Deno's fetch implementation is insecure by default (fetch("file:///app/.env")) #20166
alexgleason started this conversation in General
I researched this problem a lot, and it turns out to be not entirely true. There is such a thing as DNS rebinding protection that can prevent this. If you have DNS rebinding protection, then filtering the hostname is enough. This is at least a problem a sysadmin can solve, unlike accessing file URIs.
This is a follow-up to the comments starting here: #11925 (comment)
The key point is that `fetch` allows accessing file URIs by default, eg `fetch("file:///app/.env")`
This is a major problem, because:
`fetch` from untrusted input.
`fetch` is an HTTP client. There is no expectation that it should handle anything except network traffic.
In the meantime, I created the deno-safe-fetch module to mitigate some of these issues.
The Deno security model doesn't fix this
I need to `--allow-read=.env` in order for Deno to read my secrets from a file so my application will work. This problem impacts secret files which I HAVE authorized Deno to read.
As a developer, I would NOT pass untrusted input to `Deno.readFile`. The whole point of using `Deno.readFile` is that it's a separate interface for accessing the filesystem.
Responding to arguments
Just because people on GitHub say they want this, does not mean they have thought it through or that it's a good idea.
Saying "this is more vulnerable than you thought" is not an excuse for it to be vulnerable. That makes it even worse.
Apparently so. Me and how many others? When it's easy to misunderstand how something should be used, that strikes me as a problem. Especially since users have no expectation that `fetch` should do anything except make network calls.
Just because you can do something, doesn't mean you should. It is not a good idea to do this on a webserver at all, which is the main way that Deno is used.
Oof. So DNS resolution has to happen to fix accessing internal IPs. At least this is within the realm of problems a security engineer would normally expect. Nobody expects that `fetch` would access files.
Yes, exactly. Security is built in layers. There are layers of insecurity on `fetch` right now.
@lucacasonato
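A pre-flight check of the kind this thread discusses, as an added example that is not part of the original posts and is not the code of deno-safe-fetch: it refuses any non-HTTP(S) scheme and any hostname that is literally an internal address before the URL reaches `fetch`. The names `ALLOWED_PROTOCOLS`, `isInternalHost`, `checkUrl` and `safeFetch` are hypothetical, and the host check looks at the literal only, so it assumes DNS rebinding protection is in place as the reply describes.

```javascript
// Added example: validate a URL before it ever reaches fetch().
// ALLOWED_PROTOCOLS, isInternalHost, checkUrl and safeFetch are hypothetical names.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// True when the hostname is literally loopback, private or link-local.
// A public name that resolves to an internal address still passes this check,
// which is why it only holds together with DNS rebinding protection.
function isInternalHost(hostname) {
  const host = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  const v4 = host.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (v4) {
    const [a, b] = [Number(v4[1]), Number(v4[2])];
    return a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  if (host.includes(":")) {
    // IPv6 literal: loopback, unspecified, unique-local, link-local, IPv4-mapped.
    return host === "::1" || host === "::" || /^f[cd]/.test(host) ||
      /^fe[89ab]/.test(host) || host.startsWith("::ffff:");
  }
  return false;
}

// Returns { ok: true, url } or { ok: false, reason } without touching the network.
function checkUrl(input) {
  let url;
  try {
    url = new URL(String(input)); // relative paths and malformed input throw
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `protocol ${url.protocol} not allowed` };
  }
  if (isInternalHost(url.hostname)) {
    return { ok: false, reason: `internal host ${url.hostname}` };
  }
  return { ok: true, url };
}

async function safeFetch(input, init = {}) {
  const result = checkUrl(input);
  if (!result.ok) throw new TypeError(`safeFetch refused: ${result.reason}`);
  // redirect: "manual" keeps a redirect target from being fetched unchecked.
  return fetch(result.url, { ...init, redirect: "manual" });
}
```

Callers that need redirects can read the `Location` header from the returned response and pass it through `checkUrl` again before following it.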