Address review feedback on public audience normalization

dahlia · dahlia · commit e4798bab3716 · 2026-04-22T16:05:43.000+09:00
- Iterate over own keys only (Object.keys) instead of for...in in hasPublicCurieInAddressing and rewritePublicAudience, so enumerable inherited properties on the incoming (potentially adversarial) JSON-LD record are not copied into the normalized output. Addresses fedify-dev#710 (comment) and fedify-dev#710 (comment). - Add a URDNA2015 fast-path for JSON-LD documents whose @context is composed entirely of string IRIs. In that case no inline context entry can redefine the `as:` prefix or the bare `Public` term, so the rewrite is provably semantics-preserving and the canonicalization equivalence check can be skipped. Only documents that embed an inline @context object continue to pay the canonicalization cost. Addresses fedify-dev#710 (comment). - Accept either the on-wire form or the normalized form in verifyProof(). createProof() signs the bytes produced *after* normalization, but signObject()'s return value still serializes back to the `as:Public` CURIE form by default, so a caller doing an in-memory sign -> reserialize -> verify round-trip would have seen a spurious signature mismatch. verifyProof() now tries the input as-is first (preserving verification of signatures produced by other implementations that signed the CURIE form) and falls back to the normalized form when the original fails, restoring the signObject()/verifyProof() API contract. Addresses fedify-dev#710 (comment). Added regression tests: the string-only-context fast path uses a throwing contextLoader to prove URDNA2015 is not invoked; a prototype-pollution test confirms inherited keys are not rewritten; and the signObject() test now also verifies a proof directly from `signed.toJsonLd({ format: "compact" })` output (which still contains `as:Public`), exercising the verifyProof() fallback. Assisted-By: Claude Code:claude-opus-4-7
diff --git a/packages/fedify/src/compat/public-audience.test.ts b/packages/fedify/src/compat/public-audience.test.ts
@@ -76,6 +76,45 @@ test("normalizePublicAudience() leaves non-addressing fields untouched", async (
   assertEquals(output.to, PUBLIC_URI);
 });
 
+test("normalizePublicAudience() rewrites without canonicalization for string-only contexts", async () => {
+  // A contextLoader that always throws ensures the canonicalization path
+  // is not taken: if the implementation hit URDNA2015, it would fail.
+  const rejecting: Parameters<typeof normalizePublicAudience>[1] = () => {
+    throw new Error(
+      "contextLoader should not be called for a string-only @context",
+    );
+  };
+  const singleString = await normalizePublicAudience({
+    "@context": AS_CONTEXT,
+    type: "Note",
+    id: "https://example.com/notes/fast1",
+    to: "as:Public",
+  }, rejecting) as Record<string, unknown>;
+  assertEquals(singleString.to, PUBLIC_URI);
+  const arrayOfStrings = await normalizePublicAudience({
+    "@context": [AS_CONTEXT, "https://w3id.org/security/data-integrity/v1"],
+    type: "Note",
+    id: "https://example.com/notes/fast2",
+    to: "as:Public",
+  }, rejecting) as Record<string, unknown>;
+  assertEquals(arrayOfStrings.to, PUBLIC_URI);
+});
+
+test("normalizePublicAudience() does not traverse prototype-polluted keys", async () => {
+  const polluted = Object.create({ to: "as:Public" });
+  polluted["@context"] = AS_CONTEXT;
+  polluted.type = "Note";
+  polluted.id = "https://example.com/notes/proto";
+  const output = await normalizePublicAudience(polluted) as Record<
+    string,
+    unknown
+  >;
+  // The inherited `to` is not copied into the normalized record, so `to`
+  // stays inherited from the prototype with its original CURIE value and
+  // is not a rewritten own property.
+  assertEquals(Object.hasOwn(output, "to"), false);
+});
+
 test("normalizePublicAudience() bails out when the rewrite changes semantics", async () => {
   const input = {
     "@context": {
diff --git a/packages/fedify/src/compat/public-audience.ts b/packages/fedify/src/compat/public-audience.ts
@@ -27,7 +27,7 @@ function hasPublicCurieInAddressing(
   }
   if (typeof value !== "object" || value == null) return false;
   const record = value as Record<string, unknown>;
-  for (const key in record) {
+  for (const key of Object.keys(record)) {
     if (hasPublicCurieInAddressing(record[key], key)) return true;
   }
   return false;
@@ -48,28 +48,48 @@ function rewritePublicAudience(value: unknown, parentKey?: string): unknown {
   if (typeof value !== "object" || value == null) return value;
   const record = value as Record<string, unknown>;
   const normalized: Record<string, unknown> = {};
-  for (const key in record) {
+  for (const key of Object.keys(record)) {
     normalized[key] = rewritePublicAudience(record[key], key);
   }
   return normalized;
 }
 
