feat(unstable): --allow-net subdomain wildcards #29327
Conversation
nayeemrmn
changed the title
nayeemrmn
changed the title
|
IMO, users may need to be concerned about attacks via dangling records, while this feature is safe to use in most cases. https://www.form3.tech/blog/engineering/dangling-danger |
|
Please open a PR to https://github.com/denoland/docs that updates explanation of the |
dsherret
left a comment
dsherret
left a comment
There was a problem hiding this comment.
LGTM once the boolean parameter is removed.
| || NetDescriptor::parse(host_and_port).is_ok() | ||
| || NetDescriptor::parse_for_list( | ||
| host_and_port, | ||
| UnstableSubdomainWildcards::Enabled, |
There was a problem hiding this comment.
Sweet. Thanks! This also makes it slightly easier to remove in the future because we'll just need to do a find all references for this type.
| fn parse_net_query( | ||
| &self, | ||
| text: &str, | ||
| ) -> Result<NetDescriptor, NetDescriptorParseError>; |
There was a problem hiding this comment.
One tiny thing, is considering this is permissions, I wonder if we should use a different type for query like NetQuery instead of NetDescriptor so there's a bit more protection in not accidentally mixing them up? I'm not sure it makes sense. Just a thought.
There was a problem hiding this comment.
That was my first try. It's hard to walk through it all but I essentially hit a roadblock implementing QueryDescriptor::from_allow() (this method fundamentally doesn't make sense) for NetQuery { type AllowDesc = NetDescriptor }, and the change exploded in scope trying to address everything. So I restarted.
However, I'm also doubtful we should have separate 'query' and 'allow-listed range' types, since the latter should also be query-able through the runtime API. It also needs to be queried when checking for escalations when spawning child workers, which is precisely where we use QueryDescriptor::from_allow().
There might have been technical causes to do this type AllowDesc stuff for env or run permissions, but from a wider lens it seems flawed.
4 participants
Closes #6532.
Supports one wildcard which must be the first label. Doesn't support wildcards in a middle label like
cloudformation.*.amazonaws.comas one user requested. Based on https://developers.cloudflare.com/dns/manage-dns-records/reference/wildcard-dns-records/#aspects-to-consider.Let's decline these ones.