Loading CHANGES.md +5 −0 Original line number Diff line number Diff line Loading @@ -19,6 +19,11 @@ To be released. could lead to a security breach. Now it follows only the same scheme as the original request. - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the redirects to the private network addresses, which could lead to a SSRF attack. Now it follows only the public network addresses. Version 1.0.13 -------------- Loading src/webfinger/lookup.test.ts +18 −1 Original line number Diff line number Diff line import { assertEquals } from "@std/assert"; import { assertEquals, assertRejects } from "@std/assert"; import { deadline } from "@std/async/deadline"; import * as mf from "mock_fetch"; import { UrlError } from "../runtime/url.ts"; import { test } from "../testing/mod.ts"; import type { ResourceDescriptor } from "./jrd.ts"; import { lookupWebFinger } from "./lookup.ts"; Loading Loading @@ -122,6 +123,22 @@ test("lookupWebFinger()", async (t) => { assertEquals(await lookupWebFinger("acct:johndoe@example.com"), null); }); mf.mock( "GET@/.well-known/webfinger", (_) => new Response("", { status: 302, headers: { Location: "https://localhost/" }, }), ); await t.step("redirection to private address", async () => { await assertRejects( () => lookupWebFinger("acct:johndoe@example.com"), UrlError, ); }); mf.uninstall(); }); Loading src/webfinger/lookup.ts +2 −0 Original line number Diff line number Diff line import { getLogger } from "@logtape/logtape"; import { validatePublicUrl } from "../runtime/url.ts"; import type { ResourceDescriptor } from "./jrd.ts"; const logger = getLogger(["fedify", "webfinger", "lookup"]); Loading Loading @@ -35,6 +36,7 @@ export async function lookupWebFinger( { url: url.href }, ); let response: Response; await validatePublicUrl(url.href); try { response = await fetch(url, { headers: { Accept: "application/jrd+json" }, Loading Loading
CHANGES.md +5 −0 Original line number Diff line number Diff line Loading @@ -19,6 +19,11 @@ To be released. could lead to a security breach. Now it follows only the same scheme as the original request. - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the redirects to the private network addresses, which could lead to a SSRF attack. Now it follows only the public network addresses. Version 1.0.13 -------------- Loading
src/webfinger/lookup.test.ts +18 −1 Original line number Diff line number Diff line import { assertEquals } from "@std/assert"; import { assertEquals, assertRejects } from "@std/assert"; import { deadline } from "@std/async/deadline"; import * as mf from "mock_fetch"; import { UrlError } from "../runtime/url.ts"; import { test } from "../testing/mod.ts"; import type { ResourceDescriptor } from "./jrd.ts"; import { lookupWebFinger } from "./lookup.ts"; Loading Loading @@ -122,6 +123,22 @@ test("lookupWebFinger()", async (t) => { assertEquals(await lookupWebFinger("acct:johndoe@example.com"), null); }); mf.mock( "GET@/.well-known/webfinger", (_) => new Response("", { status: 302, headers: { Location: "https://localhost/" }, }), ); await t.step("redirection to private address", async () => { await assertRejects( () => lookupWebFinger("acct:johndoe@example.com"), UrlError, ); }); mf.uninstall(); }); Loading
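Review bot: The new "redirection to private address" step only asserts that `lookupWebFinger()` rejects with `UrlError`; it does not assert that no request was actually issued to the redirect target `https://localhost/`, which is the property the fix exists to guarantee. If mock_fetch permits it, register a handler for that target that fails the step when invoked (a constructed example: `mf.mock("GET@/", () => { throw new Error("private redirect target was fetched"); });`), so a future regression that fetches first and validates afterwards is still caught. The step also covers only the redirect case; a companion step in which the initial WebFinger host is itself a private address (a constructed example: `lookupWebFinger("acct:johndoe@localhost")`) would exercise the `validatePublicUrl(url.href)` call before the first request directly. The enclosing `test("lookupWebFinger()", …)` callback starts before this hunk.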
src/webfinger/lookup.ts +2 −0 Original line number Diff line number Diff line import { getLogger } from "@logtape/logtape"; import { validatePublicUrl } from "../runtime/url.ts"; import type { ResourceDescriptor } from "./jrd.ts"; const logger = getLogger(["fedify", "webfinger", "lookup"]); Loading Loading @@ -35,6 +36,7 @@ export async function lookupWebFinger( { url: url.href }, ); let response: Response; await validatePublicUrl(url.href); try { response = await fetch(url, { headers: { Accept: "application/jrd+json" }, Loading
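Review bot: `await validatePublicUrl(url.href);` is placed outside the `try` that wraps `fetch`, so `lookupWebFinger()` now rejects with `UrlError` in a case where the rest of the function, per the context line in the test (`assertEquals(await lookupWebFinger("acct:johndoe@example.com"), null)`), resolves to `null` on failure; that contract change belongs in the function's TSDoc, e.g. `@throws {UrlError} if the WebFinger URL (or, presumably, a redirect target) points to a non-public network address`. Validating `url.href` before the first request covers only the initial URL; the redirect scenario the changelog describes is covered only if `fetch` is called with `redirect: "manual"` and each `Location` is passed through the same check, which is outside this hunk, so a comment at the redirect handling such as `// Redirect targets must pass validatePublicUrl() as well` would tie the two together. If `validatePublicUrl()` resolves the hostname, note that `fetch` resolves it again independently, so a short `// NOTE: validation and fetch resolve the hostname separately; a rebinding name can pass here and resolve to a private address at request time` would make the residual risk visible to the next maintainer. `lookupWebFinger()` starts before and continues past this hunk.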