#WebFinger

Fedify: an ActivityPub server framework

@fedify@hollo.social

Fetching remote #ActivityPub objects or actors often involves handling #WebFinger lookups, content negotiation, and then parsing potentially untyped JSON.

let actor = await ctx.lookupObject("@alice@instance.tld");
while (isActor(actor)) {
  const successor = await actor.getSuccessor();
  if (successor == null) break;
  actor = successor;
}
// actor now holds the latest account after moves

This is readily available in handlers where the Context object is provided (like actor dispatchers or inbox listeners).

Focus on your app's logic, not protocol boilerplate!

Learn more: https://fedify.dev/manual/context#looking-up-remote-objects

Fedify: an ActivityPub server framework

@fedify@hollo.social

Fetching remote #ActivityPub objects or actors often involves handling #WebFinger lookups, content negotiation, and then parsing potentially untyped JSON.

let actor = await ctx.lookupObject("@alice@instance.tld");
while (isActor(actor)) {
  const successor = await actor.getSuccessor();
  if (successor == null) break;
  actor = successor;
}
// actor now holds the latest account after moves

This is readily available in handlers where the Context object is provided (like actor dispatchers or inbox listeners).

Focus on your app's logic, not protocol boilerplate!

Learn more: https://fedify.dev/manual/context#looking-up-remote-objects

Fedify: an ActivityPub server framework

@fedify@hollo.social

Fetching remote #ActivityPub objects or actors often involves handling #WebFinger lookups, content negotiation, and then parsing potentially untyped JSON.

let actor = await ctx.lookupObject("@alice@instance.tld");
while (isActor(actor)) {
  const successor = await actor.getSuccessor();
  if (successor == null) break;
  actor = successor;
}
// actor now holds the latest account after moves

This is readily available in handlers where the Context object is provided (like actor dispatchers or inbox listeners).

Focus on your app's logic, not protocol boilerplate!

Learn more: https://fedify.dev/manual/context#looking-up-remote-objects

Fedify: an ActivityPub server framework

@fedify@hollo.social

Fetching remote #ActivityPub objects or actors often involves handling #WebFinger lookups, content negotiation, and then parsing potentially untyped JSON.

let actor = await ctx.lookupObject("@alice@instance.tld");
while (isActor(actor)) {
  const successor = await actor.getSuccessor();
  if (successor == null) break;
  actor = successor;
}
// actor now holds the latest account after moves

This is readily available in handlers where the Context object is provided (like actor dispatchers or inbox listeners).

Focus on your app's logic, not protocol boilerplate!

Learn more: https://fedify.dev/manual/context#looking-up-remote-objects

Fedify: an ActivityPub server framework

@fedify@hollo.social

Fetching remote #ActivityPub objects or actors often involves handling #WebFinger lookups, content negotiation, and then parsing potentially untyped JSON.

let actor = await ctx.lookupObject("@alice@instance.tld");
while (isActor(actor)) {
  const successor = await actor.getSuccessor();
  if (successor == null) break;
  actor = successor;
}
// actor now holds the latest account after moves

This is readily available in handlers where the Context object is provided (like actor dispatchers or inbox listeners).

Focus on your app's logic, not protocol boilerplate!

Learn more: https://fedify.dev/manual/context#looking-up-remote-objects

Fedify: an ActivityPub server framework

@fedify@hollo.social

Fetching remote #ActivityPub objects or actors often involves handling #WebFinger lookups, content negotiation, and then parsing potentially untyped JSON.

let actor = await ctx.lookupObject("@alice@instance.tld");
while (isActor(actor)) {
  const successor = await actor.getSuccessor();
  if (successor == null) break;
  actor = successor;
}
// actor now holds the latest account after moves

This is readily available in handlers where the Context object is provided (like actor dispatchers or inbox listeners).

Focus on your app's logic, not protocol boilerplate!

Learn more: https://fedify.dev/manual/context#looking-up-remote-objects

Fedify: an ActivityPub server framework

@fedify@hollo.social

Fedify is an #ActivityPub server framework in #TypeScript & #JavaScript. It aims to eliminate the complexity and redundant boilerplate code when building a federated server app, so that you can focus on your business logic and user experience.

