Merge tag '2.1.1'

Fedify 2.1.1

Author: dahlia

.github/workflows/build.yaml

@@ -55,17 +55,12 @@ jobs:
             echo "Skipping private package: $pkg"
             continue
           fi
-          if [[ "$TAG" = "latest" ]]; then
-            npm publish --logs-dir=. --provenance --access public "$pkg" \
-              || grep "Cannot publish over previously published version" *.log
-          else
-            npm publish \
-              --logs-dir=. \
-              --provenance \
-              --access public \
-              --tag "$TAG" \
-              "$pkg" \
-              || grep "Cannot publish over previously published version" *.log
-          fi
+          npm publish \
+            --logs-dir=. \
+            --provenance \
+            --access public \
+            --tag "$TAG" \
+            "$pkg" \
+            || grep "Cannot publish over previously published version" *.log
           rm -f *.log
         done

CHANGES.md

@@ -9,6 +9,28 @@ Version 2.2.0
 To be released.
 
 
+Version 2.1.1
+-------------
+
+Released on March 27, 2026.
+
+### @fedify/fedify
+
+ -  Limited the number of HTTP redirects followed by the remote document
+    loaders and signed HTTP fetches to mitigate resource exhaustion during
+    remote key and document resolution.  [[CVE-2026-34148] by Abhinav Jaswal]
+
+ -  Stopped the remote document loaders and signed HTTP fetches from
+    revisiting the same URL within a redirect chain, preventing
+    self-referential redirect loops.  [[CVE-2026-34148] by Abhinav Jaswal]
+
+ -  Persisted negative public key cache entries for failed remote key
+    fetches, reducing repeated retries against the same unavailable key
+    across requests.  [[CVE-2026-34148] by Abhinav Jaswal]
+
+[CVE-2026-34148]: https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp
+
+
 Version 2.1.0
 -------------
 
@@ -210,6 +232,26 @@ Released on March 24, 2026.
 [#599]: https://github.com/fedify-dev/fedify/pull/599
 
 
+Version 2.0.8
+-------------
+
+Released on March 27, 2026.
+
+### @fedify/fedify
+
+ -  Limited the number of HTTP redirects followed by the remote document
+    loaders and signed HTTP fetches to mitigate resource exhaustion during
+    remote key and document resolution.  [[CVE-2026-34148] by Abhinav Jaswal]
+
+ -  Stopped the remote document loaders and signed HTTP fetches from
+    revisiting the same URL within a redirect chain, preventing
+    self-referential redirect loops.  [[CVE-2026-34148] by Abhinav Jaswal]
+
+ -  Persisted negative public key cache entries for failed remote key
+    fetches, reducing repeated retries against the same unavailable key
+    across requests.  [[CVE-2026-34148] by Abhinav Jaswal]
+
+
 Version 2.0.7
 -------------
 
@@ -924,6 +966,26 @@ Released on February 22, 2026.
 [#351]: https://github.com/fedify-dev/fedify/issues/351
 
 
+Version 1.10.5
+--------------
+
+Released on March 27, 2026.
+
+### @fedify/fedify
+
+ -  Limited the number of HTTP redirects followed by the remote document
+    loaders and signed HTTP fetches to mitigate resource exhaustion during
+    remote key and document resolution.  [[CVE-2026-34148] by Abhinav Jaswal]
+
+ -  Stopped the remote document loaders and signed HTTP fetches from
+    revisiting the same URL within a redirect chain, preventing
+    self-referential redirect loops.  [[CVE-2026-34148] by Abhinav Jaswal]
+
+ -  Persisted negative public key cache entries for failed remote key
+    fetches, reducing repeated retries against the same unavailable key
+    across requests.  [[CVE-2026-34148] by Abhinav Jaswal]
+
+
 Version 1.10.4
 --------------
 
@@ -1077,6 +1139,26 @@ Released on December 24, 2025.
  -  Implemented `list()` method in `WorkersKvStore`.  [[#498], [#500]]
 
