Merge tag '1.0.7' into 1.1-maintenance

Fedify 1.0.7

CHANGES.md

@@ -8,6 +8,10 @@ Version 1.1.3
 
 To be released.
 
+ -  Fixed a bug where `fetchDocumentLoader()` function had disallowed
+    redirecting to a private network address when the second parameter,
+    a `boolean` value to allow private network addresses, was `true`.
+
 
 Version 1.1.2
 -------------
@@ -129,6 +133,16 @@ Released on October 20, 2024.
 [#150]: https://github.com/dahlia/fedify/issues/150
 
 
+Version 1.0.7
+-------------
+
+Released on October 31, 2024.
+
+ -  Fixed a bug where `fetchDocumentLoader()` function had disallowed
+    redirecting to a private network address when the second parameter,
+    a `boolean` value to allow private network addresses, was `true`.
+
+
 Version 1.0.6
 -------------
 
@@ -368,6 +382,16 @@ Released on September 26, 2024.
 [#137]: https://github.com/dahlia/fedify/issues/137
 
 
+Version 0.15.5
+--------------
+
+Released on October 30, 2024.
+
+ -  Fixed a bug where `fetchDocumentLoader()` function had disallowed
+    redirecting to a private network address when the second parameter,
+    a `boolean` value to allow private network addresses, was `true`.
+
+
 Version 0.15.4
 --------------
 

src/runtime/docloader.test.ts

@@ -217,8 +217,6 @@ test("fetchDocumentLoader()", async (t) => {
     );
   });
 
-  mf.uninstall();
-
   await t.step("preloaded contexts", async () => {
     for (const [url, document] of Object.entries(preloadedContexts)) {
       assertEquals(await fetchDocumentLoader(url), {
@@ -236,12 +234,69 @@ test("fetchDocumentLoader()", async (t) => {
     );
   });
 
-  await t.step("deny private network", async () => {
+  mf.mock(
+    "GET@/localhost-redirect",
+    (_req) => Response.redirect("https://localhost/object", 302),
+  );
+
+  mf.mock("GET@/localhost-link", (_req) =>
+    new Response(
+      `<html>
+        <head>
+          <meta charset=utf-8>
+          <link
+            rel=alternate
+            type='application/activity+json'
+            href="https://localhost/object">
+        </head>
+      </html>`,
+      {
+        status: 200,
+        headers: { "Content-Type": "text/html; charset=utf-8" },
+      },
+    ));
+
+  await t.step("allowPrivateAddress: false", async () => {
+    await assertRejects(
+      () => fetchDocumentLoader("https://localhost/object"),
+      UrlError,
+    );
+    await assertRejects(
+      () => fetchDocumentLoader("https://example.com/localhost-redirect"),
+      UrlError,
+    );
     await assertRejects(
-      () => fetchDocumentLoader("https://localhost"),
+      () => fetchDocumentLoader("https://example.com/localhost-link"),
       UrlError,
     );
   });
+
+  await t.step("allowPrivateAddress: true", async () => {
+    const expected = {
+      contextUrl: null,
+      documentUrl: "https://localhost/object",
+      document: {
+        "@context": "https://www.w3.org/ns/activitystreams",
+        id: "https://example.com/object",
+        name: "Fetched object",
+        type: "Object",
+      },
+    };
+    assertEquals(
+      await fetchDocumentLoader("https://localhost/object", true),
+      expected,
+    );
+    assertEquals(
+      await fetchDocumentLoader("https://example.com/localhost-redirect", true),
+      expected,
+    );
+    assertEquals(
+      await fetchDocumentLoader("https://example.com/localhost-link", true),
+      expected,
+    );
+  });
+
+  mf.uninstall();
 });
 
 test("getAuthenticatedDocumentLoader()", async (t) => {

src/runtime/docloader.ts

@@ -251,7 +251,10 @@ export async function fetchDocumentLoader(
     response.status >= 300 && response.status < 400 &&
     response.headers.has("Location")
   ) {
-    return fetchDocumentLoader(response.headers.get("Location")!);
+    return fetchDocumentLoader(
+      response.headers.get("Location")!,
+      allowPrivateAddress,
+    );
   }
   return getRemoteDocument(
     url,