The key features it provides currently are:

Type-safe objects for Activity Vocabulary (including some vendor-specific extensions)
#WebFinger client and server
HTTP Signatures & Linked Data Signatures & Object Integrity Proofs
Middleware for handling webhooks
#NodeInfo protocol
#Node.js, #Deno, and #Bun support
CLI toolchain for testing and debugging

If you're curious, take a look at the #Fedify website! There's comprehensive docs, a demo, a tutorial, example code, and more:

Marcus Rohrmoser 🌻

@mro@digitalcourage.social

⁂ Create #fediverse / #webfinger interact #bookmarklets wit a #CGI / #RFC3875.
https://codeberg.org/mro/bookmarklet-interact
Sample #deployment and #soucecode.

Enjoy!
¹ https://mro.name/b4fzzac

Marcus Rohrmoser 🌻

@mro@digitalcourage.social

⁂ Create #fediverse / #webfinger interact #bookmarklets wit a #CGI / #RFC3875.
https://codeberg.org/mro/bookmarklet-interact
Sample #deployment and #soucecode.

Enjoy!
¹ https://mro.name/b4fzzac

Fedify: an ActivityPub server framework

@fedify@hollo.social

The key features it provides currently are:

Type-safe objects for Activity Vocabulary (including some vendor-specific extensions)
#WebFinger client and server
HTTP Signatures & Linked Data Signatures & Object Integrity Proofs
Middleware for handling webhooks
#NodeInfo protocol
#Node.js, #Deno, and #Bun support
CLI toolchain for testing and debugging

If you're curious, take a look at the #Fedify website! There's comprehensive docs, a demo, a tutorial, example code, and more:

Fedify: an ActivityPub server framework

@fedify@hollo.social

The key features it provides currently are:

Type-safe objects for Activity Vocabulary (including some vendor-specific extensions)
#WebFinger client and server
HTTP Signatures & Linked Data Signatures & Object Integrity Proofs
Middleware for handling webhooks
#NodeInfo protocol
#Node.js, #Deno, and #Bun support
CLI toolchain for testing and debugging

If you're curious, take a look at the #Fedify website! There's comprehensive docs, a demo, a tutorial, example code, and more:

Maho Pacheco 🦝🍻

@mapache@hachyderm.io

A Guide to Implementing ActivityPub in a Static Site (or Any Website) - Part 8 is out!

Follow the site here @blog or check the article here: https://maho.dev/2025/01/a-guide-to-implementing-activitypub-in-a-static-site-or-any-website-part-8/

#fediverse #activitypub #static-sites #hugo #azure #mastodon #web-development #social-web #webfinger #http #azure #azurefunctions

Maho Pacheco 🦝🍻

@mapache@hachyderm.io

A Guide to Implementing ActivityPub in a Static Site (or Any Website) - Part 8 is out!

Follow the site here @blog or check the article here: https://maho.dev/2025/01/a-guide-to-implementing-activitypub-in-a-static-site-or-any-website-part-8/

#fediverse #activitypub #static-sites #hugo #azure #mastodon #web-development #social-web #webfinger #http #azure #azurefunctions

Maho Pacheco 🦝🍻

@mapache@hachyderm.io

A Guide to Implementing ActivityPub in a Static Site (or Any Website) - Part 8 is out!

Follow the site here @blog or check the article here: https://maho.dev/2025/01/a-guide-to-implementing-activitypub-in-a-static-site-or-any-website-part-8/

#fediverse #activitypub #static-sites #hugo #azure #mastodon #web-development #social-web #webfinger #http #azure #azurefunctions

Maho Pacheco 🦝🍻

@mapache@hachyderm.io

A Guide to Implementing ActivityPub in a Static Site (or Any Website) - Part 8 is out!

