CHANGES.md +45 −0
@@ -99,6 +99,21 @@ To be released. [#92]: https://github.com/dahlia/fedify/pull/92 Version 0.11.2 -------------- Released on July 9, 2024. - Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [[CVE-2024-39687]] - The `fetchDocumentLoader()` function now throws an error when the given domain name has any records referring to a private network address. - The `getAuthenticatedDocumentLoader()` function now returns a document loader that throws an error when the given domain name has any records referring to a private network address. Version 0.11.1 --------------
@@ -297,6 +312,21 @@ Released on June 29, 2024. [#80]: https://github.com/dahlia/fedify/pull/80 Version 0.10.2 -------------- Released on July 9, 2024. - Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [[CVE-2024-39687]] - The `fetchDocumentLoader()` function now throws an error when the given domain name has any records referring to a private network address. - The `getAuthenticatedDocumentLoader()` function now returns a document loader that throws an error when the given domain name has any records referring to a private network address. Version 0.10.1 --------------
@@ -473,6 +503,21 @@ is now distributed under the [MIT License] to encourage wider adoption. [x-forwarded-fetch]: https://github.com/dahlia/x-forwarded-fetch Version 0.9.3 ------------- Released on July 9, 2024. - Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [[CVE-2024-39687]] - The `fetchDocumentLoader()` function now throws an error when the given domain name has any records referring to a private network address. - The `getAuthenticatedDocumentLoader()` function now returns a document loader that throws an error when the given domain name has any records referring to a private network address. Version 0.9.2 -------------
runtime/url.ts +11 −7
@@ -30,7 +30,10 @@ export async function validatePublicUrl(url: string): Promise<void> { const netPermission = await Deno.permissions.query({ name: "net" }); if (netPermission.state !== "granted") return; } const { address, family } = await lookup(hostname); // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses // and ensure that they are all public: const addresses = await lookup(hostname, { all: true }); for (const { address, family } of addresses) { if ( family === 4 && !isValidPublicIPv4Address(address) || family === 6 && !isValidPublicIPv6Address(address) ||
@@ -39,6 +42,7 @@ export async function validatePublicUrl(url: string): Promise<void> { throw new UrlError(`Invalid or private address: ${address}`); } } } export function isValidPublicIPv4Address(address: string): boolean { const parts = address.split(".");
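Review bot: Checking every record from `lookup(hostname, { all: true })` still leaves a time-of-check/time-of-use gap, because the `fetch()` that follows (outside this hunk) resolves the hostname again on its own, and a rebinding server with a zero-TTL record can answer the validation lookup with public addresses and the fetch's lookup with a private one. The loop does close the multi-record variant, so the new comment promises more than the code guarantees; I would reword it to `// Reject hostnames with any non-public record; the fetch re-resolves, so this narrows but does not close DNS-rebinding windows` and track, as a follow-up, pinning the connection to the validated address (connect by IP, keep the original Host header and SNI) or validating at connect time. The head of `validatePublicUrl` and the tail of the `if` condition are outside the visible lines, so I cannot tell whether a record whose `family` is neither 4 nor 6 is rejected; if it falls through, it should be treated as invalid rather than silently allowed.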