+/**
+ * Checks whether the `@context` of a JSON-LD document consists exclusively
+ * of string (IRI) entries.  When that is the case, an application-defined
+ * inline context cannot redefine the `as:` prefix or the bare `Public`
+ * term, so the rewrite can be applied without running URDNA2015
+ * canonicalization to verify equivalence.
+ */
+function hasOnlyStringContext(jsonLd: unknown): boolean {
+  if (typeof jsonLd !== "object" || jsonLd == null) return false;
+  const record = jsonLd as Record<string, unknown>;
+  if (!Object.hasOwn(record, "@context")) return false;
+  const ctx = record["@context"];
+  if (typeof ctx === "string") return true;
+  if (Array.isArray(ctx)) return ctx.every((item) => typeof item === "string");
+  return false;
+}
+
 /**
  * Rewrites the compact `as:Public` / `Public` CURIE appearing in activity
  * addressing fields (`to`, `cc`, `bto`, `bcc`, `audience`) to the fully
  * expanded `https://www.w3.org/ns/activitystreams#Public` URI.
  *
- * Several ActivityPub implementations — Lemmy among them — match these
+ * Several ActivityPub implementations, Lemmy among them, match these
  * fields as plain URLs without running JSON-LD expansion, and silently
  * drop activities whose public addressing appears in CURIE form.  This
  * helper works around that gap.
  *
- * The rewrite is gated on a JSON-LD equivalence check: both forms are
- * canonicalized with URDNA2015 and the resulting N-Quads are compared.
- * When they differ — which indicates an application-defined `@context`
- * that redefines the `as:` prefix or the bare `Public` term — the
- * original document is returned unchanged so semantics are preserved.
- * Canonicalization failures also fall back to the original document.
+ * For documents whose `@context` consists only of string IRIs, the rewrite
+ * is applied directly: external contexts cannot redefine the `as:` prefix
+ * or the bare `Public` term for a given document, so the semantics are
+ * preserved by construction.  When `@context` includes an inline object
+ * that might redefine those terms, the rewrite is gated on a JSON-LD
+ * equivalence check; both forms are canonicalized with URDNA2015 and the
+ * resulting N-Quads are compared.  When they differ, the original
+ * document is returned unchanged.  Canonicalization failures also fall
+ * back to the original document.
  *
  * Must be called before any signing step that canonicalizes the
  * compact form byte-for-byte (for example, Object Integrity Proofs
@@ -82,6 +102,7 @@ export async function normalizePublicAudience(
 ): Promise<unknown> {
   if (!hasPublicCurieInAddressing(jsonLd)) return jsonLd;
   const normalized = rewritePublicAudience(jsonLd);
+  if (hasOnlyStringContext(jsonLd)) return normalized;
   const loader = contextLoader ?? getDocumentLoader();
   try {
     const [before, after] = await Promise.all([
diff --git a/packages/fedify/src/sig/proof.test.ts b/packages/fedify/src/sig/proof.test.ts
@@ -302,7 +302,7 @@ test("signObject()", async () => {
   ) as Record<string, unknown>;
   assertEquals(signedJson.to, PUBLIC_COLLECTION.href);
   const verifyCache: Record<string, CryptographicKey | Multikey | null> = {};
-  const verifyingKey = await verifyProof(signedJson, proof, {
+  const verifyOptions: VerifyProofOptions = {
     contextLoader: mockDocumentLoader,
     documentLoader: mockDocumentLoader,
     keyCache: {
@@ -312,8 +312,28 @@ test("signObject()", async () => {
         return Promise.resolve();
       },
     },
-  });
+  };
+  const verifyingKey = await verifyProof(signedJson, proof, verifyOptions);
   assertInstanceOf(verifyingKey, Multikey);
+
+  // Round-trip regression guard: `signObject()` returns a vocab object
+  // whose default `toJsonLd({ format: "compact" })` output still compacts
+  // the public audience to the `as:Public` CURIE, even though the bytes
+  // signed by `createProof()` were first normalized to the expanded URI.
+  // `verifyProof()` must accept either form so the in-memory pipeline
+  // (sign, reserialize, verify) continues to work without every caller
+  // having to know about the public-audience compat helper.
+  const signedJsonWithCurie = await signed.toJsonLd(options) as Record<
+    string,
+    unknown
+  >;
+  assertEquals(signedJsonWithCurie.to, "as:Public");
+  const verifyingKeyFromCurie = await verifyProof(
+    signedJsonWithCurie,
+    proof,
+    verifyOptions,
+  );
+  assertInstanceOf(verifyingKeyFromCurie, Multikey);
 });
 
