
GHSA-8XQ3-W9FX-74RV webfinger.js Blind SSRF Vulnerability

Description

The lookup function takes a user address for checking accounts as a feature. However, as per the ActivityPub spec (https://www.w3.org/TR/activitypub/#security-considerations), security considerations section B.3, access to localhost services should be prevented while running in production. The library does not prevent localhost access (nor does it prevent LAN addresses such as 192.168.x.x), so it is not safe for use in production by ActivityPub applications.

The only check for localhost is done when selecting between the HTTP and HTTPS protocols, and it tests for a host that starts with the string "localhost" and ends with a port. Anything else (such as "127.0.0.1" or "localhost:1234/abc") would not be considered localhost by this test.

In addition, the way the function determines the host makes it possible to reach any path on the host, not only "/.well-known/…" paths:

```javascript
if (address.indexOf('://') > -1) {
  // other uri format
  host = address.replace(/ /g, '').split('/')[2];
} else {
  // useraddress
  host = address.replace(/ /g, '').split('@')[1];
}

var uri_index = 0;      // track which URIS we've tried already
var protocol = 'https'; // we use https by default

if (self.__isLocalhost(host)) {
  protocol = 'http';
}

function __buildURL() {
  var uri = '';
  if (! address.split('://')[1]) {
    // the URI has not been defined, default to acct
    uri = 'acct:';
  }
  return protocol + '://' + host + '/.well-known/'…
```
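As an added example (not code from webfinger.js or from the advisory), the host extraction and localhost check reworked from the defender's side: the host is taken from a URL parser rather than split('/')[2], loopback, link-local, RFC 1918 and IPv6-internal hosts are refused before any request is built, and the path is pinned to /.well-known/webfinger. weakIsLocalhost is an assumed approximation of the check the advisory describes, not the library's source.

```javascript
// Added example (not webfinger.js code): host validation a WebFinger client
// could run before building any request. It rejects loopback, link-local,
// RFC 1918 and IPv6-internal hosts and pins the path to /.well-known/.

// Assumed approximation of the weak check the advisory describes ("localhost"
// followed by a port); not the library's actual __isLocalhost source.
function weakIsLocalhost(host) {
  return /^localhost:\d+$/.test(host);
}

// True for any host a production ActivityPub service must not contact.
// Only literal names/addresses are checked; resolved addresses need the
// same check (a public name can resolve to an internal address).
function isInternalHost(host) {
  const h = host.toLowerCase().replace(/^\[|\]$/g, '');
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h === '::1' || h === '::' || /^f[cd][0-9a-f]{2}:/.test(h) ||
      /^fe[89ab][0-9a-f]:/.test(h)) return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Builds the WebFinger URL from "user@host" or a full URI. The host comes
// from a URL parser, not split('/')[2], and any path in the input is
// discarded so the request can only reach /.well-known/webfinger.
function buildWebfingerURL(address) {
  const trimmed = address.replace(/\s/g, '');
  const isUri = trimmed.includes('://');
  let hostWithPort;
  if (isUri) {
    hostWithPort = new URL(trimmed).host;
  } else {
    const parts = trimmed.split('@');
    if (parts.length !== 2 || !parts[1]) throw new Error('invalid user address');
    hostWithPort = parts[1];
  }
  const host = hostWithPort.replace(/:\d+$/, '');
  if (isInternalHost(host)) throw new Error('refusing internal host: ' + host);
  const resource = isUri ? trimmed : 'acct:' + trimmed;
  return 'https://' + hostWithPort + '/.well-known/webfinger?resource=' +
         encodeURIComponent(resource);
}
```

The string check is only the first layer: a production client should also resolve the hostname and run the same range check on the returned addresses before connecting, since a public name can point at an internal address.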

