Why
@fedify/webfinger already rejects private-address lookups by default and revalidates redirect targets in packages/webfinger/src/lookup.ts. That is the right direction, but WebFinger is often called on remote input. Its redirect policy should be explicit, well tested, and hard to loosen by accident.
The goal is to make the SSRF boundary easier to audit, not to change the default trust model.
Current code
lookupWebFinger() uses validatePublicUrl() before each fetch unless allowPrivateAddress is true. Redirects are followed manually, cross-protocol redirects are rejected, malformed Location headers are rejected, and maxRedirection has regression tests in packages/webfinger/src/lookup.test.ts.
Scope
Tighten and document the redirect policy in code and tests. Useful cases to cover include:
- redirects that change from a public hostname to a private IP literal;
- redirects that use IPv6 loopback or IPv4-mapped IPv6 addresses;
- redirects with credentials in the authority component;
- redirects whose normalized host differs from the visible input in a way that could hide a private target;
- metric attributes for blocked redirect targets, especially activitypub.remote.host.
If validatePublicUrl() already handles a case, add a regression test here so the WebFinger boundary is covered directly.
Non-goals
Do not allow cross-protocol redirects. Do not make private-address lookup opt-out by default. Do not add network DNS probing unless it is already part of the shared URL validation layer.
Suggested checks
Extend packages/webfinger/src/lookup.test.ts with focused redirect cases. If shared URL helpers need coverage, add tests close to their implementation as well.