Conversation

Notices

1. Embed this notice
   Deno (deno_land@fosstodon.org)'s status on Saturday, 02-Sep-2023 04:24:30 JST Deno

   Building CLIs in #Deno is productive and simple with:
   ✅ built-in tooling
   ✅ web platform APIs & browser methods
   ✅ `deno compile` into a cross-platform binary

   https://deno.com/blog/build-cross-platform-cli

   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Saturday, 02-Sep-2023 04:24:28 JST Alex Gleason

     in reply to
     @deno_land
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Saturday, 02-Sep-2023 04:39:10 JST Alex Gleason

     in reply to

     • Tassoman
     @tassoman @deno_land Exactly. This vulnerability is so 20 years ago. It makes me wonder if people who build Deno actually build applications with it, or if any of their clients are building things that matter. Whichever big company chooses Deno and then gets hit with it first is gonna be majorly pissed. I can see the Hacker News articles already.
   • Embed this notice
     Tassoman (tassoman@orwell.fun)'s status on Saturday, 02-Sep-2023 04:39:13 JST Tassoman

     in reply to

     • Alex Gleason
     This is silliest than old PHP :meow_thinkingeyes:
   • Embed this notice
     Tassoman (tassoman@orwell.fun)'s status on Saturday, 02-Sep-2023 04:44:56 JST Tassoman

     in reply to

     • Alex Gleason

     You can check your self, by just giving a search on Github.
     Everyone can search for #Deno inside package.json and for fetch (or what the hell is that) inside sources.
     Just don’t be malicious.

     Alex Gleason likes this.
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Saturday, 02-Sep-2023 04:45:45 JST Alex Gleason

     in reply to

     • Tassoman
     @tassoman @deno_land Deno doesn't use a package.json. There's probably some other way to search for it. Maybe "deno.land/x/" which is used in import URLs.
   • Embed this notice
     Tassoman (tassoman@orwell.fun)'s status on Saturday, 02-Sep-2023 04:50:13 JST Tassoman

     in reply to

     • Alex Gleason
     Maybe something like this and some creativity...
     
     https://github.com/search?q=deno.land+language%3ATypeScript+AND+%22fetch%28%22&type=code
     Alex Gleason likes this.
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Saturday, 02-Sep-2023 04:51:09 JST Alex Gleason

     in reply to

     • Tassoman
     @tassoman @deno_land Deno themselves are fetching bare URLs in at least 24 files of their own code. I wonder how much of this is vulnerable. https://github.com/search?q=fetch%28url+user%3Adenoland+path%3A*.ts&type=code&ref=advsearch
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Saturday, 02-Sep-2023 04:58:28 JST Alex Gleason

     in reply to

     • Tassoman
     @tassoman @deno_land At least DNS poisoning is a general networking problem and not a surprise behavior.
   • Embed this notice
     Tassoman (tassoman@orwell.fun)'s status on Saturday, 02-Sep-2023 04:58:30 JST Tassoman

     in reply to

     • Alex Gleason
     I think it's at least vulnerable to DNS poisoning.
     fetching by IP address could be a mitigation.
     I don't know about how would deal with HTTP redirects. If it follows, well ...
     
     A good security audit would never let this pass, at least here in Europe where we have security concern for remote fetching Google Fonts and CDN scripts