Follow the site here @blog or check the article here: https://maho.dev/2025/01/a-guide-to-implementing-activitypub-in-a-static-site-or-any-website-part-8/

#fediverse #activitypub #static-sites #hugo #azure #mastodon #web-development #social-web #webfinger #http #azure #azurefunctions

Fedify: an ActivityPub server framework

@fedify@hollo.social · Reply to Fedify: an ActivityPub server framework's post

FedifyのWebFinger実装における脆弱性CVE-2025-23221に対するセキュリティアップデート（1.0.14、1.1.11、1.2.11、1.3.4）をリリースいたしました。すべてのユーザー様におかれましては、お使いのバージョンに応じた最新版への速やかなアップデートを推奨いたします。

脆弱性の詳細

セキュリティ研究者により、FedifyのlookupWebFinger()関数において以下のセキュリティ上の問題が発見されました：

無限リダイレクトループによるサービス拒否攻撃（DoS）の可能性
プライベートネットワークアドレスへのリダイレクトを利用したSSRF（サーバーサイドリクエストフォージェリ）攻撃の可能性
リダイレクト操作による意図しないURLスキームへのアクセスの可能性

修正されたバージョン

1.3.xシリーズ：1.3.4へアップデート
1.2.xシリーズ：1.2.11へアップデート
1.1.xシリーズ：1.1.11へアップデート
1.0.xシリーズ：1.0.14へアップデート

変更内容

本セキュリティアップデートでは、以下の修正が実施されました：

無限リダイレクトループを防ぐため、最大リダイレクト回数（5回）の制限を導入
元のリクエストと同じスキーム（HTTP/HTTPS）のみにリダイレクトを制限
SSRFを防止するため、プライベートネットワークアドレスへのリダイレクトをブロック

アップデート方法

以下のコマンドで最新のセキュアバージョンにアップデートできます：

# npmユーザーの場合
npm update @fedify/fedify

# Denoユーザーの場合
deno add jsr:@fedify/fedify

この脆弱性を責任を持って報告していただいたセキュリティ研究者の方に感謝申し上げます。迅速な対応が可能となりました。

本脆弱性の詳細については、セキュリティ勧告をご参照ください。

ご質問やご懸念がございましたら、GitHub Discussions、Matrixチャットスペース、またはDiscordサーバーまでお気軽にご連絡ください。

Fedify: an ActivityPub server framework

@fedify@hollo.social · Reply to Fedify: an ActivityPub server framework's post

脆弱性の詳細

セキュリティ研究者により、FedifyのlookupWebFinger()関数において以下のセキュリティ上の問題が発見されました：

無限リダイレクトループによるサービス拒否攻撃（DoS）の可能性
プライベートネットワークアドレスへのリダイレクトを利用したSSRF（サーバーサイドリクエストフォージェリ）攻撃の可能性
リダイレクト操作による意図しないURLスキームへのアクセスの可能性

修正されたバージョン

1.3.xシリーズ：1.3.4へアップデート
1.2.xシリーズ：1.2.11へアップデート
1.1.xシリーズ：1.1.11へアップデート
1.0.xシリーズ：1.0.14へアップデート

変更内容

本セキュリティアップデートでは、以下の修正が実施されました：

無限リダイレクトループを防ぐため、最大リダイレクト回数（5回）の制限を導入
元のリクエストと同じスキーム（HTTP/HTTPS）のみにリダイレクトを制限
SSRFを防止するため、プライベートネットワークアドレスへのリダイレクトをブロック

アップデート方法

以下のコマンドで最新のセキュアバージョンにアップデートできます：

# npmユーザーの場合
npm update @fedify/fedify

# Denoユーザーの場合
deno add jsr:@fedify/fedify

この脆弱性を責任を持って報告していただいたセキュリティ研究者の方に感謝申し上げます。迅速な対応が可能となりました。

本脆弱性の詳細については、セキュリティ勧告をご参照ください。

ご質問やご懸念がございましたら、GitHub Discussions、Matrixチャットスペース、またはDiscordサーバーまでお気軽にご連絡ください。

Fedify: an ActivityPub server framework

@fedify@hollo.social · Reply to Fedify: an ActivityPub server framework's post

脆弱性の詳細

セキュリティ研究者により、FedifyのlookupWebFinger()関数において以下のセキュリティ上の問題が発見されました：

無限リダイレクトループによるサービス拒否攻撃（DoS）の可能性
プライベートネットワークアドレスへのリダイレクトを利用したSSRF（サーバーサイドリクエストフォージェリ）攻撃の可能性
リダイレクト操作による意図しないURLスキームへのアクセスの可能性

修正されたバージョン

1.3.xシリーズ：1.3.4へアップデート
1.2.xシリーズ：1.2.11へアップデート
1.1.xシリーズ：1.1.11へアップデート
1.0.xシリーズ：1.0.14へアップデート

