|
| 1 | +# Security |
| 2 | + |
| 3 | +webfinger.js prioritizes security and includes comprehensive protection against common attack vectors that can affect WebFinger implementations. |
| 4 | + |
| 5 | +## SSRF Protection |
| 6 | + |
| 7 | +This library includes robust protection against Server-Side Request Forgery (SSRF) attacks by default: |
| 8 | + |
| 9 | +- **Private address blocking**: Prevents requests to localhost, private IP ranges, and internal networks |
| 10 | +- **DNS resolution protection**: Resolves domain names in Node.js environments to block domains that resolve to private IPs |
| 11 | +- **Path injection prevention**: Validates host formats to prevent directory traversal attacks |
| 12 | +- **Redirect validation**: Prevents redirect-based SSRF attacks to private networks |
| 13 | +- **ActivityPub compliance**: Follows [ActivityPub security guidelines](https://www.w3.org/TR/activitypub/#security-considerations) (Section B.3) |
| 14 | + |
| 15 | +### Blocked Addresses |
| 16 | + |
| 17 | +The following address ranges are blocked by default to prevent SSRF attacks: |
| 18 | + |
| 19 | +#### Localhost |
| 20 | +- `localhost`, `localhost.localdomain` |
| 21 | +- `127.x.x.x` (IPv4 loopback) |
| 22 | +- `::1` (IPv6 loopback) |
| 23 | + |
| 24 | +#### Private IPv4 Ranges |
| 25 | +- `10.x.x.x` (Class A private) |
| 26 | +- `172.16.x.x` - `172.31.x.x` (Class B private) |
| 27 | +- `192.168.x.x` (Class C private) |
| 28 | + |
| 29 | +#### Link-Local Addresses |
| 30 | +- `169.254.x.x` (IPv4 link-local) |
| 31 | +- `fe80::/10` (IPv6 link-local) |
| 32 | + |
| 33 | +#### Multicast Addresses |
| 34 | +- `224.x.x.x` - `239.x.x.x` (IPv4 multicast) |
| 35 | +- `ff00::/8` (IPv6 multicast) |
| 36 | + |
| 37 | +### DNS Resolution Protection |
| 38 | + |
| 39 | +In Node.js environments, the library performs DNS resolution to prevent attacks using domains that resolve to private IP addresses: |
| 40 | + |
| 41 | +- **Domain resolution**: All domain names are resolved to IP addresses before making requests |
| 42 | +- **Private IP detection**: Resolved IPs are checked against the private address blacklist |
| 43 | +- **Attack prevention**: Blocks requests to public domains like `localtest.me` that resolve to `127.0.0.1` |
| 44 | +- **Browser compatibility**: DNS resolution is skipped in browser environments where it's not available |
| 45 | + |
| 46 | +**Example blocked domains:** |
| 47 | +- `localtest.me` → `127.0.0.1` (blocked) |
| 48 | +- `10.0.0.1.nip.io` → `10.0.0.1` (blocked) |
| 49 | +- Custom domains configured to resolve to private networks |
| 50 | + |
| 51 | +**Note**: This protection only applies in Node.js environments. Browser environments rely on the browser's built-in protections against private network access. |
| 52 | + |
| 53 | +### Redirect Protection |
| 54 | + |
| 55 | +The library implements manual redirect handling to validate redirect destinations: |
| 56 | + |
| 57 | +- **Redirect limits**: Maximum of 3 redirects to prevent redirect loops |
| 58 | +- **Destination validation**: All redirect targets are checked against the private address blacklist |
| 59 | +- **Malformed response handling**: Invalid or missing Location headers are rejected |
| 60 | +- **URL validation**: Redirect URLs are parsed and validated before following |
| 61 | + |
| 62 | +This prevents attacks where a public domain's WebFinger endpoint redirects to private network resources. |
| 63 | + |
| 64 | +## Development Override |
| 65 | + |
| 66 | +⚠️ **CAUTION**: The following configuration should **ONLY** be used in development or testing environments! |
| 67 | + |
| 68 | +```typescript |
| 69 | +const webfinger = new WebFinger({ |
| 70 | + allow_private_addresses: true // Disables SSRF protection - DANGEROUS in production! |
| 71 | +}); |
| 72 | + |
| 73 | +// This will now work (but should never be used in production) |
| 74 | +await webfinger.lookup('user@localhost:3000'); |
| 75 | +``` |
| 76 | + |
| 77 | +### When to Use Development Override |
| 78 | + |
| 79 | +- **Local development**: Testing against localhost services |
| 80 | +- **Internal testing**: Validating against private network services |
| 81 | +- **Unit testing**: Creating controlled test environments |
| 82 | + |
| 83 | +### Production Security |
| 84 | + |
| 85 | +**Never** set `allow_private_addresses: true` in production environments. This completely disables SSRF protection and opens your application to serious security vulnerabilities. |
| 86 | + |
| 87 | +## Security Best Practices |
| 88 | + |
| 89 | +When integrating webfinger.js into your application: |
| 90 | + |
| 91 | +1. **Keep defaults**: Use the default secure configuration in production |
| 92 | +2. **Validate inputs**: Always validate user-provided addresses before lookup |
| 93 | +3. **Handle errors gracefully**: Don't expose internal network details in error messages |
| 94 | +4. **Monitor requests**: Log WebFinger lookups for security monitoring |
| 95 | +5. **Update regularly**: Keep the library updated to receive security patches |
| 96 | + |
| 97 | +## Reporting Security Issues |
| 98 | + |
| 99 | +If you discover a security vulnerability in webfinger.js, please report it responsibly: |
| 100 | + |
| 101 | +1. **Do not** create a public GitHub issue |
| 102 | +2. Email security concerns to the maintainer |
| 103 | +3. Include detailed reproduction steps |
| 104 | +4. Allow reasonable time for fixes before public disclosure |
| 105 | + |
| 106 | +## Compliance |
| 107 | + |
| 108 | +This library's security implementation follows: |
| 109 | + |
| 110 | +- [ActivityPub Security Considerations](https://www.w3.org/TR/activitypub/#security-considerations) (Section B.3) |
| 111 | +- [RFC 7033 WebFinger](https://tools.ietf.org/html/rfc7033) security guidelines |
| 112 | +- Common SSRF prevention best practices |
| 113 | + |
| 114 | +The security model is designed to be safe by default while providing necessary flexibility for legitimate use cases. |
0 commit comments