Merge tag '0.15.5' into 1.0-maintenance (405c9d1e) · Commits · sc07 / Fedify Patched

CHANGES.md

+14 −0

Original line number	Diff line number	Diff line
		@@ -8,6 +8,10 @@ Version 1.0.7

		To be released.

		- Fixed a bug where `fetchDocumentLoader()` function had disallowed
		redirecting to a private network address when the second parameter,
		a `boolean` value to allow private network addresses, was `true`.


		Version 1.0.6
		-------------
		@@ -248,6 +252,16 @@ Released on September 26, 2024.
		[#137]: https://github.com/dahlia/fedify/issues/137


		Version 0.15.5
		--------------

		Released on October 30, 2024.

		- Fixed a bug where `fetchDocumentLoader()` function had disallowed
		redirecting to a private network address when the second parameter,
		a `boolean` value to allow private network addresses, was `true`.


		Version 0.15.4
		--------------

src/runtime/docloader.test.ts

+59 −4

Original line number	Diff line number	Diff line
		@@ -217,8 +217,6 @@ test("fetchDocumentLoader()", async (t) => {
		);
		});

		mf.uninstall();

		await t.step("preloaded contexts", async () => {
		for (const [url, document] of Object.entries(preloadedContexts)) {
		assertEquals(await fetchDocumentLoader(url), {
		@@ -236,12 +234,69 @@ test("fetchDocumentLoader()", async (t) => {
		);
		});

		await t.step("deny private network", async () => {
		mf.mock(
		"GET@/localhost-redirect",
		(_req) => Response.redirect("https://localhost/object", 302),
		);

		mf.mock("GET@/localhost-link", (_req) =>
		new Response(
		`<html>
		<head>
		<meta charset=utf-8>
		<link
		rel=alternate
		type='application/activity+json'
		href="https://localhost/object">
		</head>
		</html>`,
		{
		status: 200,
		headers: { "Content-Type": "text/html; charset=utf-8" },
		},
		));

		await t.step("allowPrivateAddress: false", async () => {
		await assertRejects(
		() => fetchDocumentLoader("https://localhost"),
		() => fetchDocumentLoader("https://localhost/object"),
		UrlError,
		);
		await assertRejects(
		() => fetchDocumentLoader("https://example.com/localhost-redirect"),
		UrlError,
		);
		await assertRejects(
		() => fetchDocumentLoader("https://example.com/localhost-link"),
		UrlError,
		);
		});

		await t.step("allowPrivateAddress: true", async () => {
		const expected = {
		contextUrl: null,
		documentUrl: "https://localhost/object",
		document: {
		"@context": "https://www.w3.org/ns/activitystreams",
		id: "https://example.com/object",
		name: "Fetched object",
		type: "Object",
		},
		};
		assertEquals(
		await fetchDocumentLoader("https://localhost/object", true),
		expected,
		);
		assertEquals(
		await fetchDocumentLoader("https://example.com/localhost-redirect", true),
		expected,
		);
		assertEquals(
		await fetchDocumentLoader("https://example.com/localhost-link", true),
		expected,
		);
		});

		mf.uninstall();
		});

		test("getAuthenticatedDocumentLoader()", async (t) => {

src/runtime/docloader.ts

+4 −1

Original line number	Diff line number	Diff line
		@@ -251,7 +251,10 @@ export async function fetchDocumentLoader(
		response.status >= 300 && response.status < 400 &&
		response.headers.has("Location")
		) {
		return fetchDocumentLoader(response.headers.get("Location")!);
		return fetchDocumentLoader(
		response.headers.get("Location")!,
		allowPrivateAddress,
		);
		}
		return getRemoteDocument(
		url,