 test("hasProofLike()", () => {
diff --git a/packages/fedify/src/sig/proof.ts b/packages/fedify/src/sig/proof.ts
@@ -358,18 +358,19 @@ async function verifyProofInternal(
     proofPurpose: proof.proofPurpose,
     created: proof.created.toString(),
   };
-  const proofCanon = serialize(proofConfig);
   const encoder = new TextEncoder();
-  const proofBytes = encoder.encode(proofCanon);
+  const proofBytes = encoder.encode(serialize(proofConfig));
   const proofDigest = await crypto.subtle.digest("SHA-256", proofBytes);
   const msg = { ...jsonLd };
   if ("proof" in msg) delete msg.proof;
-  const msgCanon = serialize(msg);
-  const msgBytes = encoder.encode(msgCanon);
-  const msgDigest = await crypto.subtle.digest("SHA-256", msgBytes);
-  const digest = new Uint8Array(proofDigest.byteLength + msgDigest.byteLength);
-  digest.set(new Uint8Array(proofDigest), 0);
-  digest.set(new Uint8Array(msgDigest), proofDigest.byteLength);
+  // Try the on-wire form first, then fall back to the public-audience
+  // normalized form so that signatures created by `createProof` (which
+  // signs the normalized bytes) still verify when the caller passes the
+  // default `toJsonLd({ format: "compact" })` output that still carries
+  // the `as:Public` CURIE.
+  const candidates: unknown[] = [msg];
+  const normalized = await normalizePublicAudience(msg, options.contextLoader);
+  if (normalized !== msg) candidates.push(normalized);
   let fetchedKey: FetchKeyResult<Multikey> | null;
   try {
     fetchedKey = await publicKeyPromise;
@@ -410,34 +411,41 @@ async function verifyProofInternal(
     );
     return null;
   }
-  const verified = await crypto.subtle.verify(
-    "Ed25519",
-    publicKey.publicKey,
-    proof.proofValue.slice(),
-    digest,
-  );
-  if (!verified) {
-    if (fetchedKey.cached) {
-      logger.debug(
-        "Failed to verify the proof with the cached key {keyId}; retrying " +
-          "with the freshly fetched key...",
-        { keyId: proof.verificationMethodId.href, proof },
-      );
-      return await verifyProof(jsonLd, proof, {
-        ...options,
-        keyCache: {
-          get: () => Promise.resolve(undefined),
-          set: async (keyId, key) => await options.keyCache?.set(keyId, key),
-        },
-      });
-    }
+  for (const candidate of candidates) {
+    const msgBytes = encoder.encode(serialize(candidate));
+    const msgDigest = await crypto.subtle.digest("SHA-256", msgBytes);
+    const digest = new Uint8Array(
+      proofDigest.byteLength + msgDigest.byteLength,
+    );
+    digest.set(new Uint8Array(proofDigest), 0);
+    digest.set(new Uint8Array(msgDigest), proofDigest.byteLength);
+    const verified = await crypto.subtle.verify(
+      "Ed25519",
+      publicKey.publicKey,
+      proof.proofValue.slice(),
+      digest,
+    );
+    if (verified) return publicKey;
+  }
+  if (fetchedKey.cached) {
     logger.debug(
-      "Failed to verify the proof with the fetched key {keyId}:\n{proof}",
+      "Failed to verify the proof with the cached key {keyId}; retrying " +
+        "with the freshly fetched key...",
       { keyId: proof.verificationMethodId.href, proof },
     );
-    return null;
+    return await verifyProof(jsonLd, proof, {
+      ...options,
+      keyCache: {
+        get: () => Promise.resolve(undefined),
+        set: async (keyId, key) => await options.keyCache?.set(keyId, key),
+      },
+    });
   }
-  return publicKey;
+  logger.debug(
+    "Failed to verify the proof with the fetched key {keyId}:\n{proof}",
+    { keyId: proof.verificationMethodId.href, proof },
+  );
+  return null;
 }
 
 /**
