Unverified Commit 1eebc72e authored by Hong Minhee's avatar Hong Minhee

Merge tag '0.12.3' into 0.13-maintenance

Fedify 0.12.3
parents 154a770e bc5b40be
+14 −0
@@ -8,6 +8,10 @@ Version 0.13.1

To be released.

 -  Fixed a vulnerability where the `getActorHandle()` function had trusted
    the hostname of WebFinger aliases that had not matched the hostname of the
    actor ID (URI).


Version 0.13.0
--------------
@@ -83,6 +87,16 @@ Released on August 7, 2024.
[Nitro]: https://nitro.unjs.io/


Version 0.12.3
--------------

Released on August 18, 2024.

 -  Fixed a vulnerability where the `getActorHandle()` function had trusted
    the hostname of WebFinger aliases that had not matched the hostname of the
    actor ID (URI).


Version 0.12.2
--------------

+1 −1
@@ -16,7 +16,7 @@
  "imports": {
    "@cfworker/json-schema": "npm:@cfworker/json-schema@^1.12.8",
    "@david/which-runtime": "jsr:@david/which-runtime@^0.2.0",
    "@deno/dnt": "jsr:@deno/dnt@^0.41.2",
    "@deno/dnt": "jsr:@deno/dnt@0.41.2",
    "@fedify/fedify": "./mod.ts",
    "@fedify/fedify/federation": "./federation/mod.ts",
    "@fedify/fedify/nodeinfo": "./nodeinfo/mod.ts",
+13 −10
@@ -100,7 +100,7 @@ test("getActorHandle()", async (t) => {
    "GET@/.well-known/webfinger",
    (_) =>
      new Response(
        JSON.stringify({ subject: "acct:john@example.com" }),
        JSON.stringify({ subject: "acct:johndoe@foo.example.com" }),
        { headers: { "Content-Type": "application/jrd+json" } },
      ),
  );
@@ -112,15 +112,15 @@ test("getActorHandle()", async (t) => {
  });

  await t.step("WebFinger subject", async () => {
    assertEquals(await getActorHandle(actor), "@john@example.com");
    assertEquals(await getActorHandle(actor), "@johndoe@foo.example.com");
    assertEquals(
      await getActorHandle(actor, { trimLeadingAt: true }),
      "john@example.com",
      "johndoe@foo.example.com",
    );
    assertEquals(await getActorHandle(actorId), "@john@example.com");
    assertEquals(await getActorHandle(actorId), "@johndoe@foo.example.com");
    assertEquals(
      await getActorHandle(actorId, { trimLeadingAt: true }),
      "john@example.com",
      "johndoe@foo.example.com",
    );
  });

@@ -130,22 +130,25 @@ test("getActorHandle()", async (t) => {
      new Response(
        JSON.stringify({
          subject: "https://foo.example.com/@john",
          aliases: ["acct:john@bar.example.com"],
          aliases: [
            "acct:john@bar.example.com",
            "acct:johndoe@foo.example.com",
          ],
        }),
        { headers: { "Content-Type": "application/jrd+json" } },
      ),
  );

  await t.step("WebFinger aliases", async () => {
    assertEquals(await getActorHandle(actor), "@john@bar.example.com");
    assertEquals(await getActorHandle(actor), "@johndoe@foo.example.com");
    assertEquals(
      await getActorHandle(actor, { trimLeadingAt: true }),
      "john@bar.example.com",
      "johndoe@foo.example.com",
    );
    assertEquals(await getActorHandle(actorId), "@john@bar.example.com");
    assertEquals(await getActorHandle(actorId), "@johndoe@foo.example.com");
    assertEquals(
      await getActorHandle(actorId, { trimLeadingAt: true }),
      "john@bar.example.com",
      "johndoe@foo.example.com",
    );
  });
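Review bot: No step in these hunks pins what `getActorHandle()` does when none of the WebFinger aliases is on the actor ID's host. In the "WebFinger aliases" step the cross-host `acct:john@bar.example.com` is always followed by a same-host alias, so only the skip-and-continue path is exercised; the reject-everything path may be covered outside the hunks, but it is not visible here. I would add a step whose mocked response carries only `aliases: ["acct:john@bar.example.com"]` and assert the intended fallback or error. The "WebFinger subject" fixture was also moved onto `foo.example.com`, which suggests the subject is host-checked too; if so, a mismatched-subject step would document that.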

+2 −0
@@ -114,6 +114,8 @@ export async function getActorHandle(
      for (const alias of aliases) {
        const match = alias.match(/^acct:([^@]+)@([^@]+)$/);
        if (match != null) {
          const hostname = new URL(`https://${match[2]}/`).hostname;
          if (hostname !== actorId.hostname) continue;
          return normalizeActorHandle(`@${match[1]}@${match[2]}`, options);
        }
      }
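Review bot: The value that is validated is not the value that is returned: the new comparison uses the parsed `hostname`, but the handle is still built from the raw `match[2]`. The pattern `[^@]+` also admits `:`, `/`, `?` and `#`, so an alias can parse to the actor's hostname while carrying a port, path or fragment into the handle, unless `normalizeActorHandle()` (not visible here) rejects it. I would build the result from the checked value, ``return normalizeActorHandle(`@${match[1]}@${hostname}`, options);``, or tighten the pattern so the host part cannot contain those characters. `new URL()` also throws on a host it cannot parse, so one malformed alias in a remote response may abort the lookup instead of being skipped; a `URL.canParse()` guard or a try/catch ending in `continue` would keep the loop going. The function starts and ends outside the hunk, so handling further up may already cover the throw.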