変更内容

本セキュリティアップデートでは、以下の修正が実施されました：

無限リダイレクトループを防ぐため、最大リダイレクト回数（5回）の制限を導入
元のリクエストと同じスキーム（HTTP/HTTPS）のみにリダイレクトを制限
SSRFを防止するため、プライベートネットワークアドレスへのリダイレクトをブロック

アップデート方法

以下のコマンドで最新のセキュアバージョンにアップデートできます：

# npmユーザーの場合
npm update @fedify/fedify

# Denoユーザーの場合
deno add jsr:@fedify/fedify

この脆弱性を責任を持って報告していただいたセキュリティ研究者の方に感謝申し上げます。迅速な対応が可能となりました。

本脆弱性の詳細については、セキュリティ勧告をご参照ください。

ご質問やご懸念がございましたら、GitHub Discussions、Matrixチャットスペース、またはDiscordサーバーまでお気軽にご連絡ください。

Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released #security updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a #vulnerability in #Fedify's #WebFinger implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

Perform denial of service attacks through infinite redirect loops
Execute server-side request forgery (#SSRF) attacks via redirects to private network addresses
Access unintended URL schemes through redirect manipulation

Fixed Versions

1.3.x series: Update to 1.3.4
1.2.x series: Update to 1.2.11
1.1.x series: Update to 1.1.11
1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

Added a maximum redirect limit (5) to prevent infinite redirect loops
Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Fedify: an ActivityPub server framework

@fedify@hollo.social

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

Perform denial of service attacks through infinite redirect loops
Execute server-side request forgery (#SSRF) attacks via redirects to private network addresses
Access unintended URL schemes through redirect manipulation

Fixed Versions

1.3.x series: Update to 1.3.4
1.2.x series: Update to 1.2.11
1.1.x series: Update to 1.1.11
1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

Added a maximum redirect limit (5) to prevent infinite redirect loops
Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Fedify: an ActivityPub server framework

@fedify@hollo.social

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

Perform denial of service attacks through infinite redirect loops
Execute server-side request forgery (#SSRF) attacks via redirects to private network addresses
Access unintended URL schemes through redirect manipulation

Fixed Versions

1.3.x series: Update to 1.3.4
1.2.x series: Update to 1.2.11
1.1.x series: Update to 1.1.11
1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

Added a maximum redirect limit (5) to prevent infinite redirect loops
Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Fedify: an ActivityPub server framework

@fedify@hollo.social

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

Perform denial of service attacks through infinite redirect loops
Execute server-side request forgery (#SSRF) attacks via redirects to private network addresses
Access unintended URL schemes through redirect manipulation

Fixed Versions

1.3.x series: Update to 1.3.4
1.2.x series: Update to 1.2.11
1.1.x series: Update to 1.1.11
1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

Added a maximum redirect limit (5) to prevent infinite redirect loops
Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Fedify: an ActivityPub server framework

@fedify@hollo.social · Reply to Fedify: an ActivityPub server framework's post

脆弱性の詳細

セキュリティ研究者により、FedifyのlookupWebFinger()関数において以下のセキュリティ上の問題が発見されました：

無限リダイレクトループによるサービス拒否攻撃（DoS）の可能性
プライベートネットワークアドレスへのリダイレクトを利用したSSRF（サーバーサイドリクエストフォージェリ）攻撃の可能性
リダイレクト操作による意図しないURLスキームへのアクセスの可能性

修正されたバージョン

1.3.xシリーズ：1.3.4へアップデート
1.2.xシリーズ：1.2.11へアップデート
1.1.xシリーズ：1.1.11へアップデート
1.0.xシリーズ：1.0.14へアップデート

変更内容

本セキュリティアップデートでは、以下の修正が実施されました：

無限リダイレクトループを防ぐため、最大リダイレクト回数（5回）の制限を導入
元のリクエストと同じスキーム（HTTP/HTTPS）のみにリダイレクトを制限
SSRFを防止するため、プライベートネットワークアドレスへのリダイレクトをブロック

