From b03c209db7cc0bc92b3585204dd0ec5b781305df Mon Sep 17 00:00:00 2001 From: Hong Minhee Date: Fri, 5 Jul 2024 11:06:35 +0900 Subject: [PATCH 1/7] Version bump [ci skip] --- CHANGES.md | 6 ++++++ cli/deno.json | 2 +- deno.json | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 72bd75f6..bd0ac79f 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -3,6 +3,12 @@ Fedify changelog ================ +Version 0.9.3 +------------- + +To be released. + + Version 0.9.2 ------------- diff --git a/cli/deno.json b/cli/deno.json index f128a938..1b979511 100644 --- a/cli/deno.json +++ b/cli/deno.json @@ -1,6 +1,6 @@ { "name": "@fedify/cli", - "version": "0.9.2", + "version": "0.9.3", "exports": "./mod.ts", "importMap": "import_map.g.json", "compilerOptions": { diff --git a/deno.json b/deno.json index b1b2e824..9ae60d8c 100644 --- a/deno.json +++ b/deno.json @@ -1,6 +1,6 @@ { "name": "@fedify/fedify", - "version": "0.9.2", + "version": "0.9.3", "exports": { ".": "./mod.ts", "./federation": "./federation/mod.ts", From dd43d0c6164ef92c78f6c38ba683f459e005eea6 Mon Sep 17 00:00:00 2001 From: Hong Minhee Date: Fri, 5 Jul 2024 11:22:38 +0900 Subject: [PATCH 2/7] Version bump [ci skip] --- CHANGES.md | 6 ++++++ cli/deno.json | 2 +- deno.json | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 163b36d1..ee7a9220 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -3,6 +3,12 @@ Fedify changelog ================ +Version 0.10.2 +-------------- + +To be released. + + Version 0.10.1 -------------- diff --git a/cli/deno.json b/cli/deno.json index 17aecc4c..0be56fea 100644 --- a/cli/deno.json +++ b/cli/deno.json @@ -1,6 +1,6 @@ { "name": "@fedify/cli", - "version": "0.10.1", + "version": "0.10.2", "exports": "./mod.ts", "importMap": "import_map.g.json", "compilerOptions": { diff --git a/deno.json b/deno.json index 8dc8da2d..0e81126a 100644 --- a/deno.json +++ b/deno.json @@ -1,6 +1,6 @@ { "name": "@fedify/fedify", - "version": "0.10.1", + "version": "0.10.2", "exports": { ".": "./mod.ts", "./federation": "./federation/mod.ts", From 893acd60cea27dd5ff08a401416b98cd3b960806 Mon Sep 17 00:00:00 2001 From: Hong Minhee Date: Fri, 5 Jul 2024 11:29:29 +0900 Subject: [PATCH 3/7] Version bump [ci skip] --- CHANGES.md | 6 ++++++ cli/deno.json | 2 +- deno.json | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index e1497132..3c9bab14 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -3,6 +3,12 @@ Fedify changelog ================ +Version 0.11.2 +-------------- + +To be released. + + Version 0.11.1 -------------- diff --git a/cli/deno.json b/cli/deno.json index 96b21110..b39cfbb0 100644 --- a/cli/deno.json +++ b/cli/deno.json @@ -1,6 +1,6 @@ { "name": "@fedify/cli", - "version": "0.11.1", + "version": "0.11.2", "exports": "./mod.ts", "importMap": "import_map.g.json", "compilerOptions": { diff --git a/deno.json b/deno.json index addd37ea..c6284d06 100644 --- a/deno.json +++ b/deno.json @@ -1,6 +1,6 @@ { "name": "@fedify/fedify", - "version": "0.11.1", + "version": "0.11.2", "exports": { ".": "./mod.ts", "./federation": "./federation/mod.ts", From 5faafd10ac8e8d0b39173972b93e070f07f981f4 Mon Sep 17 00:00:00 2001 From: Hong Minhee Date: Tue, 9 Jul 2024 15:07:04 +0900 Subject: [PATCH 4/7] Fix SSRF via DNS rebinding https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx --- CHANGES.md | 9 +++++++++ runtime/url.ts | 18 +++++++++++------- 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index bd0ac79f..a9f08a22 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -8,6 +8,15 @@ Version 0.9.3 To be released. + - Fixed a vulnerability of SSRF via DNS rebinding in the built-in document + loader. [[CVE-2024-39687]] + + - The `fetchDocumentLoader()` function now throws an error when the given + domain name has any records referring to a private network address. + - The `getAuthenticatedDocumentLoader()` function now returns a document + loader that throws an error when the given domain name has any records + referring to a private network address. + Version 0.9.2 ------------- diff --git a/runtime/url.ts b/runtime/url.ts index edc64b4b..81bad9b1 100644 --- a/runtime/url.ts +++ b/runtime/url.ts @@ -30,13 +30,17 @@ export async function validatePublicUrl(url: string): Promise { const netPermission = await Deno.permissions.query({ name: "net" }); if (netPermission.state !== "granted") return; } - const { address, family } = await lookup(hostname); - if ( - family === 4 && !isValidPublicIPv4Address(address) || - family === 6 && !isValidPublicIPv6Address(address) || - family < 4 || family === 5 || family > 6 - ) { - throw new UrlError(`Invalid or private address: ${address}`); + // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses + // and ensure that they are all public: + const addresses = await lookup(hostname, { all: true }); + for (const { address, family } of addresses) { + if ( + family === 4 && !isValidPublicIPv4Address(address) || + family === 6 && !isValidPublicIPv6Address(address) || + family < 4 || family === 5 || family > 6 + ) { + throw new UrlError(`Invalid or private address: ${address}`); + } } } From 7600281a13aefc5630c5695d48c0cabff88e270f Mon Sep 17 00:00:00 2001 From: Hong Minhee Date: Tue, 9 Jul 2024 15:07:41 +0900 Subject: [PATCH 5/7] Release 0.9.3 --- CHANGES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index a9f08a22..be17f8da 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -6,7 +6,7 @@ Fedify changelog Version 0.9.3 ------------- -To be released. +Released on July 9, 2024. - Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [[CVE-2024-39687]] From 212948814142bedbeb0521b4709efa2a4accb012 Mon Sep 17 00:00:00 2001 From: Hong Minhee Date: Tue, 9 Jul 2024 15:11:11 +0900 Subject: [PATCH 6/7] Release 0.10.2 --- CHANGES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index bb1b4caa..65af6e83 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -6,7 +6,7 @@ Fedify changelog Version 0.10.2 -------------- -To be released. +Released on July 9, 2024. - Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [[CVE-2024-39687]] From d9cf85ed7e85e256895ca95be7a3950d377903d2 Mon Sep 17 00:00:00 2001 From: Hong Minhee Date: Tue, 9 Jul 2024 15:18:22 +0900 Subject: [PATCH 7/7] Release 0.11.2 --- CHANGES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index ed3ce20e..8d20684a 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -6,7 +6,7 @@ Fedify changelog Version 0.11.2 -------------- -To be released. +Released on July 9, 2024. - Fixed a vulnerability of SSRF via DNS rebinding in the built-in document loader. [[CVE-2024-39687]]