(no title)
bugtodiffer | 7 months ago
E.g. --allow-net --deny-net=1.1.1.1
You cannot fetch "http://1.1.1.1" but any domain that resolves to 1.1.1.1 is a bypass...
It's crap security
bugtodiffer | 7 months ago
E.g. --allow-net --deny-net=1.1.1.1
You cannot fetch "http://1.1.1.1" but any domain that resolves to 1.1.1.1 is a bypass...
It's crap security
whizzter|7 months ago
If the deno runtime implements the fetch module itself, then post-resolution checking definitely should be done though. It's more of an bug though than a principled security lapse.
bugtodiffer|7 months ago
oblio|7 months ago
That's a bit of a silly model.
throwitaway1123|7 months ago
No, you can allow access to specific domains, IP addresses, filesystem paths, environment variables, etc, while denying everything else by default. You can for instance allow access to only a specific IP (e.g. `deno run --allow-net='127.0.0.1' main.ts`), while implicitly blocking every other IP.
What the commenter is complaining about is the fact that Deno doesn't check which IP address a domain name actually resolves to using DNS resolution. So if you explicitly deny '1.1.1.1', and the script you're running fetches from a domain with an A record pointing to '1.1.1.1', Deno will allow it.
In practice, I usually use allow lists rather than deny lists, because I very rarely have an exhaustive list on hand of every IP address or domain I'm expecting a rogue script to attempt to access.
jeltz|7 months ago