 
+Version 1.9.6
+-------------
+
+Released on March 27, 2026.
+
+### @fedify/fedify
+
+ -  Limited the number of HTTP redirects followed by the remote document
+    loaders and signed HTTP fetches to mitigate resource exhaustion during
+    remote key and document resolution.  [[CVE-2026-34148] by Abhinav Jaswal]
+
+ -  Stopped the remote document loaders and signed HTTP fetches from
+    revisiting the same URL within a redirect chain, preventing
+    self-referential redirect loops.  [[CVE-2026-34148] by Abhinav Jaswal]
+
+ -  Persisted negative public key cache entries for failed remote key
+    fetches, reducing repeated retries against the same unavailable key
+    across requests.  [[CVE-2026-34148] by Abhinav Jaswal]
+
+
 Version 1.9.5
 -------------
 

packages/fedify/src/sig/http.test.ts

@@ -1775,6 +1775,82 @@ test("doubleKnock() complex redirect chain test", async () => {
   fetchMock.hardReset();
 });
 
+test("doubleKnock() throws on too many redirects", async () => {
+  fetchMock.spyGlobal();
+
+  let requestCount = 0;
+  fetchMock.post("begin:https://example.com/too-many-redirects/", (cl) => {
+    requestCount++;
+    const index = Number(cl.url.split("/").at(-1));
+    return Response.redirect(
+      `https://example.com/too-many-redirects/${index + 1}`,
+      302,
+    );
+  });
+
+  const request = new Request("https://example.com/too-many-redirects/0", {
+    method: "POST",
+    body: "Redirect loop",
+    headers: {
+      "Content-Type": "text/plain",
+    },
+  });
+
+  await assertRejects(
+    () =>
+      doubleKnock(
+        request,
+        {
+          keyId: rsaPublicKey2.id!,
+          privateKey: rsaPrivateKey2,
+        },
+      ),
+    Error,
+    "Too many redirections",
+  );
+  assertEquals(requestCount, 21);
+
+  fetchMock.hardReset();
+});
+
+test("doubleKnock() detects redirect loops", async () => {
+  fetchMock.spyGlobal();
+
+  let requestCount = 0;
+  fetchMock.post("https://example.com/redirect-loop-a", () => {
+    requestCount++;
+    return Response.redirect("https://example.com/redirect-loop-b", 302);
+  });
+  fetchMock.post("https://example.com/redirect-loop-b", () => {
+    requestCount++;
+    return Response.redirect("https://example.com/redirect-loop-a", 302);
+  });
+
+  const request = new Request("https://example.com/redirect-loop-a", {
+    method: "POST",
+    body: "Redirect loop",
+    headers: {
+      "Content-Type": "text/plain",
+    },
+  });
+
+  await assertRejects(
+    () =>
+      doubleKnock(
+        request,
+        {
+          keyId: rsaPublicKey2.id!,
+          privateKey: rsaPrivateKey2,
+        },
+      ),
+    Error,
+    "Redirect loop detected",
+  );
+  assertEquals(requestCount, 2);
+
+  fetchMock.hardReset();
+});
+
 test("doubleKnock() async specDeterminer test", async () => {
   // Install mock fetch handler
   fetchMock.spyGlobal();

packages/fedify/src/sig/http.ts

@@ -1,5 +1,5 @@
 import { CryptographicKey } from "@fedify/vocab";
-import type { DocumentLoader } from "@fedify/vocab-runtime";
+import { type DocumentLoader, FetchError } from "@fedify/vocab-runtime";
 import { getLogger } from "@logtape/logtape";
 import {
   type Span,
@@ -34,6 +34,8 @@ import {
   validateCryptoKey,
 } from "./key.ts";
 
