by throwitaway1123
345 days ago
> you can't just allow exact what you need in that category? You have to allow the entire category and then deny everything you don't want/need?

No, you can allow access to specific domains, IP addresses, filesystem paths, environment variables, etc, while denying everything else by default. You can for instance allow access to only a specific IP (e.g. `deno run --allow-net='127.0.0.1' main.ts`), while implicitly blocking every other IP.

What the commenter is complaining about is the fact that Deno doesn't check which IP address a domain name actually resolves to using DNS resolution. So if you explicitly deny '1.1.1.1', and the script you're running fetches from a domain with an A record pointing to '1.1.1.1', Deno will allow it.

In practice, I usually use allow lists rather than deny lists, because I very rarely have an exhaustive list on hand of every IP address or domain I'm expecting a rogue script to attempt to access.
If you can default deny, then you're good. It's kind of a junior sysadmin mistake, otherwise, I would say.
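
The difference between the two policies discussed in this thread, as an added example that is not part of any comment and is not Deno's own code: a small model of a permission check that matches only the requested host string, next to a default-deny allow list and a resolve-aware variant. The `Policy` type, the function names and the DNS table are all hypothetical and constructed for illustration.

```typescript
// Model of a network permission check. NOT Deno's implementation;
// every name below is hypothetical.
type Policy = { allow?: string[]; deny?: string[] };

// Constructed stand-in for DNS so the example runs offline.
const CONSTRUCTED_DNS: Record<string, string[]> = {
  "cdn.example.test": ["1.1.1.1"],
  "api.example.test": ["192.0.2.10"],
};

const isIPv4 = (h: string): boolean => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// Addresses a host ends up connecting to: itself if it is an IP literal,
// otherwise whatever the constructed resolver returns.
function resolve(host: string): string[] {
  return isIPv4(host) ? [host] : CONSTRUCTED_DNS[host] ?? [];
}

// Compares only the string the script asked for, as the comment describes:
// a denied IP is not matched when it is reached through a domain name.
function literalCheck(host: string, p: Policy): boolean {
  if (p.deny?.includes(host)) return false;
  // No allow list models "whole category allowed, minus the deny list".
  return p.allow ? p.allow.includes(host) : true;
}

// Stricter variant that an egress proxy or firewall could apply: the deny
// list is also evaluated against every resolved address.
function resolvedCheck(host: string, p: Policy): boolean {
  if (!literalCheck(host, p)) return false;
  const addrs = resolve(host);
  return addrs.length > 0 && !addrs.some((a) => p.deny?.includes(a));
}

function demo(): Record<string, boolean> {
  const denyOnly: Policy = { deny: ["1.1.1.1"] };
  const allowOnly: Policy = { allow: ["api.example.test"] };
  return {
    denyLiteralIp: literalCheck("1.1.1.1", denyOnly),
    denyViaDomain: literalCheck("cdn.example.test", denyOnly), // the gap
    denyViaDomainResolved: resolvedCheck("cdn.example.test", denyOnly),
    allowListViaDomain: literalCheck("cdn.example.test", allowOnly),
    allowListExpected: literalCheck("api.example.test", allowOnly),
  };
}

console.log(demo());
```

With the allow list, the unexpected domain is refused without anyone having to know which IP it resolves to, which is why default deny sidesteps the problem.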