アップデート方法

以下のコマンドで最新のセキュアバージョンにアップデートできます：

# npmユーザーの場合
npm update @fedify/fedify

# Denoユーザーの場合
deno add jsr:@fedify/fedify

この脆弱性を責任を持って報告していただいたセキュリティ研究者の方に感謝申し上げます。迅速な対応が可能となりました。

本脆弱性の詳細については、セキュリティ勧告をご参照ください。

ご質問やご懸念がございましたら、GitHub Discussions、Matrixチャットスペース、またはDiscordサーバーまでお気軽にご連絡ください。

Fedify: an ActivityPub server framework

@fedify@hollo.social

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

Perform denial of service attacks through infinite redirect loops
Execute server-side request forgery (#SSRF) attacks via redirects to private network addresses
Access unintended URL schemes through redirect manipulation

Fixed Versions

1.3.x series: Update to 1.3.4
1.2.x series: Update to 1.2.11
1.1.x series: Update to 1.1.11
1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

Added a maximum redirect limit (5) to prevent infinite redirect loops
Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Fedify: an ActivityPub server framework

@fedify@hollo.social · Reply to Fedify: an ActivityPub server framework's post

脆弱性の詳細

セキュリティ研究者により、FedifyのlookupWebFinger()関数において以下のセキュリティ上の問題が発見されました：

無限リダイレクトループによるサービス拒否攻撃（DoS）の可能性
プライベートネットワークアドレスへのリダイレクトを利用したSSRF（サーバーサイドリクエストフォージェリ）攻撃の可能性
リダイレクト操作による意図しないURLスキームへのアクセスの可能性

修正されたバージョン

1.3.xシリーズ：1.3.4へアップデート
1.2.xシリーズ：1.2.11へアップデート
1.1.xシリーズ：1.1.11へアップデート
1.0.xシリーズ：1.0.14へアップデート

変更内容

本セキュリティアップデートでは、以下の修正が実施されました：

無限リダイレクトループを防ぐため、最大リダイレクト回数（5回）の制限を導入
元のリクエストと同じスキーム（HTTP/HTTPS）のみにリダイレクトを制限
SSRFを防止するため、プライベートネットワークアドレスへのリダイレクトをブロック

アップデート方法

以下のコマンドで最新のセキュアバージョンにアップデートできます：

# npmユーザーの場合
npm update @fedify/fedify

# Denoユーザーの場合
deno add jsr:@fedify/fedify

この脆弱性を責任を持って報告していただいたセキュリティ研究者の方に感謝申し上げます。迅速な対応が可能となりました。

本脆弱性の詳細については、セキュリティ勧告をご参照ください。

ご質問やご懸念がございましたら、GitHub Discussions、Matrixチャットスペース、またはDiscordサーバーまでお気軽にご連絡ください。

Fedify: an ActivityPub server framework

@fedify@hollo.social · Reply to Fedify: an ActivityPub server framework's post

#Fedify 프레임워크의 #WebFinger 구현에서 발견된 보안 취약점 CVE-2025-23221을 해결하기 위한 보안 업데이트(1.0.14, 1.1.11, 1.2.11, 1.3.4)를 배포했습니다. 모든 사용자께서는 각자 사용 중인 버전에 해당하는 최신 버전으로 즉시 업데이트하시기를 권장합니다.

취약점 내용

보안 연구자가 Fedify의 lookupWebFinger() 함수에서 다음과 같은 보안 문제점들을 발견했습니다:

무한 리다이렉트 루프를 통한 서비스 거부 공격 가능
내부 네트워크 주소로의 리다이렉트를 통한 SSRF (서버측 요청 위조) 공격 가능
리다이렉트 조작을 통한 의도하지 않은 URL 스킴 접근 가능

수정된 버전

1.3.x 시리즈: 1.3.4로 업데이트
1.2.x 시리즈: 1.2.11로 업데이트
1.1.x 시리즈: 1.1.11로 업데이트
1.0.x 시리즈: 1.0.14로 업데이트

변경 사항

이번 보안 업데이트에는 다음과 같은 수정 사항이 포함되어 있습니다:

무한 리다이렉트 루프를 방지하기 위해 최대 리다이렉트 횟수 제한(5회) 도입
원래 요청과 동일한 스킴(HTTP/HTTPS)으로만 리다이렉트 허용하도록 제한
SSRF 공격 방지를 위해 내부 네트워크 주소로의 리다이렉트 차단

업데이트 방법

다음 명령어로 최신 보안 버전으로 업데이트하실 수 있습니다:

# npm 사용자의 경우
npm update @fedify/fedify

# Deno 사용자의 경우
deno add jsr:@fedify/fedify

이 취약점을 책임감 있게 보고해 주신 보안 연구자께 감사드립니다. 덕분에 신속하게 문제를 해결할 수 있었습니다.

