Hacker News
by thegagne 1655 days ago
Something I’d like to see, in browsers, Cloudflare Workers, Deno, etc: explicit network firewall in the software stack.

An example with Workers, one script might only need to fetch from Backblaze. I’d like to set their host as a whitelisted address, and so even if a log4j type vuln happens, it can’t go anywhere except Backblaze.

I think this could even work in browser-land? If you don’t need to pull in any resources outside the original host, deny any fetch made unless it’s added to a whitelist. For browsers this would need to be opt-in for backwards compatibility, but an ideal state would be opt-out (to allow all).

3 comments

You want a Content Security Policy[0]

[0]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...

Ah yes, I forgot about that browser side, but server side is that a thing?
Deno has permissions to do this: https://deno.land/manual@v1.11.3/getting_started/permissions. Deno Deploy (our serverless offering) has no support for permissions yet (still in beta), but we are expecting this to happen soon.
Nice!
FWIW, in Cloudflare Workers, a log4j-type RCE vulnerability would be impossible because Workers does not allow dynamic code loading (eval() and similar are disabled).

Of course, a lesser form of the vulnerability -- data leaks rather than RCE -- would still be possible. I agree that being able to restrict outbound traffic would be useful to mitigate that.

As a hack that works now, you could monkey-patch `fetch()` to intercept calls and deny them based on URL.

(I'm the tech lead of Cloudflare Workers.)
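As an added illustration of the monkey-patching approach described in the comment above (this is not code from the thread, from Cloudflare, or from any project it names), the wrapper below replaces `globalThis.fetch` with a version that only allows HTTPS requests to an explicit set of hostnames and records every denied attempt. It also builds the browser-side equivalent mentioned earlier in the thread, a Content-Security-Policy header whose `connect-src` carries the same allowlist. The hostname `api.backblazeb2.com` and the helper names are assumptions chosen for the example.

```javascript
// Added example: an egress allowlist for fetch() in a Workers-style runtime
// (anything with globalThis.fetch, e.g. Node 18+). Hostnames are constructed
// placeholders, not the project's or the thread's own configuration.

const ALLOWED_HOSTS = new Set(["api.backblazeb2.com"]); // constructed placeholder

// Decide whether a fetch() target is permitted. Accepts the same input kinds
// fetch() does: a string, a URL, or a Request object.
function isAllowed(input, allowed = ALLOWED_HOSTS) {
  const raw = typeof Request !== "undefined" && input instanceof Request
    ? input.url
    : String(input);
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false; // relative or malformed URL: deny rather than guess
  }
  if (url.protocol !== "https:") return false; // no plaintext egress
  return allowed.has(url.hostname);            // URL parser already lowercases
}

// Install the guard. Returns the list of denied targets (for logging/alerting)
// and a restore() that puts the original fetch back.
function installEgressAllowlist(allowed = ALLOWED_HOSTS, log = console.warn) {
  const realFetch = globalThis.fetch;
  const denied = [];
  globalThis.fetch = function guardedFetch(input, init) {
    if (!isAllowed(input, allowed)) {
      const target = typeof Request !== "undefined" && input instanceof Request
        ? input.url
        : String(input);
      denied.push(target);                       // recorded synchronously
      log(`egress denied: ${target}`);
      return Promise.reject(new TypeError(`egress to ${target} is not allowlisted`));
    }
    return realFetch.call(globalThis, input, init);
  };
  return { denied, restore: () => { globalThis.fetch = realFetch; } };
}

// Browser-side analogue: a CSP header that restricts fetch/XHR/WebSocket
// targets (connect-src) to the same allowlist plus the page's own origin.
function cspHeaderFor(allowed = ALLOWED_HOSTS) {
  const sources = [...allowed].map((h) => `https://${h}`).join(" ");
  return `default-src 'self'; connect-src 'self' ${sources}`.trim();
}
```

The guard is only as good as its install point: a module that captured a reference to `fetch` before `installEgressAllowlist()` ran, or code that reaches the network some other way, is not covered, which is why a runtime-native restriction (as Deno's permissions provide) is the stronger control. Treat the `denied` list as a detection signal worth shipping to logs, since a dependency that suddenly tries to reach an unexpected host is exactly the malicious-release scenario the thread is worried about.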

Thanks for thinking about this, Kenton. I agree the data leak is more the concern here, or even accidental use as a DDoS attack agent. The scenario is an import of something like worktop, if worktop released a malicious version.

Monkey patching is an option of course, but a native solution would be nice.

I think it's probably worth clarifying whether you mean an ACL or a firewall here. The former seems more feasible given that it's stateless and the latter is not, at least conventionally. Those implementation details matter here I think.

But speaking more broadly, do you have any examples of this kind of behavior being defined at the language specification level (and not in a platform API)? I can't think of any presently.

It seems problematic for a number of reasons, but if there's other examples to work backwards from that might be helpful for me to grok how this would work in a general sense.