityPub alternate link ` +
315
+ `(Content-Type: ${contentType})`,
316
+ errorResponse,
317
+ );
318
+ }
251
319
  }
252
320
  } else {
253
321
  document = await response.json();