Deno: Add URLs to `--allow-net`

Created on 12 May 2020 · 6 comments · Source: denoland/deno

Deno should allow URLs to be specified in --allow-net, in addition to domain name and port pairs.

Currently, to run this simple JavaScript file:

// test.js: a single fetch to a fixed gist URL; the Response object is logged as-is
fetch('http://gist.githubusercontent.com/KSXGitHub/62cb052060dc169796ab3698ff53c33b/raw/9d7d84910b344eb8580be8b91cf539e18e565e5d/init.sh/').then((resp) => {
    console.log(resp)
})

I would need to allow all possible URLs on gist.githubusercontent.com, or allow any domain name (neither of which is fully secure):

All URLs possible with gist.githubusercontent.com:

deno --allow-net="gist.githubusercontent.com" test.js
Does compile
Response {
  response data...
}

Allow any domain name:

deno --allow-net test.js
Does compile
Response {
  response data...
}

And if I try running it the secure way, I get an error:

$ deno --allow-net="http://gist.githubusercontent.com/KSXGitHub/62cb052060dc169796ab3698ff53c33b/raw/9d7d84910b344eb8580be8b91cf539e18e565e5d/init.sh" test.js
Does compile
error: Uncaught PermissionDenied: network access to "http://gist.githubusercontent.com/KSXGitHub/62cb052060dc169796ab3698ff53c33b/raw/9d7d84910b344eb8580be8b91cf539e18e565e5d/init.sh/", run again with the --allow-net flag
    at unwrapResponse ($deno$/ops/dispatch_json.ts:43:11)
    at Object.sendAsync ($deno$/ops/dispatch_json.ts:98:10)
    at async fetch ($deno$/web/fetch.ts:591:27)

Thanks,
Dex Devlon

All 6 comments

This seems super useful. I suggest that the notation can start with a star to indicate multiple levels of subdomains like

deno --allow-net="*.githubusercontent.com" test.js

I also suggest making it a comma-separated list so that you can add several URLs:

deno --allow-net="*.githubusercontent.com, github.com, mydomain.lol" test.js

--allow-net supports providing a list of URLs:

$ deno run --allow-net=github.com,google.com mod.ts

Closing as resolved

@bartlomieju allow-net allows only domains, not URLs. For example, if google.com is allowed, it will also automatically allow google.com/about, but if you want to allow only google.com/about, that is not currently supported by --allow-net. This has nothing to do with comma-separated domain names. I think the issue is not resolved just yet.

As I said in IRC once, I think this should stay as it is.

URL paths are arbitrary strings which are prone to subtle formatting differences and it's not clear how the scopes should work. While it's intuitive that read permission to /foo should imply read permission to /foo/bar, it's not sensible that net permission to http://baz.com/foo implies http://baz.com/foo/bar. This doesn't leave any good way of whitelisting at the TCP level which should take priority.

It's important to offer whitelisting against _who_ the runtime can establish connections with. There's no reason to include random unstructured parts of the request payload as filter parameters. The pathname of a URL is effectively that.

allow-net allows only domains, not URLs. For example, if google.com is allowed, it will also automatically allow google.com/about, but if you want to allow only google.com/about, that is not currently supported by --allow-net. This has nothing to do with comma-separated domain names. I think the issue is not resolved just yet.

Hm, how would that even work? You connect to _hosts_, not fully qualified URLs.
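To make the point of the last two comments concrete, here is an added example, not code from the thread or from Deno's own permission implementation: a host:port allow-list in the spirit of `--allow-net=host[:port],...`, placed next to two URL-level checks (exact string match, and match after WHATWG URL normalization). The host example.com and the paths used are constructed for the demo; the wildcard syntax proposed above is deliberately rejected by the parser since it is not part of the flag.

```typescript
// Added example, not Deno's own permission code: a host:port allow-list in the
// spirit of `--allow-net=host[:port],...`, beside two URL-level variants
// (exact string match, and match after WHATWG URL normalization), to show
// why the host is a stable filter key and the path is not.
// example.com and the paths below are constructed for the demo.

interface NetAllowEntry {
  host: string;        // lowercase hostname, e.g. "gist.githubusercontent.com"
  port: number | null; // null: any port on that host
}

// Parse a comma-separated "host" / "host:port" list. Wildcards (`*.example.com`)
// are only a proposal in this thread, so they are rejected here; IPv6 literals
// are also out of scope for this simplified parser.
function parseAllowNet(list: string): NetAllowEntry[] {
  return list
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((entry) => {
      const m = /^([a-z0-9.-]+)(?::(\d{1,5}))?$/i.exec(entry);
      if (!m) throw new Error(`bad --allow-net entry: ${entry}`);
      const port = m[2] === undefined ? null : Number(m[2]);
      if (port !== null && (port < 1 || port > 65535)) {
        throw new Error(`bad port in --allow-net entry: ${entry}`);
      }
      return { host: m[1].toLowerCase(), port };
    });
}

// The TCP port the runtime will actually connect to. URL.port is "" when the
// port equals the scheme default, so fill that in explicitly.
function effectivePort(u: URL): number {
  if (u.port !== "") return Number(u.port);
  const defaults: Record<string, number> = { "http:": 80, "ws:": 80, "https:": 443, "wss:": 443 };
  const p = defaults[u.protocol];
  if (p === undefined) throw new Error(`unsupported scheme: ${u.protocol}`);
  return p;
}

// Host-level check: is the host:port this URL connects to on the allow-list?
// This is the one property of the request the runtime itself controls.
function netAllowed(allow: NetAllowEntry[], target: string): boolean {
  const u = new URL(target);
  const host = u.hostname.toLowerCase();
  const port = effectivePort(u);
  return allow.some((e) => e.host === host && (e.port === null || e.port === port));
}

// Path-level check as requested in the issue, done the naive way: exact string equality.
function exactUrlAllowed(allowedUrl: string, target: string): boolean {
  return allowedUrl === target;
}

// Path-level check after WHATWG URL normalization (dot segments resolved,
// default port dropped, host lowercased). Percent-encoding, path case,
// trailing slashes and query strings are NOT normalized, because only the
// server knows whether those spell the same resource.
function normalizedUrlAllowed(allowedUrl: string, target: string): boolean {
  return new URL(allowedUrl).href === new URL(target).href;
}

// Constructed spellings that all connect to example.com:443. Which of them the
// server treats as the same file is the server's decision, not the runtime's.
const PATH_VARIANTS: string[] = [
  "https://example.com/raw/init.sh",
  "https://example.com/raw/init.sh/",          // trailing slash
  "https://example.com/raw/./init.sh",         // dot segment
  "https://example.com/raw/../raw/init.sh",    // dot-dot segment
  "https://example.com/raw/init%2Esh",         // percent-encoded "."
  "https://example.com/RAW/init.sh",           // path case
  "https://example.com/raw/init.sh?x=1",       // query string
  "https://example.com:443/raw/init.sh",       // explicit default port
];

function countAllowed(check: (target: string) => boolean, targets: string[]): number {
  return targets.filter(check).length;
}

// How many of the variants each policy lets through when the user meant to
// allow exactly PATH_VARIANTS[0].
function compareChecks(): { byHost: number; byExactUrl: number; byNormalizedUrl: number } {
  const allow = parseAllowNet("example.com");
  const wanted = PATH_VARIANTS[0];
  return {
    byHost: countAllowed((t) => netAllowed(allow, t), PATH_VARIANTS),
    byExactUrl: countAllowed((t) => exactUrlAllowed(wanted, t), PATH_VARIANTS),
    byNormalizedUrl: countAllowed((t) => normalizedUrlAllowed(wanted, t), PATH_VARIANTS),
  };
}

console.log(compareChecks()); // { byHost: 8, byExactUrl: 1, byNormalizedUrl: 4 }
```

The host-level policy gives the same answer for all eight spellings because they all open a TCP connection to the same host and port. The exact-match policy accepts one, and even normalization through the URL parser only gets to four; the remaining differences (trailing slash, path case, percent-encoding, query) can only be resolved by the server, which is exactly the "subtle formatting differences" objection raised above.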
