Merge tag '0.11.2'

Fedify 0.11.2
fedify-dev · Jul 9, 2024 · 410cc77 · 410cc77
2 parents 8699f21 + d9cf85e
commit 410cc77
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 7 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -99,6 +99,21 @@ To be released.
 [#92]: https://github.com/dahlia/fedify/pull/92
 
 
+Version 0.11.2
+--------------
+
+Released on July 9, 2024.
+
+ -  Fixed a vulnerability of SSRF via DNS rebinding in the built-in document
+    loader.  [[CVE-2024-39687]]
+
+     -  The `fetchDocumentLoader()` function now throws an error when the given
+        domain name has any records referring to a private network address.
+     -  The `getAuthenticatedDocumentLoader()` function now returns a document
+        loader that throws an error when the given domain name has any records
+        referring to a private network address.
+
+
 Version 0.11.1
 --------------
 
@@ -297,6 +312,21 @@ Released on June 29, 2024.
 [#80]: https://github.com/dahlia/fedify/pull/80
 
 
+Version 0.10.2
+--------------
+
+Released on July 9, 2024.
+
+ -  Fixed a vulnerability of SSRF via DNS rebinding in the built-in document
+    loader.  [[CVE-2024-39687]]
+
+     -  The `fetchDocumentLoader()` function now throws an error when the given
+        domain name has any records referring to a private network address.
+     -  The `getAuthenticatedDocumentLoader()` function now returns a document
+        loader that throws an error when the given domain name has any records
+        referring to a private network address.
+
+
 Version 0.10.1
 --------------
 
@@ -473,6 +503,21 @@ is now distributed under the [MIT License] to encourage wider adoption.
 [x-forwarded-fetch]: https://github.com/dahlia/x-forwarded-fetch
 
 
+Version 0.9.3
+-------------
+
+Released on July 9, 2024.
+
+ -  Fixed a vulnerability of SSRF via DNS rebinding in the built-in document
+    loader.  [[CVE-2024-39687]]
+
+     -  The `fetchDocumentLoader()` function now throws an error when the given
+        domain name has any records referring to a private network address.
+     -  The `getAuthenticatedDocumentLoader()` function now returns a document
+        loader that throws an error when the given domain name has any records
+        referring to a private network address.
+
+
 Version 0.9.2
 -------------
 

diff --git a/runtime/url.ts b/runtime/url.ts
@@ -30,13 +30,17 @@ export async function validatePublicUrl(url: string): Promise<void> {
     const netPermission = await Deno.permissions.query({ name: "net" });
     if (netPermission.state !== "granted") return;
   }
-  const { address, family } = await lookup(hostname);
-  if (
-    family === 4 && !isValidPublicIPv4Address(address) ||
-    family === 6 && !isValidPublicIPv6Address(address) ||
-    family < 4 || family === 5 || family > 6
-  ) {
-    throw new UrlError(`Invalid or private address: ${address}`);
+  // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses
+  // and ensure that they are all public:
+  const addresses = await lookup(hostname, { all: true });
+  for (const { address, family } of addresses) {
+    if (
+      family === 4 && !isValidPublicIPv4Address(address) ||
+      family === 6 && !isValidPublicIPv6Address(address) ||
+      family < 4 || family === 5 || family > 6
+    ) {
+      throw new UrlError(`Invalid or private address: ${address}`);
+    }
   }
 }