Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for example.com
may be sent to notexample.com
.
authtokens.rs uses a simple endswith check, which matches www.deno.land
to a deno.land
token as intended, but also matches im-in-ur-servers-attacking-ur-deno.land
to deno.land
tokens.
denovulnpoc.example.com
.DENO_AUTH_TOKENS=a1b2c3d4e5f6@left-truncated.domain deno run https://not-a-left-truncated.domain
. For example, DENO_AUTH_TOKENS=a1b2c3d4e5f6@poc.example.com deno run https://denovulnpoc.example.com
What kind of vulnerability is it? Who is impacted? Anyone who uses DENOAUTHTOKENS and imports potentially untrusted code is affected.