이 취약점에 대한 자세한 내용은 보안 권고문을 참고해 주시기 바랍니다.

문의 사항이나 우려 사항이 있으시다면 GitHub Discussions나 Matrix 채팅방, 또는 Discord 서버를 통해 언제든 연락해 주시기 바랍니다.

#보안 #보안패치 #취약점 #SSRF

Fedify: an ActivityPub server framework

@fedify@hollo.social · Reply to Fedify: an ActivityPub server framework's post

脆弱性の詳細

セキュリティ研究者により、FedifyのlookupWebFinger()関数において以下のセキュリティ上の問題が発見されました：

無限リダイレクトループによるサービス拒否攻撃（DoS）の可能性
プライベートネットワークアドレスへのリダイレクトを利用したSSRF（サーバーサイドリクエストフォージェリ）攻撃の可能性
リダイレクト操作による意図しないURLスキームへのアクセスの可能性

修正されたバージョン

1.3.xシリーズ：1.3.4へアップデート
1.2.xシリーズ：1.2.11へアップデート
1.1.xシリーズ：1.1.11へアップデート
1.0.xシリーズ：1.0.14へアップデート

変更内容

本セキュリティアップデートでは、以下の修正が実施されました：

無限リダイレクトループを防ぐため、最大リダイレクト回数（5回）の制限を導入
元のリクエストと同じスキーム（HTTP/HTTPS）のみにリダイレクトを制限
SSRFを防止するため、プライベートネットワークアドレスへのリダイレクトをブロック

アップデート方法

以下のコマンドで最新のセキュアバージョンにアップデートできます：

# npmユーザーの場合
npm update @fedify/fedify

# Denoユーザーの場合
deno add jsr:@fedify/fedify

この脆弱性を責任を持って報告していただいたセキュリティ研究者の方に感謝申し上げます。迅速な対応が可能となりました。

本脆弱性の詳細については、セキュリティ勧告をご参照ください。

ご質問やご懸念がございましたら、GitHub Discussions、Matrixチャットスペース、またはDiscordサーバーまでお気軽にご連絡ください。

Fedify: an ActivityPub server framework

@fedify@hollo.social · Reply to Fedify: an ActivityPub server framework's post

취약점 내용

보안 연구자가 Fedify의 lookupWebFinger() 함수에서 다음과 같은 보안 문제점들을 발견했습니다:

무한 리다이렉트 루프를 통한 서비스 거부 공격 가능
내부 네트워크 주소로의 리다이렉트를 통한 SSRF (서버측 요청 위조) 공격 가능
리다이렉트 조작을 통한 의도하지 않은 URL 스킴 접근 가능

수정된 버전

1.3.x 시리즈: 1.3.4로 업데이트
1.2.x 시리즈: 1.2.11로 업데이트
1.1.x 시리즈: 1.1.11로 업데이트
1.0.x 시리즈: 1.0.14로 업데이트

변경 사항

이번 보안 업데이트에는 다음과 같은 수정 사항이 포함되어 있습니다:

무한 리다이렉트 루프를 방지하기 위해 최대 리다이렉트 횟수 제한(5회) 도입
원래 요청과 동일한 스킴(HTTP/HTTPS)으로만 리다이렉트 허용하도록 제한
SSRF 공격 방지를 위해 내부 네트워크 주소로의 리다이렉트 차단

업데이트 방법

다음 명령어로 최신 보안 버전으로 업데이트하실 수 있습니다:

# npm 사용자의 경우
npm update @fedify/fedify

# Deno 사용자의 경우
deno add jsr:@fedify/fedify

이 취약점을 책임감 있게 보고해 주신 보안 연구자께 감사드립니다. 덕분에 신속하게 문제를 해결할 수 있었습니다.

이 취약점에 대한 자세한 내용은 보안 권고문을 참고해 주시기 바랍니다.

