Loading CHANGES.md +10 −3 Original line number Diff line number Diff line Loading @@ -8,9 +8,16 @@ Version 1.0.14 To be released. - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the infinite number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects. - Fixed several security vulnerabilities of the `lookupWebFinger()` function. - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the infinite number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects. - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the redirects to other than the HTTP/HTTPS schemes, which could lead to a security breach. Now it follows only the same scheme as the original request. Version 1.0.13 Loading src/webfinger/lookup.test.ts +13 −0 Original line number Diff line number Diff line Loading @@ -109,6 +109,19 @@ test("lookupWebFinger()", async (t) => { assertEquals(result, null); }); mf.mock( "GET@/.well-known/webfinger", (_) => new Response("", { status: 302, headers: { Location: "ftp://example.com/" }, }), ); await t.step("redirection to different protocol", async () => { assertEquals(await lookupWebFinger("acct:johndoe@example.com"), null); }); mf.uninstall(); }); Loading src/webfinger/lookup.ts +12 −0 Original line number Diff line number Diff line Loading @@ -64,6 +64,18 @@ export async function lookupWebFinger( response.headers.get("Location")!, response.url == null || response.url === "" ? url : response.url, ); if (redirectedUrl.protocol !== url.protocol) { logger.error( "Redirected to a different protocol ({protocol} to " + "{redirectedProtocol}) while fetching WebFinger resource " + "descriptor.", { protocol: url.protocol, redirectedProtocol: redirectedUrl.protocol, }, ); return null; } url = redirectedUrl; continue; } Loading Loading
CHANGES.md +10 −3 Original line number Diff line number Diff line Loading @@ -8,9 +8,16 @@ Version 1.0.14 To be released. - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the infinite number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects. - Fixed several security vulnerabilities of the `lookupWebFinger()` function. - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the infinite number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects. - Fixed a security vulnerability where the `lookupWebFinger()` function had followed the redirects to other than the HTTP/HTTPS schemes, which could lead to a security breach. Now it follows only the same scheme as the original request. Version 1.0.13 Loading
src/webfinger/lookup.test.ts +13 −0 Original line number Diff line number Diff line Loading @@ -109,6 +109,19 @@ test("lookupWebFinger()", async (t) => { assertEquals(result, null); }); mf.mock( "GET@/.well-known/webfinger", (_) => new Response("", { status: 302, headers: { Location: "ftp://example.com/" }, }), ); await t.step("redirection to different protocol", async () => { assertEquals(await lookupWebFinger("acct:johndoe@example.com"), null); }); mf.uninstall(); }); Loading
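Review bot: The new step exercises only the `ftp://` target, not the https→http downgrade that the same scheme guard is meant to block, so a regression that later accepted any `http*` scheme would still pass this suite. Add a second step whose mock returns `headers: { Location: "http://example.com/.well-known/webfinger" }` and asserts `assertEquals(await lookupWebFinger("acct:johndoe@example.com"), null)`; `mf.mock` as used here matches on the path only, so whether that step really tests a downgrade depends on `lookupWebFinger` issuing the first request over `https:`, which is decided outside this hunk. The step name "redirection to different protocol" could say "different scheme" to match URL terminology and the `url.protocol` field it relies on. The enclosing `test("lookupWebFinger()", …)` starts before this hunk.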
src/webfinger/lookup.ts +12 −0 Original line number Diff line number Diff line Loading @@ -64,6 +64,18 @@ export async function lookupWebFinger( response.headers.get("Location")!, response.url == null || response.url === "" ? url : response.url, ); if (redirectedUrl.protocol !== url.protocol) { logger.error( "Redirected to a different protocol ({protocol} to " + "{redirectedProtocol}) while fetching WebFinger resource " + "descriptor.", { protocol: url.protocol, redirectedProtocol: redirectedUrl.protocol, }, ); return null; } url = redirectedUrl; continue; } Loading
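Review bot: The added `if (redirectedUrl.protocol !== url.protocol)` guard has no comment saying what it defends against, and the single equality check is doing two security jobs at once — refusing an https→http downgrade and refusing non-HTTP(S) targets such as `ftp:` or `file:` — so a later "relaxation" to something like `startsWith("http")` would silently reintroduce the downgrade; suggest `// Never follow a redirect that changes scheme: blocks https→http downgrades and non-HTTP(S) targets (file:, ftp:, …).` above the `if`. Because the redirect target is chosen by the remote server, `logger.error` here can be triggered at will by a hostile host; `logger.warn` may fit better, depending on the project's logging policy. The guard still follows redirects to any host and port, so whether loopback or link-local targets should also be rejected depends on how `url` is validated before this hunk, which is not visible. The `Location` header on the preceding context line is read with a non-null assertion and handed to `new URL(…)`, which throws on a missing or malformed value — pre-existing, but the same function would be the place to catch it; `lookupWebFinger` starts and ends outside the hunk.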