Merge tag '1.10.9' into 2.0-maintenance

Fedify 1.10.9

Author: dahlia

CHANGES.md

@@ -8,6 +8,12 @@ Version 2.0.16
 
 To be released.
 
+### @fedify/vocab-runtime
+
+ -  Fixed `validatePublicUrl()` allowing private IPv4 addresses encoded as
+    IPv4-mapped IPv6 URL literals, such as `http://[::ffff:7f00:1]/`, which
+    could bypass private network protections in remote document loading.
+
 
 Version 2.0.15
 --------------
@@ -908,6 +914,18 @@ Released on February 22, 2026.
 [#351]: https://github.com/fedify-dev/fedify/issues/351
 
 
+Version 1.10.9
+--------------
+
+Released on May 10, 2026.
+
+### @fedify/fedify
+
+ -  Fixed `validatePublicUrl()` allowing private IPv4 addresses encoded as
+    IPv4-mapped IPv6 URL literals, such as `http://[::ffff:7f00:1]/`, which
+    could bypass private network protections in remote document loading.
+
+
 Version 1.10.8
 --------------
 
@@ -1131,6 +1149,18 @@ Released on December 24, 2025.
  -  Implemented `list()` method in `WorkersKvStore`.  [[#498], [#500]]
 
 
+Version 1.9.10
+--------------
+
+Released on May 10, 2026.
+
+### @fedify/fedify
+
+ -  Fixed `validatePublicUrl()` allowing private IPv4 addresses encoded as
+    IPv4-mapped IPv6 URL literals, such as `http://[::ffff:7f00:1]/`, which
+    could bypass private network protections in remote document loading.
+
+
 Version 1.9.9
 -------------
 

packages/redis/src/kv.test.ts

@@ -7,50 +7,83 @@ import process from "node:process";
 const redisUrl = process.env.REDIS_URL;
 const ignore = redisUrl == null;
 
-function getRedis(): { redis: Redis; keyPrefix: string; store: RedisKvStore } {
+async function cleanupPrefixedKeys(
+  redis: Redis,
+  keyPrefix: string,
+): Promise<void> {
+  let cursor = "0";
+  do {
+    const [nextCursor, keys] = await redis.scan(
+      cursor,
+      "MATCH",
+      `${keyPrefix}*`,
+      "COUNT",
+      "100",
+    );
+    cursor = nextCursor;
+    if (keys.length > 0) {
+      await redis.del(...keys);
+    }
+  } while (cursor !== "0");
+}
+
+function getRedis(): {
+  redis: Redis;
+  keyPrefix: string;
+  store: RedisKvStore;
+  cleanup: () => Promise<void>;
+} {
   const redis = new Redis(redisUrl!);
   const keyPrefix = `fedify_test_${crypto.randomUUID()}::`;
   const store = new RedisKvStore(redis, { keyPrefix });
-  return { redis, keyPrefix, store };
+  return {
+    redis,
+    keyPrefix,
+    store,
+    cleanup: () => cleanupPrefixedKeys(redis, keyPrefix),
+  };
 }
 
 test("RedisKvStore.get()", { ignore }, async () => {
   if (ignore) return; // see https://github.com/oven-sh/bun/issues/19412
-  const { redis, keyPrefix, store } = getRedis();
+  const { redis, keyPrefix, store, cleanup } = getRedis();
   try {
     await redis.set(`${keyPrefix}foo::bar`, '"foobar"');
     assert.strictEqual(await store.get(["foo", "bar"]), "foobar");
   } finally {
+    await cleanup();
     redis.disconnect();
   }
 });
 
 test("RedisKvStore.set()", { ignore }, async () => {
   if (ignore) return; // see https://github.com/oven-sh/bun/issues/19412
-  const { redis, keyPrefix, store } = getRedis();
+  const { redis, keyPrefix, store, cleanup } = getRedis();
   try {
     await store.set(["foo", "baz"], "baz");
     assert.strictEqual(await redis.get(`${keyPrefix}foo::baz`), '"baz"');
   } finally {
+    await cleanup();
     redis.disconnect();
   }
 });
 
 test("RedisKvStore.delete()", { ignore }, async () => {
   if (ignore) return; // see https://github.com/oven-sh/bun/issues/19412
-  const { redis, keyPrefix, store } = getRedis();
+  const { redis, keyPrefix, store, cleanup } = getRedis();
   try {
     await redis.set(`${keyPrefix}foo::baz`, '"baz"');
     await store.delete(["foo", "baz"]);
     assert.equal(await redis.exists(`${keyPrefix}foo::baz`), 0);
   } finally {
+    await cleanup();
     redis.disconnect();
   }
 });
 