문의 사항이나 우려 사항이 있으시다면 GitHub Discussions나 Matrix 채팅방, 또는 Discord 서버를 통해 언제든 연락해 주시기 바랍니다.

#보안 #보안패치 #취약점 #SSRF

Fedify: an ActivityPub server framework

@fedify@hollo.social

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

Perform denial of service attacks through infinite redirect loops
Execute server-side request forgery (#SSRF) attacks via redirects to private network addresses
Access unintended URL schemes through redirect manipulation

Fixed Versions

1.3.x series: Update to 1.3.4
1.2.x series: Update to 1.2.11
1.1.x series: Update to 1.1.11
1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

Added a maximum redirect limit (5) to prevent infinite redirect loops
Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Fedify: an ActivityPub server framework

@fedify@hollo.social

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

Perform denial of service attacks through infinite redirect loops
Execute server-side request forgery (#SSRF) attacks via redirects to private network addresses
Access unintended URL schemes through redirect manipulation

Fixed Versions

1.3.x series: Update to 1.3.4
1.2.x series: Update to 1.2.11
1.1.x series: Update to 1.1.11
1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

Added a maximum redirect limit (5) to prevent infinite redirect loops
Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Fedify: an ActivityPub server framework

@fedify@hollo.social

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

Perform denial of service attacks through infinite redirect loops
Execute server-side request forgery (#SSRF) attacks via redirects to private network addresses
Access unintended URL schemes through redirect manipulation

Fixed Versions

1.3.x series: Update to 1.3.4
1.2.x series: Update to 1.2.11
1.1.x series: Update to 1.1.11
1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

Added a maximum redirect limit (5) to prevent infinite redirect loops
Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

@reiver ⊼ (Charles)

@reiver@mastodon.social · Reply to @reiver ⊼ (Charles) :batman:'s post

webfinger & fediverse

Issue №4:

Having to make one HTTP to WebFinger to resolve a Fediverse ID (such as "＠joeblow＠example·com"), and then make another HTTP request to get the activity document ("application/activity+json") — adds an extra HTTP request.

Using a well-known path to resolve the Fediverse ID and get the activity document ("application/activity+json") — in one HTTP request would be better.

...

@reiver ⊼ (Charles)

@reiver@mastodon.social · Reply to @reiver ⊼ (Charles) :batman:'s post

webfinger & fediverse

Issue №3:

If we are going to use Internet domain-names, maybe host-meta could be replaced by a DNS TXT or DNS SRV record — that is used to specify what host to connect to to resolved a Fediverse ID like "＠joeblow＠example·com" to an activity document ("application/activity+json").

...

@reiver ⊼ (Charles)

@reiver@mastodon.social · Reply to @reiver ⊼ (Charles) :batman:'s post

webfinger & fediverse

Issue №2:

host-meta is in XML (where everything else is in JSON).

I am NOT saying I am a fan of JSON, but — I think it would be easier for developers if only JSON xor XML was used (but not both).

(host-meta is used to specify where WebFinger is. It does not necessarily have to be at "/.well-known/webfinger". And doesn't have to be on the same host.)

...

@reiver ⊼ (Charles)

@reiver@mastodon.social · Reply to @reiver ⊼ (Charles) :batman:'s post

webfinger & fediverse

Issue №1:

host-meta is yet another format to write encoders and decoders for.

(host-meta is used to specify where WebFinger is. It does not necessarily have to be at "/.well-known/webfinger". And doesn't have to be on the same host.)

...

@reiver ⊼ (Charles)

@reiver@mastodon.social · Reply to @reiver ⊼ (Charles) :batman:'s post

webfinger & fediverse

Their reason (for wanting to replace WebFinger):

“While useful, Webfinger is not part of the ActivityPub specification”

Why does that matter?

Having said that, (I do think) there some issues with WebFinger that could motivate one to replace it.

But that would mean that — any replacement MUST address these issues.

...

https://github.com/mastodon/mastodon/issues/17030

@reiver ⊼ (Charles)

@reiver@mastodon.social

webfinger & fediverse

It seems like someone wants everyone on the Fedivese to stop using WebFinger.

(WebFinger is used to resolve a Fediverse ID like "＠joeblow＠example·com" to an activity document ("application/activity+json").)

