Merge branch 'main' into next

dahlia · dahlia · commit 0e4c2ede693d · 2025-12-20T14:04:59.000+09:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -232,6 +232,26 @@ To be released.
 [#493]: https://github.com/fedify-dev/fedify/pull/493
 
 
+Version 1.9.2
+-------------
+
+Released on December 20, 2025.
+
+### @fedify/fedify
+
+ -  Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in
+    the document loader's HTML parsing.  An attacker-controlled server could
+    respond with a malicious HTML payload that blocked the event loop.
+    [[CVE-2025-68475]]
+
+### @fedify/sqlite
+
+ -  Fixed `SyntaxError: Identifier 'Temporal' has already been declared` error
+    that occurred when using `SqliteKvStore` on Node.js or Bun.  The error
+    was caused by duplicate `Temporal` imports during the build process.
+    [[#487]]
+
+
 Version 1.9.1
 -------------
 
@@ -549,6 +569,28 @@ Released on October 14, 2025.
     CommonJS-based Node.js applications.  [[#429], [#431]]
 
 
+Version 1.8.15
+--------------
+
+Released on December 20, 2025.
+
+### @fedify/fedify
+
+ -  Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in
+    the document loader's HTML parsing.  An attacker-controlled server could
+    respond with a malicious HTML payload that blocked the event loop.
+    [[CVE-2025-68475]]
+
+### @fedify/sqlite
+
+ -  Fixed `SyntaxError: Identifier 'Temporal' has already been declared` error
+    that occurred when using `SqliteKvStore` on Node.js or Bun.  The error
+    was caused by duplicate `Temporal` imports during the build process.
+    [[#487]]
+
+[#487]: https://github.com/fedify-dev/fedify/issues/487
+
+
 Version 1.8.14
 --------------
 
@@ -984,6 +1026,17 @@ the versioning.
 [iTerm]: https://iterm2.com/
 
 
+Version 1.7.14
+--------------
+
+Released on December 20, 2025.
+
+ -  Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in
+    the document loader's HTML parsing.  An attacker-controlled server could
+    respond with a malicious HTML payload that blocked the event loop.
+    [[CVE-2025-68475]]
+
+
 Version 1.7.13
 --------------
 
@@ -1169,6 +1222,19 @@ Released on June 25, 2025.
 [#252]: https://github.com/fedify-dev/fedify/pull/252
 
 
+Version 1.6.13
+--------------
+
+Released on December 20, 2025.
+
+ -  Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in
+    the document loader's HTML parsing.  An attacker-controlled server could
+    respond with a malicious HTML payload that blocked the event loop.
+    [[CVE-2025-68475]]
+
+[CVE-2025-68475]: https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93
+
+
 Version 1.6.12
 --------------
 
diff --git a/docs/manual/kv.md b/docs/manual/kv.md
@@ -127,9 +127,28 @@ const federation = createFederation<void>({
 
 :::
 
+> [!TIP]
+> If you are using Bun, you may encounter a type error in your IDE because
+> TypeScript's language server runs on Node.js and resolves the
+> `@fedify/sqlite` module using Node.js [conditional exports] instead of
+> Bun's.  To fix this, add the following to your *tsconfig.json*:
+>
+> ~~~~ json
+> {
+>   "compilerOptions": {
+>     "moduleResolution": "bundler",
+>     "customConditions": ["bun"]
+>   }
+> }
+> ~~~~
+>
+> This tells TypeScript to use Bun's module resolution when resolving
+> [conditional exports].
+
 [`SqliteKvStore`]: https://jsr.io/@fedify/sqlite/doc/kv/~/SqliteKvStore
 [`node:sqlite`]: https://nodejs.org/api/sqlite.html
 [`bun:sqlite`]: https://bun.com/docs/api/sqlite
+[conditional exports]: https://nodejs.org/api/packages.html#conditional-exports
 
 ### `DenoKvStore` (Deno only)
 
diff --git a/packages/sqlite/src/kv.test.ts b/packages/sqlite/src/kv.test.ts
@@ -1,9 +1,9 @@
 import { PlatformDatabase } from "#sqlite";
+import { SqliteKvStore } from "@fedify/sqlite/kv";
 import * as temporal from "@js-temporal/polyfill";
 import { delay } from "@std/async/delay";
 import assert from "node:assert/strict";
 import { test } from "node:test";
-import { SqliteKvStore } from "@fedify/sqlite/kv";
 
 let Temporal: typeof temporal.Temporal;
 if ("Temporal" in globalThis) {
diff --git a/packages/vocab-runtime/src/docloader.test.ts b/packages/vocab-runtime/src/docloader.test.ts
@@ -1,5 +1,5 @@
 import fetchMock from "fetch-mock";
-import { deepStrictEqual, rejects } from "node:assert";
+import { deepStrictEqual, ok, rejects } from "node:assert";
 import { test } from "node:test";
 import preloadedContexts from "./contexts.ts";
 import { getDocumentLoader } from "./docloader.ts";
@@ -361,5 +361,33 @@ test("getDocumentLoader()", async (t) => {
     );
   });
 
+  // Regression test for ReDoS vulnerability (CVE-2025-68475)
+  // Malicious HTML payload: <a a="b" a="b" ... (unclosed tag)
+  // With the vulnerable regex, this causes catastrophic backtracking
+  const maliciousPayload = "<a" + ' a="b"'.repeat(30) + " ";
+
+  fetchMock.get("https://example.com/redos", {
+    body: maliciousPayload,
+    headers: { "Content-Type": "text/html; charset=utf-8" },
+  });
+
+  await t.test("ReDoS resistance (CVE-2025-68475)", async () => {
+    const start = performance.now();
+    // The malicious HTML will fail JSON parsing, but the important thing is
+    // that it should complete quickly (not hang due to ReDoS)
+    await rejects(
+      () => fetchDocumentLoader("https://example.com/redos"),
+      SyntaxError,
+    );
+    const elapsed = performance.now() - start;
+
+    // Should complete in under 1 second. With the vulnerable regex,
+    // this would take 14+ seconds for 30 repetitions.
+    ok(
+      elapsed < 1000,
+      `Potential ReDoS vulnerability detected: ${elapsed}ms (expected < 1000ms)`,
+    );
+  });
+
   fetchMock.hardReset();
 });
diff --git a/packages/vocab-runtime/src/docloader.ts b/packages/vocab-runtime/src/docloader.ts
@@ -191,37 +191,55 @@ export async function getRemoteDocument(
       contentType === "application/xhtml+xml" ||
       contentType?.startsWith("application/xhtml+xml;"))
   ) {
-    const p =
-      /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\s*\/?>/ig;
-    const p2 = /\s+([a-z][a-z:_-]*)=("([^"]*)"|'([^']*)'|([^\s>]+))/ig;
+    // Security: Limit HTML response size to mitigate ReDoS attacks
+    const MAX_HTML_SIZE = 1024 * 1024; // 1MB
     const html = await response.text();
-    let m: RegExpExecArray | null;
-    const rawAttribs: string[] = [];
-    while ((m = p.exec(html)) !== null) rawAttribs.push(m[2]);
-    for (const rawAttrs of rawAttribs) {
-      let m2: RegExpExecArray | null;
-      const attribs: Record<string, string> = {};
-      while ((m2 = p2.exec(rawAttrs)) !== null) {
-        const key = m2[1].toLowerCase();
-        const value = m2[3] ?? m2[4] ?? m2[5] ?? "";
-        attribs[key] = value;
-      }
-      if (
-        attribs.rel === "alternate" && "type" in attribs && (
-          attribs.type === "application/activity+json" ||
-          attribs.type === "application/ld+json" ||
-          attribs.type.startsWith("application/ld+json;")
-        ) && "href" in attribs &&
-        new URL(attribs.href, docUrl).href !== docUrl.href
-      ) {
-        logger.debug(
-          "Found alternate document: {alternateUrl} from {url}",
-          { alternateUrl: attribs.href, url: documentUrl },
-        );
-        return await fetch(new URL(attribs.href, docUrl).href);
+    if (html.length > MAX_HTML_SIZE) {
+      logger.warn(
+        "HTML response too large, skipping alternate link discovery: {url}",
+        { url: documentUrl, size: html.length },
+      );
+      document = JSON.parse(html);
+    } else {
+      // Safe regex patterns without nested quantifiers to prevent ReDoS
+      // (CVE-2025-68475)
+      // Step 1: Extract <a ...> or <link ...> tags
+      const tagPattern = /<(a|link)\s+([^>]*?)\s*\/?>/gi;
+      // Step 2: Parse attributes
+      const attrPattern =
+        /([a-z][a-z:_-]*)=(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
+
+      let tagMatch: RegExpExecArray | null;
+      while ((tagMatch = tagPattern.exec(html)) !== null) {
+        const tagContent = tagMatch[2];
+        let attrMatch: RegExpExecArray | null;
+        const attribs: Record<string, string> = {};
+
+        // Reset regex state for attribute parsing
+        attrPattern.lastIndex = 0;
+        while ((attrMatch = attrPattern.exec(tagContent)) !== null) {
+          const key = attrMatch[1].toLowerCase();
+          const value = attrMatch[2] ?? attrMatch[3] ?? attrMatch[4] ?? "";
+          attribs[key] = value;
+        }
+
+        if (
+          attribs.rel === "alternate" && "type" in attribs && (
+            attribs.type === "application/activity+json" ||
+            attribs.type === "application/ld+json" ||
+            attribs.type.startsWith("application/ld+json;")
+          ) && "href" in attribs &&
+          new URL(attribs.href, docUrl).href !== docUrl.href
+        ) {
+          logger.debug(
+            "Found alternate document: {alternateUrl} from {url}",
+            { alternateUrl: attribs.href, url: documentUrl },
+          );
+          return await fetch(new URL(attribs.href, docUrl).href);
+        }
       }
+      document = JSON.parse(html);
     }
-    document = JSON.parse(html);
   } else {
     document = await response.json();
   }