 test("RedisKvStore.list()", { ignore }, async () => {
   if (ignore) return; // see https://github.com/oven-sh/bun/issues/19412
-  const { redis, store } = getRedis();
+  const { redis, store, cleanup } = getRedis();
   try {
     await store.set(["prefix", "a"], "value-a");
     await store.set(["prefix", "b"], "value-b");
@@ -67,14 +100,14 @@ test("RedisKvStore.list()", { ignore }, async () => {
     assert(entries.some((e) => e.key[1] === "b"));
     assert(entries.some((e) => e.key[1] === "nested"));
   } finally {
-    await redis.flushdb();
+    await cleanup();
     redis.disconnect();
   }
 });
 
 test("RedisKvStore.list() - single element key", { ignore }, async () => {
   if (ignore) return; // see https://github.com/oven-sh/bun/issues/19412
-  const { redis, store } = getRedis();
+  const { redis, store, cleanup } = getRedis();
   try {
     await store.set(["a"], "value-a");
     await store.set(["b"], "value-b");
@@ -87,14 +120,14 @@ test("RedisKvStore.list() - single element key", { ignore }, async () => {
     assert.strictEqual(entries.length, 1);
     assert.strictEqual(entries[0].value, "value-a");
   } finally {
-    await redis.flushdb();
+    await cleanup();
     redis.disconnect();
   }
 });
 
 test("RedisKvStore.list() - empty prefix", { ignore }, async () => {
   if (ignore) return; // see https://github.com/oven-sh/bun/issues/19412
-  const { redis, store } = getRedis();
+  const { redis, store, cleanup } = getRedis();
   try {
     await store.set(["a"], "value-a");
     await store.set(["b", "c"], "value-bc");
@@ -107,7 +140,7 @@ test("RedisKvStore.list() - empty prefix", { ignore }, async () => {
 
     assert.strictEqual(entries.length, 3);
   } finally {
-    await redis.flushdb();
+    await cleanup();
     redis.disconnect();
   }
 });

packages/vocab-runtime/src/url.test.ts

@@ -19,6 +19,11 @@ test("validatePublicUrl()", async () => {
   await rejects(() => validatePublicUrl("https://localhost"), UrlError);
   await rejects(() => validatePublicUrl("https://127.0.0.1"), UrlError);
   await rejects(() => validatePublicUrl("https://[::1]"), UrlError);
+  await rejects(
+    () => validatePublicUrl("http://[::ffff:7f00:1]/"),
+    UrlError,
+  );
+  await validatePublicUrl("https://[2001:db8::1]");
 });
 
 test("isValidPublicIPv4Address()", () => {
@@ -37,6 +42,7 @@ test("isValidPublicIPv6Address()", () => {
   ok(!isValidPublicIPv6Address("fe80::1")); // link-local
   ok(!isValidPublicIPv6Address("ff00::1")); // multicast
   ok(!isValidPublicIPv6Address("::")); // unspecified
+  ok(!isValidPublicIPv6Address("::ffff:7f00:1")); // IPv4-mapped
 });
 
 test("expandIPv6Address()", () => {

packages/vocab-runtime/src/url.ts

@@ -19,11 +19,16 @@ export async function validatePublicUrl(url: string): Promise<void> {
   }
   let hostname = parsed.hostname;
   if (hostname.startsWith("[") && hostname.endsWith("]")) {
-    hostname = hostname.substring(1, hostname.length - 2);
+    hostname = hostname.slice(1, -1);
   }
   if (hostname === "localhost") {
     throw new UrlError("Localhost is not allowed");
   }
+  const hostnameFamily = isIP(hostname);
+  if (hostnameFamily !== 0) {
+    validatePublicIpAddress(hostname, hostnameFamily);
+    return;
+  }
   if ("Deno" in globalThis && !isIP(hostname)) {
     // If the `net` permission is not granted, we can't resolve the hostname.
     // However, we can safely assume that it cannot gain access to private
@@ -50,14 +55,18 @@ export async function validatePublicUrl(url: string): Promise<void> {
     addresses = [];
   }
   for (const { address, family } of addresses) {
-    if (
-      family === 4 && !isValidPublicIPv4Address(address) ||
-      family === 6 && !isValidPublicIPv6Address(address) ||
-      family < 4 || family === 5 || family > 6
-    ) {
-      throw new UrlError(`Invalid or private address: ${address}`);
-    }
+    validatePublicIpAddress(address, family);
+  }
+}
+
+function validatePublicIpAddress(address: string, family: number): void {
+  if (
+    family === 4 && isValidPublicIPv4Address(address) ||
+    family === 6 && isValidPublicIPv6Address(address)
+  ) {
+    return;
   }
+  throw new UrlError(`Invalid or private address: ${address}`);
 }
 
 export function isValidPublicIPv4Address(address: string): boolean {