Unverified Commit c505eb82 authored by Hong Minhee's avatar Hong Minhee

Make `lookupWebFinger()` to enforce protocol consistency

parent e921134d
+10 −3
@@ -8,9 +8,16 @@ Version 1.0.14

To be released.

 -  Fixed a security vulnerability where the `lookupWebFinger()` function had
    followed the infinite number of redirects, which could lead to a denial of
    service attack.  Now it follows up to 5 redirects.
 -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.

     -  Fixed a security vulnerability where the `lookupWebFinger()` function
        had followed the infinite number of redirects, which could lead to
        a denial of service attack.  Now it follows up to 5 redirects.

     -  Fixed a security vulnerability where the `lookupWebFinger()` function
        had followed the redirects to other than the HTTP/HTTPS schemes, which
        could lead to a security breach.  Now it follows only the same scheme
        as the original request.


Version 1.0.13
+13 −0
@@ -109,6 +109,19 @@ test("lookupWebFinger()", async (t) => {
    assertEquals(result, null);
  });

  mf.mock(
    "GET@/.well-known/webfinger",
    (_) =>
      new Response("", {
        status: 302,
        headers: { Location: "ftp://example.com/" },
      }),
  );

  await t.step("redirection to different protocol", async () => {
    assertEquals(await lookupWebFinger("acct:johndoe@example.com"), null);
  });

  mf.uninstall();
});
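Review bot: The new step "redirection to different protocol" pins only the `ftp://` case, while the downgrade the scheme check most plausibly exists to stop is `https:` → `http:`, which this test would not catch if the comparison were later loosened to "any HTTP scheme". A second mock answering 302 with `headers: { Location: "http://example.com/" }` followed by a step asserting `assertEquals(await lookupWebFinger("acct:johndoe@example.com"), null)` would cover it, assuming the lookup starts from an https URL (that is decided outside this hunk). The enclosing `test("lookupWebFinger()", ...)` body begins outside the hunk.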

+12 −0
@@ -64,6 +64,18 @@ export async function lookupWebFinger(
        response.headers.get("Location")!,
        response.url == null || response.url === "" ? url : response.url,
      );
      if (redirectedUrl.protocol !== url.protocol) {
        logger.error(
          "Redirected to a different protocol ({protocol} to " +
            "{redirectedProtocol}) while fetching WebFinger resource " +
            "descriptor.",
          {
            protocol: url.protocol,
            redirectedProtocol: redirectedUrl.protocol,
          },
        );
        return null;
      }
      url = redirectedUrl;
      continue;
    }
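Review bot: The guard at `if (redirectedUrl.protocol !== url.protocol)` enforces scheme equality rather than the HTTP/HTTPS restriction the changelog describes; it is only as strict as the scheme `url` already carries when the loop is entered, which the hunk does not show. An explicit allowlist makes the check independent of the caller: `if (!["http:", "https:"].includes(redirectedUrl.protocol) || redirectedUrl.protocol !== url.protocol) {`. On the context line just above, `response.headers.get("Location")!` still passes a missing header to `new URL()` as the string "null" at runtime, so a `Location` null check returning `null` before the new guard would close that gap too. The enclosing `lookupWebFinger` function begins and ends outside this hunk.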