...

#ActivityPub #AtomFeed #Fediverse #WebFinger

ALT text details

Ditching the webfinger requirement #17030 While useful, Webfinger is not part of the ActivityPub specification itself, and the ad-hoc mechanism from going from an ActivityPub actor URI to a canonical acct: URI is pretty clunky.

@reiver ⊼ (Charles)

@reiver@mastodon.social

The Fediverse's usage of rel-self in WebFinger, to point to an ActivityPub Activity file (application/activity+json), seem different than how Atom feeds uses rel-self.

The semantics seem different.

(I am assuming ActivityPub borrowed rel-self from Atom feeds.)

Ку 🇧🇬🇪🇺

@kunev@kitty.social

#Debugging #activitypub implementations seems to be quite hard. I've got a pretty simple server set up that for now only serves information for one Actor of type Service. My goal at some point is to have this be a working bot that does things. But for the time being I'm still struggling to get other servers to actually consume that actor from my server. I've got #webfinger working I believe correctly (here) and the ID it returns responds with what seems to me like a valid Actor json-id (here). However the several instances I've tried accessing it from all seem to not be able to consume that for any reason. Misskeys end up with an An error has occurred message, mastodons just say they're not finding anything.

With the misskeys at least I see a request coming in to /.well-known/webfinger, but mastodon instances don't seem to attempt to make any call, even if I search directly for the URL of the actor object. Meanwhile fedify lookup seems to be fine with what it gets from the webfinger request since it then proceeds to hit the actor URL as well and prints out the json-ld it gets from it.

There don't seem to be any tools that I can point at a resource and have them tell me what it is I haven't implemented properly which is a bit frustrating.

Fedify: an ActivityPub server framework

@fedify@hollo.social · Reply to Fedify: an ActivityPub server framework's post

The #Fedify docs now have a section on actor identifiers and #WebFinger usernames.

https://unstable.fedify.dev/manual/actor#actor-identifier-and-webfinger-username

Maho Pacheco 🦝🍻

@mapache@hachyderm.io

Part 3 of "A Guide to Implementing ActivityPub in a Static Site (or Any Website)" is just out the oven!

In this blog post, I explain how to make your blog discoverable in the Fediverse as an account, and also address some of the annoying pitfalls I encountered.

Full article here: https://maho.dev/2024/02/a-guide-to-implementing-activitypub-in-a-static-site-or-any-website-part-3/

If you like it don't forget to follow the @blog !

#fediverse #activitypub #static-sites #hugo #azure #mastodon #web-development #social-web #webfinger #http

Fedify: an ActivityPub server framework

@fedify@hollo.social · Reply to Fedify: an ActivityPub server framework's post

#Fedify 프레임워크는 #연합우주 (#fediverse) 개발에 중요한 기능들을 기본으로 내장하고 있습니다:

#WebFinger 클라이언트와 서버
HTTP 서명 (HTTP Signatures)
객체 무결성 증명 (Object Integrity Proofs)
NodeInfo 프로토콜
바퀴를 재발명할 필요 없어요—#ActivityPub 표준을 위한 핵심 기능을 갖추고 있습니다! 📦

Fedify: an ActivityPub server framework

@fedify@hollo.social · Reply to Fedify: an ActivityPub server framework's post

Out of the box, #Fedify comes packed with features crucial for #fediverse development:

#WebFinger client and server
HTTP Signatures
Object Integrity Proofs
NodeInfo protocol
No need to reinvent the wheel—Fedify has you covered for core #ActivityPub standards! 📦

洪民憙 (Hong Minhee) 🤏🏼

@hongminhee@todon.eu

#Fedify is an #ActivityPub server framework in #TypeScript & #JavaScript. It aims to eliminate the complexity and redundant boilerplate code when building a federated server app, so that you can focus on your business logic and user experience.

The key features it provides currently are:

• Type-safe objects for Activity Vocabulary (including some vendor-specific extensions)
• #WebFinger client and server
• HTTP Signatures
• Middleware for handling webhooks
• #NodeInfo protocol
• #Node.js, #Deno, and #Bun support
• CLI toolchain for testing and debugging

If you're curious, take a look at the Fedify website! There's comprehensive docs, a demo, a tutorial, example code, and more: