Merge commit from fork

Mitigate redirect-based resource exhaustion in remote key resolution

Author: dahlia

CHANGES.md

@@ -8,6 +8,22 @@ Version 1.9.6
 
 To be released.
 
+### @fedify/fedify
+
+ -  Limited the number of HTTP redirects followed by the remote document
+    loaders and signed HTTP fetches to mitigate resource exhaustion during
+    remote key and document resolution.  [[CVE-2026-34148] by Abhinav Jaswal]
+
+ -  Stopped the remote document loaders and signed HTTP fetches from
+    revisiting the same URL within a redirect chain, preventing
+    self-referential redirect loops.  [[CVE-2026-34148] by Abhinav Jaswal]
+
+ -  Persisted negative public key cache entries for failed remote key
+    fetches, reducing repeated retries against the same unavailable key
+    across requests.  [[CVE-2026-34148] by Abhinav Jaswal]
+
+[CVE-2026-34148]: https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp
+
 
 Version 1.9.5
 -------------

packages/fedify/src/federation/keycache.test.ts

@@ -38,6 +38,10 @@ test("KvKeyCache.set()", async () => {
 
   await cache.set(new URL("https://example.com/null"), null);
   assert(cache.nullKeys.has("https://example.com/null"));
+  assertEquals(
+    await kv.get(["pk", "https://example.com/null"]),
+    { _fedify: "key-unavailable" },
+  );
 });
 
 test("KvKeyCache.get()", async () => {
@@ -64,4 +68,11 @@ test("KvKeyCache.get()", async () => {
 
   cache.nullKeys.add("https://example.com/null");
   assertEquals(await cache.get(new URL("https://example.com/null")), null);
+
+  await kv.set(
+    ["pk", "https://example.com/null2"],
+    { _fedify: "key-unavailable" },
+  );
+  const cache2 = new KvKeyCache(kv, ["pk"]);
+  assertEquals(await cache2.get(new URL("https://example.com/null2")), null);
 });

packages/fedify/src/federation/keycache.ts

@@ -3,11 +3,22 @@ import type { KeyCache } from "../sig/key.ts";
 import { CryptographicKey, Multikey } from "../vocab/vocab.ts";
 import type { KvKey, KvStore } from "./kv.ts";
 
+const NULL_KEY_CACHE_VALUE = { _fedify: "key-unavailable" };
+const NULL_KEY_CACHE_TTL = Temporal.Duration.from({ minutes: 5 });
+
 export interface KvKeyCacheOptions {
   documentLoader?: DocumentLoader;
   contextLoader?: DocumentLoader;
 }
 
+function isNullKeyCacheValue(
+  value: unknown,
+): value is typeof NULL_KEY_CACHE_VALUE {
+  return typeof value === "object" && value != null &&
+    "_fedify" in value &&
+    value._fedify === NULL_KEY_CACHE_VALUE._fedify;
+}
+
 export class KvKeyCache implements KeyCache {
   readonly kv: KvStore;
   readonly prefix: KvKey;
@@ -27,6 +38,10 @@ export class KvKeyCache implements KeyCache {
     if (this.nullKeys.has(keyId.href)) return null;
     const serialized = await this.kv.get([...this.prefix, keyId.href]);
     if (serialized == null) return undefined;
+    if (isNullKeyCacheValue(serialized)) {
+      this.nullKeys.add(keyId.href);
+      return null;
+    }
     try {
       return await CryptographicKey.fromJsonLd(serialized, this.options);
     } catch {
@@ -45,7 +60,11 @@ export class KvKeyCache implements KeyCache {
   ): Promise<void> {
     if (key == null) {
       this.nullKeys.add(keyId.href);
-      await this.kv.delete([...this.prefix, keyId.href]);
+      await this.kv.set(
+        [...this.prefix, keyId.href],
+        NULL_KEY_CACHE_VALUE,
+        { ttl: NULL_KEY_CACHE_TTL },
+      );
       return;
     }
     this.nullKeys.delete(keyId.href);

packages/fedify/src/runtime/docloader.test.ts

@@ -365,6 +365,73 @@ test("getDocumentLoader()", async (t) => {
     );
   });
 
+  let redirectAttempts = 0;
+  fetchMock.get("begin:https://example.com/too-many-redirects/", (cl) => {
+    redirectAttempts++;
+    const index = Number(cl.url.split("/").at(-1));
+    return {
+      status: 302,
+      headers: {
+        Location: `https://example.com/too-many-redirects/${index + 1}`,
+      },
+    };
+  });
+
+  await t.step("too many redirects", async () => {
+    redirectAttempts = 0;
+    await assertRejects(
+      () => fetchDocumentLoader("https://example.com/too-many-redirects/0"),
+      FetchError,
+      "Too many redirections",
+    );
+    assertEquals(redirectAttempts, 21);
+  });
+
+  let loopAttempts = 0;
+  fetchMock.get("https://example.com/redirect-loop-a", () => {
+    loopAttempts++;
+    return {
+      status: 302,
+      headers: { Location: "https://example.com/redirect-loop-b" },
+    };
+  });
+  fetchMock.get("https://example.com/redirect-loop-b", () => {
+    loopAttempts++;
+    return {
+      status: 302,
+      headers: { Location: "https://example.com/redirect-loop-a" },
+    };
+  });
+
+  await t.step("redirect loop", async () => {
+    loopAttempts = 0;
+    await assertRejects(
+      () => fetchDocumentLoader("https://example.com/redirect-loop-a"),
+      FetchError,
+      "Redirect loop detected",
+    );
+    assertEquals(loopAttempts, 2);
+  });
+
+  let relativeLoopAttempts = 0;
+  fetchMock.get("https://example.com/redirect-loop-relative", () => {
+    relativeLoopAttempts++;
+    return {
+      status: 302,
+      headers: { Location: "/redirect-loop-relative" },
+    };
+  });
+
+  await t.step("redirect loop with relative location", async () => {
+    relativeLoopAttempts = 0;
+    await assertRejects(
+      () => fetchDocumentLoader("https://example.com/redirect-loop-relative"),
+      FetchError,
+      "Redirect loop detected",
+    );
+    assertEquals(relativeLoopAttempts, 1);
+  });
+
   // Regression test for ReDoS vulnerability (CVE-2025-68475)
   // Malicious HTML payload: <a a="b" a="b" ... (unclosed tag)
   // With the vulnerable regex, this causes catastrophic backtracking

packages/fedify/src/runtime/docloader.ts

@@ -7,6 +7,7 @@ import { HttpHeaderLink } from "./link.ts";
 import { UrlError, validatePublicUrl } from "./url.ts";
 
 const logger = getLogger(["fedify", "runtime", "docloader"]);
+const DEFAULT_MAX_REDIRECTION = 20;
 
 /**
  * A remote JSON-LD document and its context fetched by
@@ -352,27 +353,34 @@ export function getDocumentLoader(
   async function load(
     url: string,
     options?: DocumentLoaderOptions,
+    redirected = 0,
+    visited = new Set<string>(),
   ): Promise<RemoteDocument> {
     options?.signal?.throwIfAborted();
-    if (!skipPreloadedContexts && url in preloadedContexts) {
-      logger.debug("Using preloaded context: {url}.", { url });
+    const currentUrl = new URL(url).href;
+    if (!skipPreloadedContexts && currentUrl in preloadedContexts) {
+      logger.debug("Using preloaded context: {url}.", { url: currentUrl });
       return {
         contextUrl: null,
-        document: preloadedContexts[url],
-        documentUrl: url,
+        document: preloadedContexts[currentUrl],
+        documentUrl: currentUrl,
       };
     }
     if (!allowPrivateAddress) {
       try {
-        await validatePublicUrl(url);
+        await validatePublicUrl(currentUrl);
       } catch (error) {
         if (error instanceof UrlError) {
-          logger.error("Disallowed private URL: {url}", { url, error });
+          logger.error("Disallowed private URL: {url}", {
+            url: currentUrl,
+            error,
+          });
         }
         throw error;
       }
     }
-    const request = createRequest(url, { userAgent });
+    visited.add(currentUrl);
+    const request = createRequest(currentUrl, { userAgent });
     logRequest(request);
     const response = await fetch(request, {
       // Since Bun has a bug that ignores the `Request.redirect` option,
@@ -386,9 +394,34 @@ export function getDocumentLoader(
       response.status >= 300 && response.status < 400 &&
       response.headers.has("Location")
     ) {
-      return load(response.headers.get("Location")!, options);
+      if (redirected >= DEFAULT_MAX_REDIRECTION) {
+        logger.error(
+          "Too many redirections ({redirections}) while fetching document.",
+          { redirections: redirected + 1, url: currentUrl },
+        );
+        throw new FetchError(
+          currentUrl,
+          `Too many redirections (${redirected + 1})`,
+        );
+      }
+      const redirectUrl = new URL(
+        response.headers.get("Location")!,
+        response.url === "" ? currentUrl : response.url,
+      ).href;
+      if (visited.has(redirectUrl)) {
+        logger.error(
+          "Detected a redirect loop while fetching document: {url} -> " +
+            "{redirectUrl}",
+          { url: currentUrl, redirectUrl },
+        );
+        throw new FetchError(
+          currentUrl,
+          `Redirect loop detected: ${redirectUrl}`,
+        );
+      }
+      return load(redirectUrl, options, redirected + 1, visited);
     }
-    return getRemoteDocument(url, response, load);
+    return getRemoteDocument(currentUrl, response, load);
   }
   return load;
 }

packages/fedify/src/sig/http.test.ts

@@ -1650,6 +1650,82 @@ test("doubleKnock() complex redirect chain test", async () => {
   fetchMock.hardReset();
 });
 
+test("doubleKnock() throws on too many redirects", async () => {
+  fetchMock.spyGlobal();
+
+  let requestCount = 0;
+  fetchMock.post("begin:https://example.com/too-many-redirects/", (cl) => {
+    requestCount++;
+    const index = Number(cl.url.split("/").at(-1));
+    return Response.redirect(
+      `https://example.com/too-many-redirects/${index + 1}`,
+      302,
+    );
+  });
+
+  const request = new Request("https://example.com/too-many-redirects/0", {
+    method: "POST",
+    body: "Redirect loop",
+    headers: {
+      "Content-Type": "text/plain",
+    },
+  });
+
+  await assertRejects(
+    () =>
+      doubleKnock(
+        request,
+        {
+          keyId: rsaPublicKey2.id!,
+          privateKey: rsaPrivateKey2,
+        },
+      ),
+    Error,
+    "Too many redirections",
+  );
+  assertEquals(requestCount, 21);
+
+  fetchMock.hardReset();
+});
+
+test("doubleKnock() detects redirect loops", async () => {
+  fetchMock.spyGlobal();
+
+  let requestCount = 0;
+  fetchMock.post("https://example.com/redirect-loop-a", () => {
+    requestCount++;
+    return Response.redirect("https://example.com/redirect-loop-b", 302);
+  });
+  fetchMock.post("https://example.com/redirect-loop-b", () => {
+    requestCount++;
+    return Response.redirect("https://example.com/redirect-loop-a", 302);
+  });
+
+  const request = new Request("https://example.com/redirect-loop-a", {
+    method: "POST",
+    body: "Redirect loop",
+    headers: {
+      "Content-Type": "text/plain",
+    },
+  });
+
+  await assertRejects(
+    () =>
+      doubleKnock(
+        request,
+        {
+          keyId: rsaPublicKey2.id!,
+          privateKey: rsaPrivateKey2,
+        },
+      ),
+    Error,
+    "Redirect loop detected",
+  );
+  assertEquals(requestCount, 2);
+
+  fetchMock.hardReset();
+});
+
 test("doubleKnock() async specDeterminer test", async () => {
   // Install mock fetch handler
   fetchMock.spyGlobal();