Connecting to a local private IP without the user realizing it is quite straightforward in Deno: simply prompt the user for permission to a public domain that looks innocuous but that the attacker controls, and who has set the DNS records of that domain to point to the desired IP.
This isn't great for the attacker because they must know the IP beforehand. However, there are some well known internal IPs that can serve juicy data for an attacker, like 169.254.169.254 (see here). So just for that reason it should not be so easy to do that in Deno.
However, what happens when wildcard subdomains #6532 or URLPatterns #17378 are usable in --allow-net?
Combine these with a cute DNS server controlled by the attacker that returns any desired IP for the A record, and the attacker can probe the entire network. Consider how this Plex DNS server works (source: https://words.filippo.io/how-plex-is-doing-https-for-all-its-users/):
There are a number of factors combining to make a rather dangerous cocktail:
- wildcards in --allow-net (not implemented but indications are a PR would be merged)
- if you don't specify a port in --allow-net, Deno assumes you mean "any port you want". That's great for probing the network!
- Deno doesn't check the resolved IP to see if it's a reserved or private IP.
I think the user should be prompted again, or should explicitly allow access to an internal IP if a permitted public domain resolves to a private IP.
Furthermore, I think not specifying a port should imply it's 80 or 443. If you want something else, specify it. If you really want to allow any port it should be possible too, but has to be made explicit.
Thanks!
✌️
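The check the issue asks for, as an added example (not Deno's code): before a permitted hostname is connected to, classify the addresses DNS returned for it and refuse reserved or private ranges unless the user explicitly allowed them, and treat a missing port in the permission as "80 or 443 only". The hostname, the permission object shape and the resolved addresses below are constructed for illustration.

```javascript
// Reserved/private IPv4 ranges a permission check should refuse by default.
// Constructed list for this example; not Deno's own policy.
const RESERVED_V4 = [
  ["0.0.0.0", 8],        // "this" network
  ["10.0.0.0", 8],       // RFC 1918 private
  ["100.64.0.0", 10],    // RFC 6598 shared address space (CGNAT)
  ["127.0.0.0", 8],      // loopback
  ["169.254.0.0", 16],   // link-local, includes 169.254.169.254 (cloud metadata)
  ["172.16.0.0", 12],    // RFC 1918 private
  ["192.168.0.0", 16],   // RFC 1918 private
];

// Parse dotted-quad IPv4 into an unsigned 32-bit number; reject anything else.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`not an IPv4 address: ${ip}`);
    return acc * 256 + Number(p);
  }, 0);
}

// True when `ip` falls inside the CIDR block [base, prefixBits].
function inCidr(ip, [base, bits]) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isReservedIPv4(ip) {
  return RESERVED_V4.some((range) => inCidr(ip, range));
}

// Decide whether connecting to host:port may proceed, given the addresses DNS
// returned and one hypothetical --allow-net entry { host, port? }. A permission
// without a port only covers 80 and 443; any reserved address needs an explicit
// user decision instead of silently passing because the hostname was allowed.
function checkResolved(host, port, addresses, allowed) {
  const portOk = allowed.port === undefined ? port === 80 || port === 443 : allowed.port === port;
  if (!portOk) return { ok: false, reason: `port ${port} not permitted for ${host}` };
  const reserved = addresses.filter(isReservedIPv4);
  if (reserved.length > 0) {
    return { ok: false, reason: `${host} resolves to reserved address ${reserved[0]}; prompt the user` };
  }
  return { ok: true, reason: "public address on a permitted port" };
}
```

A real implementation would run this on every fresh resolution, since the attacker's DNS server can answer differently on each query.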