Harden WebFinger redirect and private-address handling #903

Description

@dahlia

Why

@fedify/webfinger already rejects private-address lookups by default and revalidates redirect targets in packages/webfinger/src/lookup.ts. That is the right direction, but WebFinger is often called on remote input. Its redirect policy should be explicit, well tested, and hard to loosen by accident.

The goal is to make the SSRF boundary easier to audit, not to change the default trust model.

Current code

lookupWebFinger() uses validatePublicUrl() before each fetch unless allowPrivateAddress is true. Redirects are followed manually, cross-protocol redirects are rejected, malformed Location headers are rejected, and maxRedirection has regression tests in packages/webfinger/src/lookup.test.ts.

Scope

Tighten and document the redirect policy in code and tests. Useful cases to cover include:

  • redirects that change from a public hostname to a private IP literal;
  • redirects that use IPv6 loopback or IPv4-mapped IPv6 addresses;
  • redirects with credentials in the authority component;
  • redirects whose normalized host differs from the visible input in a way that could hide a private target;
  • metric attributes for blocked redirect targets, especially activitypub.remote.host.

If validatePublicUrl() already handles a case, add a regression test here so the WebFinger boundary is covered directly.
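As an added example that is not Fedify's own code, the check below covers the redirect cases listed above in one place; `checkRedirectTarget` and its helpers are assumed names rather than @fedify/webfinger APIs, and the block relies on the WHATWG URL parser to canonicalize the host before the private-range test runs.

```typescript
// Added example (not Fedify's code; names are assumptions): returns why a Location
// header received while fetching `from` is rejected, or null if it may be followed.
function parseIpv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m && m.slice(1).every((x) => Number(x) <= 255) ? m.slice(1).map(Number) : null;
}
// Unspecified, loopback, RFC 1918 and link-local IPv4 ranges.
function isPrivateIpv4([a, b]: number[]): boolean {
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}
// Expands an unbracketed IPv6 literal to 8 hextets; handles "::" and a trailing dotted quad.
function expandIpv6(lit: string): number[] | null {
  let s = lit;
  const v4 = /(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/.exec(s);
  if (v4) {
    const o = parseIpv4(v4[1]);
    if (!o) return null;
    s = s.slice(0, -v4[1].length) + ((o[0] << 8) | o[1]).toString(16) + ":" + ((o[2] << 8) | o[3]).toString(16);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const parse = (p: string) => p === "" ? [] : p.split(":").map((h) => /^[0-9a-f]{1,4}$/i.test(h) ? parseInt(h, 16) : NaN);
  const head = parse(halves[0]), tail = halves.length === 2 ? parse(halves[1]) : [];
  if ([...head, ...tail].some(Number.isNaN)) return null;
  const gap = 8 - head.length - tail.length;
  if (halves.length === 2 ? gap < 1 : gap !== 0) return null;
  return [...head, ...Array(halves.length === 2 ? gap : 0).fill(0), ...tail];
}
// ::, ::1, IPv4-mapped private addresses, ULA fc00::/7 and link-local fe80::/10.
function isPrivateIpv6(h: number[]): boolean {
  if (h.slice(0, 5).every((x) => x === 0) && h[5] === 0xffff) return isPrivateIpv4([h[6] >> 8, h[6] & 0xff, h[7] >> 8, h[7] & 0xff]);
  if (h.slice(0, 7).every((x) => x === 0) && h[7] <= 1) return true;
  return (h[0] & 0xfe00) === 0xfc00 || (h[0] & 0xffc0) === 0xfe80;
}
function checkRedirectTarget(from: URL, location: string): string | null {
  let target: URL;
  try { target = new URL(location, from); } catch { return "malformed Location"; }
  if (target.protocol !== from.protocol) return "cross-protocol redirect";
  if (target.username !== "" || target.password !== "") return "credentials in authority";
  // The WHATWG parser has already canonicalized the host (case, 0x7f.0.0.1 -> 127.0.0.1), so the
  // check runs on the normalized form rather than on the visible input.
  const host = target.hostname;
  if (host.startsWith("[")) {
    const hextets = expandIpv6(host.slice(1, -1));
    return !hextets ? "invalid IPv6 literal" : isPrivateIpv6(hextets) ? "private IPv6 target" : null;
  }
  const octets = parseIpv4(host);
  if (octets && isPrivateIpv4(octets)) return "private IPv4 target";
  return host === "localhost" || host.endsWith(".localhost") ? "loopback hostname" : null;
}
```

A `null` verdict only means the target is not a private literal; a DNS-based check of the resolved address is a separate layer and is intentionally not part of this block.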

Non-goals

Do not allow cross-protocol redirects. Do not make private-address lookup opt-out by default. Do not add network DNS probing unless it is already part of the shared URL validation layer.

Suggested checks

Extend packages/webfinger/src/lookup.test.ts with focused redirect cases. If shared URL helpers need coverage, add tests close to their implementation as well.

Metadata

Assignees

No one assigned

Priority

Low

Effort

High

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests