Headline
GHSA-5frw-4rwq-xhcr: Deno's improper suffix match testing for DENO_AUTH_TOKENS
Summary
Deno improperly checks that an import specifier’s hostname is equal to or a child of a token’s hostname, which can cause tokens to be sent to servers they shouldn’t be sent to. An auth token intended for example.com may be sent to notexample.com.
Details
auth_tokens.rs uses a simple ends_with check, which matches www.deno.land to a deno.land token as intended, but also matches im-in-ur-servers-attacking-ur-deno.land to deno.land tokens.
PoC
- Set up a server that logs requests. RequestBin will do. For example,
denovulnpoc.example.com. - Run
[email protected] deno run https://not-a-left-truncated.domain. For example,[email protected] deno run https://denovulnpoc.example.com - Observe that the token intended only for the truncated domain is sent to the full domain
Impact
What kind of vulnerability is it? Who is impacted? Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected.
Summary
Deno improperly checks that an import specifier’s hostname is equal to or a child of a token’s hostname, which can cause tokens to be sent to servers they shouldn’t be sent to. An auth token intended for example.com may be sent to notexample.com.
Details
auth_tokens.rs uses a simple ends_with check, which matches www.deno.land to a deno.land token as intended, but also matches im-in-ur-servers-attacking-ur-deno.land to deno.land tokens.
PoC
- Set up a server that logs requests. RequestBin will do. For example, denovulnpoc.example.com.
- Run [email protected] deno run https://not-a-left-truncated.domain. For example, [email protected] deno run https://denovulnpoc.example.com
- Observe that the token intended only for the truncated domain is sent to the full domain
Impact
What kind of vulnerability is it? Who is impacted?
Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected.
References
- GHSA-5frw-4rwq-xhcr
- denoland/deno@de23e3b