Allow wildcards in --allow-net allow lists. #6532

Open
erisanolasheni opened this issue Jun 27, 2020 · 9 comments
Labels: cli (related to cli/ dir); suggestion (suggestions for new features, yet to be agreed)


erisanolasheni commented Jun 27, 2020

It will be good to allow wildcards in the --allow-net allow lists.

For example, this code throws errors:

// server.js: fetch a URL that redirects to a different host
await fetch('https://facebook.com')

deno run --allow-net=facebook.com server.js

Because https://facebook.com redirects to https://www.facebook.com

It should be possible to run this:
deno run --allow-net=*.facebook.com server.js

Port based wildcards might also be good. For example
https only
deno run --allow-net=https://* server.js
or
deno run --allow-net=*/**:443 server.js

@Spoonbender
Contributor

Just to clarify a nuance here:
IMO --allow-net=https://* server.js should not be equivalent to --allow-net=*/**:443 server.js:
The first one is scheme based (protocol-based), and should allow me to access everything using HTTPS, even if the server-side port is not 443 (i.e. https://somewhere.com:1234 should work).
The second one is port-based, and should allow me to access everything on port 443, even via non-HTTPS protocols such as HTTP, AMQP, MQTT etc. (i.e. amqp://somewhere:443 should work).

@erisanolasheni
Author

Yes you are right.

bartlomieju added the cli (related to cli/ dir) and suggestion (suggestions for new features, yet to be agreed) labels on Nov 18, 2020
@mbrevoort

This especially! --allow-net=*.slack.com 🙏

@Grunet

Grunet commented Apr 15, 2022

Ran into this just now with the aws sdk.

Was wanting to limit to something like cloudformation.*.amazonaws.com, where the wildcard would match the region

@erisanolasheni
Author

Hi @ry, this issue has been open for 2 years and we haven't heard any positive response about it. Anything going on with this?

@bartlomieju
Member

There is no movement on this front whatsoever. I will raise this topic on the next design meeting.

@erisanolasheni
Author

Okay, thanks for your concern.

@bartlomieju
Member

While this is not a priority for the core team, we would be happy to accept a PR that implements wildcard matching for the --allow-net flag.

@Grunet

Grunet commented Apr 28, 2022

Am I on base in thinking that the changes would be in this permissions.rs file, specifically UnaryPermission<NetDescriptor>'s 3 "check" methods (check, check_url, and check_all)?

I don't really know Rust (or how to read it...) but that's where I got to after some code tracing.
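
The matching rules discussed in this thread (host wildcards from the opening post, and the scheme-based versus port-based distinction raised in the reply), as an added sketch that is not Deno's code and not from any participant. It assumes a rule grammar of `[scheme://]host[:port]`, that each `*` matches exactly one DNS label, and it writes the port-only rule as `*:443` rather than the `*/**:443` form proposed above; `parseRule`, `hostMatches` and `isAllowed` are hypothetical names.

```javascript
// Added sketch, not Deno's implementation. Assumed rule grammar:
//   [scheme://]hostPattern[:port]
// Each "*" label matches exactly one DNS label; a bare "*" host matches any host.
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

function parseRule(rule) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+))?$/i.exec(rule);
  if (!m) throw new Error(`unsupported rule: ${rule}`);
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null, // null = any scheme
    labels: m[2].toLowerCase().split("."),
    port: m[3] ? Number(m[3]) : null,               // null = any port
  };
}

function hostMatches(ruleLabels, hostname) {
  if (ruleLabels.length === 1 && ruleLabels[0] === "*") return true;
  const host = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Compare label by label, never by substring or suffix, so that
  // "*.facebook.com" cannot match "www.evilfacebook.com" or
  // "www.facebook.com.example.net".
  return host.length === ruleLabels.length &&
    ruleLabels.every((l, i) => (l === "*" ? host[i].length > 0 : l === host[i]));
}

function isAllowed(allowList, target) {
  const url = new URL(target);
  // URL.port is "" when the scheme's default port is used.
  const port = url.port ? Number(url.port) : (DEFAULT_PORTS[url.protocol] ?? null);
  return allowList.map(parseRule).some((r) =>
    (r.scheme === null || r.scheme === url.protocol) && // scheme-based rule
    (r.port === null || r.port === port) &&             // port-based rule
    hostMatches(r.labels, url.hostname)
  );
}

// Constructed checks using the hosts named in the thread.
for (const [rule, target] of [
  ["facebook.com", "https://www.facebook.com"],
  ["*.facebook.com", "https://www.facebook.com"],
  ["https://*", "https://somewhere.com:1234"],
  ["*:443", "amqp://somewhere:443"],
]) {
  console.log(rule, target, isAllowed([rule], target));
}
```

Under the one-label assumption, `*.facebook.com` does not cover the apex `facebook.com`, so the redirect case from the opening post needs both `facebook.com` and `*.facebook.com` in the list.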