+const DEFAULT_MAX_REDIRECTION = 20;
+
 /**
  * The standard to use for signing and verifying HTTP signatures.
  * @since 1.6.0
@@ -1605,8 +1607,19 @@ export async function doubleKnock(
   request: Request,
   identity: { keyId: URL; privateKey: CryptoKey },
   options: DoubleKnockOptions = {},
+): Promise<Response> {
+  return await doubleKnockInternal(request, identity, options);
+}
+
+async function doubleKnockInternal(
+  request: Request,
+  identity: { keyId: URL; privateKey: CryptoKey },
+  options: DoubleKnockOptions,
+  redirected = 0,
+  visited = new Set<string>(),
 ): Promise<Response> {
   const { specDeterminer, log, tracerProvider, signal } = options;
+  visited.add(request.url);
   const origin = new URL(request.url).origin;
   const firstTrySpec: HttpMessageSignaturesSpec = specDeterminer == null
     ? "rfc9421"
@@ -1638,11 +1651,26 @@ export async function doubleKnock(
     response.status >= 300 && response.status < 400 &&
     response.headers.has("Location")
   ) {
+    if (redirected >= DEFAULT_MAX_REDIRECTION) {
+      throw new FetchError(
+        request.url,
+        `Too many redirections (${redirected + 1})`,
+      );
+    }
     const location = response.headers.get("Location")!;
-    return doubleKnock(
-      createRedirectRequest(request, location, body),
+    const redirectRequest = createRedirectRequest(request, location, body);
+    if (visited.has(redirectRequest.url)) {
+      throw new FetchError(
+        request.url,
+        `Redirect loop detected: ${redirectRequest.url}`,
+      );
+    }
+    return doubleKnockInternal(
+      redirectRequest,
       identity,
       { ...options, body },
+      redirected + 1,
+      visited,
     );
   } else if (
     // FIXME: Temporary hotfix for Mastodon RFC 9421 implementation bug (as of 2025-06-19).
@@ -1764,11 +1792,26 @@ export async function doubleKnock(
       response.status >= 300 && response.status < 400 &&
       response.headers.has("Location")
     ) {
+      if (redirected >= DEFAULT_MAX_REDIRECTION) {
+        throw new FetchError(
+          request.url,
+          `Too many redirections (${redirected + 1})`,
+        );
+      }
       const location = response.headers.get("Location")!;
-      return doubleKnock(
-        createRedirectRequest(request, location, body),
+      const redirectRequest = createRedirectRequest(request, location, body);
+      if (visited.has(redirectRequest.url)) {
+        throw new FetchError(
+          request.url,
+          `Redirect loop detected: ${redirectRequest.url}`,
+        );
+      }
+      return doubleKnockInternal(
+        redirectRequest,
         identity,
         { ...options, body },
+        redirected + 1,
+        visited,
       );
     } else if (response.status !== 400 && response.status !== 401) {
       await specDeterminer?.rememberSpec(origin, spec);

packages/vocab-runtime/src/docloader.test.ts

@@ -369,6 +369,73 @@ test("getDocumentLoader()", async (t) => {
     );
   });
 
+  let redirectAttempts = 0;
+  fetchMock.get("begin:https://example.com/too-many-redirects/", (cl) => {
+    redirectAttempts++;
+    const index = Number(cl.url.split("/").at(-1));
+    return {
+      status: 302,
+      headers: {
+        Location: `https://example.com/too-many-redirects/${index + 1}`,
+      },
+    };
+  });
+
+  await t.test("too many redirects", async () => {
+    redirectAttempts = 0;
+    await rejects(
+      () => fetchDocumentLoader("https://example.com/too-many-redirects/0"),
+      FetchError,
+      "Too many redirections",
+    );
+    deepStrictEqual(redirectAttempts, 21);
+  });
+
+  let loopAttempts = 0;
+  fetchMock.get("https://example.com/redirect-loop-a", () => {
+    loopAttempts++;
+    return {
+      status: 302,
+      headers: { Location: "https://example.com/redirect-loop-b" },
+    };
+  });
+  fetchMock.get("https://example.com/redirect-loop-b", () => {
+    loopAttempts++;
+    return {
+      status: 302,
+      headers: { Location: "https://example.com/redirect-loop-a" },
+    };
+  });
+
+  await t.test("redirect loop", async () => {
+    loopAttempts = 0;
+    await rejects(
+      () => fetchDocumentLoader("https://example.com/redirect-loop-a"),
+      FetchError,
+      "Redirect loop detected",
+    );
+    deepStrictEqual(loopAttempts, 2);
+  });
+
+  let relativeLoopAttempts = 0;
+  fetchMock.get("https://example.com/redirect-loop-relative", () => {
+    relativeLoopAttempts++;
+    return {
+      status: 302,
+      headers: { Location: "/redirect-loop-relative" },
+    };
+  });
+
+  await t.test("redirect loop with relative location", async () => {
+    relativeLoopAttempts = 0;
+    await rejects(
+      () => fetchDocumentLoader("https://example.com/redirect-loop-relative"),
+      FetchError,
+      "Redirect loop detected",
+    );
+    deepStrictEqual(relativeLoopAttempts, 1);
+  });
+
   // Regression test for ReDoS vulnerability (CVE-2025-68475)
   // Malicious HTML payload: <a a="b" a="b" ... (unclosed tag)
   // With the vulnerable regex, this causes catastrophic backtracking