Merge branch 'main' into to-canonical

2026-02-04 11:49:19 +01:00 · 2026-02-04 11:49:19 +01:00 · 555902adec
commit 555902adec
parent ec34fc9e99 11f95ff384
4 changed files with 105 additions and 31 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -313,9 +313,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
 [[package]]
 name = "aws-lc-rs"
-version = "1.15.2"
+version = "1.15.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a88aab2464f1f25453baa7a07c84c5b7684e274054ba06817f382357f77a288"
+checksum = "7b7b6141e96a8c160799cc2d5adecd5cbbe5054cb8c7c4af53da0f83bb7ad256"
 dependencies = [
 "aws-lc-sys",
 "zeroize",
@ -323,9 +323,9 @@ dependencies = [
 [[package]]
 name = "aws-lc-sys"
-version = "0.35.0"
+version = "0.37.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b45afffdee1e7c9126814751f88dddc747f41d91da16c9551a0f1e8a11e788a1"
+checksum = "5c34dda4df7017c8db52132f0f8a2e0f8161649d15723ed63fc00c82d0f2081a"
 dependencies = [
 "cc",
 "cmake",
@ -557,6 +557,16 @@ dependencies = [
 "unicode-segmentation",
 ]
 [[package]]
 name = "core-foundation"
 version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f"
 dependencies = [
 "core-foundation-sys",
 "libc",
 ]
 [[package]]
 name = "core-foundation"
 version = "0.10.1"
@ -1017,6 +1027,25 @@ dependencies = [
 "wasm-bindgen",
 ]
 [[package]]
 name = "h2"
 version = "0.4.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2f44da3a8150a6703ed5d34e164b875fd14c2cdab9af1252a9a1020bde2bdc54"
 dependencies = [
 "atomic-waker",
 "bytes",
 "fnv",
 "futures-core",
 "futures-sink",
 "http 1.4.0",
 "indexmap",
 "slab",
 "tokio",
 "tokio-util",
 "tracing",
 ]
 [[package]]
 name = "hashbrown"
 version = "0.16.1"
@ -1139,6 +1168,7 @@ dependencies = [
 "bytes",
 "futures-channel",
 "futures-core",
 "h2",
 "http 1.4.0",
 "http-body",
 "httparse",
@ -1186,9 +1216,11 @@ dependencies = [
 "percent-encoding",
 "pin-project-lite",
 "socket2 0.6.1",
 "system-configuration",
 "tokio",
 "tower-service",
 "tracing",
 "windows-registry",
 ]
 [[package]]
@ -1618,9 +1650,9 @@ checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
 [[package]]
 name = "openssl-probe"
-version = "0.2.0"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9f50d9b3dabb09ecd771ad0aa242ca6894994c130308ca3d7684634df8037391"
+checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe"
 [[package]]
 name = "parking"
@ -1836,7 +1868,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
 dependencies = [
 "rand_chacha 0.9.0",
- "rand_core 0.9.3",
+ "rand_core 0.9.5",
 ]
 [[package]]
@ -1856,7 +1888,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
 dependencies = [
 "ppv-lite86",
- "rand_core 0.9.3",
+ "rand_core 0.9.5",
 ]
 [[package]]
@ -1870,9 +1902,9 @@ dependencies = [
 [[package]]
 name = "rand_core"
-version = "0.9.3"
+version = "0.9.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "99d9a13982dcf210057a8a78572b2217b667c3beacbf3a0d8b454f6f82837d38"
+checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c"
 dependencies = [
 "getrandom 0.3.4",
 ]
@ -1929,8 +1961,10 @@ checksum = "04e9018c9d814e5f30cc16a0f03271aeab3571e609612d9fe78c1aa8d11c2f62"
 dependencies = [
 "base64",
 "bytes",
 "encoding_rs",
 "futures-core",
 "futures-util",
 "h2",
 "http 1.4.0",
 "http-body",
 "http-body-util",
@ -1939,6 +1973,7 @@ dependencies = [
 "hyper-util",
 "js-sys",
 "log",
 "mime",
 "percent-encoding",
 "pin-project-lite",
 "quinn",
@ -2052,9 +2087,9 @@ dependencies = [
 [[package]]
 name = "rustls-pki-types"
-version = "1.13.2"
+version = "1.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "21e6f2ab2928ca4291b86736a8bd920a277a399bba1589409d72154ff87c1282"
+checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd"
 dependencies = [
 "web-time",
 "zeroize",
@ -2066,7 +2101,7 @@ version = "0.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1d99feebc72bae7ab76ba994bb5e121b8d83d910ca40b36e0921f53becc41784"
 dependencies = [
- "core-foundation",
+ "core-foundation 0.10.1",
 "core-foundation-sys",
 "jni",
 "log",
@ -2089,9 +2124,9 @@ checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f"
 [[package]]
 name = "rustls-webpki"
-version = "0.103.8"
+version = "0.103.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ffdfa2f5286e2247234e03f680868ac2815974dc39e00ea15adc445d0aafe52"
+checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
 dependencies = [
 "aws-lc-rs",
 "ring",
@ -2142,7 +2177,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b3297343eaf830f66ede390ea39da1d462b6b0c1b000f420d0a83f898bbbe6ef"
 dependencies = [
 "bitflags",
- "core-foundation",
+ "core-foundation 0.10.1",
 "core-foundation-sys",
 "libc",
 "security-framework-sys",
@ -2387,6 +2422,27 @@ dependencies = [
 "syn 2.0.114",
 ]
 [[package]]
 name = "system-configuration"
 version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3c879d448e9d986b661742763247d3693ed13609438cf3d006f51f5368a5ba6b"
 dependencies = [
 "bitflags",
 "core-foundation 0.9.4",
 "system-configuration-sys",
 ]
 [[package]]
 name = "system-configuration-sys"
 version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8e1d1b10ced5ca923a1fcb8d03e96b8d3268065d724548c0211415ff6ac6bac4"
 dependencies = [
 "core-foundation-sys",
 "libc",
 ]
 [[package]]
 name = "tagptr"
 version = "0.2.0"
@ -2880,6 +2936,17 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
 [[package]]
 name = "windows-registry"
 version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "02752bf7fbdcce7f2a27a742f798510f3e5ad88dbe84871e5168e2120c3d5720"
 dependencies = [
 "windows-link",
 "windows-result",
 "windows-strings",
 ]
 [[package]]
 name = "windows-result"
 version = "0.4.1"
--- a/Cargo.toml
+++ b/Cargo.toml
@ -40,7 +40,6 @@ serde_json = { version = "1.0.149", features = ["preserve_order"] }
 reqwest = { version = "0.13.1", default-features = false, features = [
  "json",
  "stream",
  "rustls",
 ] }
 reqwest-middleware = "0.5.0"
 tracing = "0.1.44"
@ -95,6 +94,9 @@ axum = { version = "0.8.8", features = ["macros"] }
 axum-extra = { version = "0.12.5", features = ["typed-header"] }
 env_logger = "0.11.8"
 tokio = { version = "1.49.0", features = ["full"] }
 reqwest = { version = "0.13.1",features = [
  "rustls"
 ] }
 [profile.dev]
 strip = "symbols"
--- a/src/config.rs
+++ b/src/config.rs
@ -25,6 +25,7 @@ use async_trait::async_trait;
 use bytes::Bytes;
 use derive_builder::Builder;
 use dyn_clone::{clone_trait_object, DynClone};
 use itertools::Itertools;
 use moka::future::Cache;
 use regex::Regex;
 use reqwest::{redirect::Policy, Client, Request};
@ -189,24 +190,25 @@ impl<T: Clone> FederationConfig<T> {
            let mut ips = lookup_host((domain.to_owned(), 80))
                .await?
                .map(|s| s.ip().to_canonical());
-            let invalid_ip = ips.any(|ip| match ip {
+            let allow_local = std::env::var("DANGER_FEDERATION_ALLOW_LOCAL_IP").is_ok();
-                IpAddr::V4(addr) => {
+            let invalid_ip = !allow_local
-                    addr.is_private()
+                && ips.any(|ip| match ip {
-                        || addr.is_link_local()
+                    IpAddr::V4(addr) => {
-                        || addr.is_loopback()
+                        addr.is_private()
-                        || addr.is_multicast()
+                            || addr.is_link_local()
-                }
+                            || addr.is_loopback()
-                IpAddr::V6(addr) => {
+                            || addr.is_multicast()
-                    addr.is_loopback()
+                    }
                    IpAddr::V6(addr) => {
                        addr.is_loopback()
                        || addr.is_multicast()
                        || ((addr.segments()[0] & 0xfe00) == 0xfc00) // is_unique_local
                        || ((addr.segments()[0] & 0xffc0) == 0xfe80) // is_unicast_link_local
-                }
+                    }
-            });
+                });
            if invalid_ip {
-                return Err(Error::UrlVerificationError(
+                let ip_addrs = ips.join(", ");
-                    "Localhost is only allowed in debug mode",
+                return Err(Error::DomainResolveError(domain.to_string(), ip_addrs));
                ));
            }
        }
--- a/src/error.rs
+++ b/src/error.rs
@ -28,6 +28,9 @@ pub enum Error {
    /// url verification error
    #[error("URL failed verification: {0}")]
    UrlVerificationError(&'static str),
    /// Resolving domain points to local IP.
    #[error("Resolving domain {0} points to local IP {1}. This may indicate an attacker attempting to access internal services. If intentional, you can ignore this error by setting DANGER_FEDERATION_ALLOW_LOCAL_IP=1")]
    DomainResolveError(String, String),
    /// Incoming activity has invalid digest for body
    #[error("Incoming activity has invalid digest for body")]
    ActivityBodyDigestInvalid,