Many new access requests for DNS and IPs that were not in 2.1.4 #27634

Open
notroid5 opened this issue Jan 11, 2025 · 4 comments
Labels: question (a question about the use of Deno), working as designed (this is working as intended)

notroid5 commented Jan 11, 2025

Version: Deno 2.1.5

I'm connecting to Twitch with the npm:@twurple/* packages.
None of these access requests are necessary in 2.1.4 or earlier.
Re-confirmed by downgrading to 2.1.4.

Probably related to #25470, maybe also #27572.

Deno script

-N=0.0.0.0:8080,api.twitch.tv:443,id.twitch.tv:443

nslookup

id.twitch.tv => 52.89.33.131, 54.69.142.122, 54.191.180.173
api.twitch.tv => 3.167.227.4, 3.167.227.5, 3.167.227.59, 3.167.227.114

IP 1: 127.0.0.53:53 (localhost DNS)

⚠️ Deno requests net access to "127.0.0.53:53".
┠─ Requested by Deno.resolveDns() API.
┃ ├─ op_dns_resolve (ext:core/00_infra.js:264:44)
┃ ├─ Object.resolveDns (ext:deno_net/01_net.js:77:18)
┃ ├─ ext:deno_node/internal_binding/cares_wrap.ts:55:65
┃ ├─ Array.map ()
┃ ├─ ext:deno_node/internal_binding/cares_wrap.ts:55:42
┃ ├─ getaddrinfo (ext:deno_node/internal_binding/cares_wrap.ts:72:5)
┃ ├─ lookup (node:dns:131:15)
┃ ├─ emitLookup (node:net:534:5)
┃ ├─ defaultTriggerAsyncIdScope (ext:deno_node/internal/async_hooks.ts:193:18)
┃ └─ _lookupAndConnectMultiple (node:net:533:3)
┠─ Learn more at: https://docs.deno.com/go/--allow-net
┠─ Run again with --allow-net to bypass this prompt.
┗ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all net permissions) >

  • if no to IP 1:
    => crash

❌ Denied net access to "127.0.0.53:53".
error: Uncaught Error: getaddrinfo ENOTFOUND id.twitch.tv
at __node_internal_captureLargerStackTrace (ext:deno_node/internal/errors.ts:93:9)
at _node_internal (ext:deno_node/internal/errors.ts:246:10)
at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:43:26)
at ext:deno_node/internal_binding/cares_wrap.ts:71:9
at eventLoopTick (ext:core/01_core.js:175:7)

  • if yes to IP 1:
    => IP 2: 54.191.180.173:443 (id.twitch.tv)

⚠️ Deno requests net access to "127.0.0.53:53".
┠─ Requested by Deno.resolveDns() API.
┃ ├─ op_dns_resolve (ext:core/00_infra.js:264:44)
┃ ├─ Object.resolveDns (ext:deno_net/01_net.js:77:18)
┃ ├─ ext:deno_node/internal_binding/cares_wrap.ts:55:65
✅ Granted net access to "127.0.0.53:53".
⚠️ Deno requests net access to "54.191.180.173:443".
┠─ Requested by Deno.connect() API.
┃ ├─ op_net_connect_tcp (ext:core/00_infra.js:264:44)
┃ ├─ Object.connect (ext:deno_net/01_net.js:583:61)
┃ ├─ TCP.#connect (ext:deno_node/internal_binding/tcp_wrap.ts:291:10)
┃ ├─ TCP.connect (ext:deno_node/internal_binding/tcp_wrap.ts:139:25)
┃ ├─ _internalConnectMultiple (node:net:347:24)
┃ ├─ defaultTriggerAsyncIdScope (ext:deno_node/internal/async_hooks.ts:193:18)
┃ ├─ GetAddrInfoReqWrap.emitLookup [as callback] (node:net:626:7)
┃ ├─ GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:54:8)
┃ ├─ ext:deno_node/internal_binding/cares_wrap.ts:71:9
┃ └─ eventLoopTick (ext:core/01_core.js:175:7)
┠─ Learn more at: https://docs.deno.com/go/--allow-net
┠─ Run again with --allow-net to bypass this prompt.
┗ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all net permissions) >

-- if no to IP 2:
=> IP 3: 52.89.33.131:443 (id.twitch.tv)

⚠️ Deno requests net access to "127.0.0.53:53".
┠─ Requested by Deno.resolveDns() API.
┃ ├─ op_dns_resolve (ext:core/00_infra.js:264:44)
┃ ├─ Object.resolveDns (ext:deno_net/01_net.js:77:18)
┃ ├─ ext:deno_node/internal_binding/cares_wrap.ts:55:65
✅ Granted net access to "127.0.0.53:53".
⚠️ Deno requests net access to "54.191.180.173:443".
┠─ Requested by Deno.connect() API.
┃ ├─ op_net_connect_tcp (ext:core/00_infra.js:264:44)
┃ ├─ Object.connect (ext:deno_net/01_net.js:583:61)
┃ ├─ TCP.#connect (ext:deno_node/internal_binding/tcp_wrap.ts:291:10)
❌ Denied net access to "54.191.180.173:443".
⚠️ Deno requests net access to "52.89.33.131:443".
┠─ Requested by Deno.connect() API.
┃ ├─ op_net_connect_tcp (ext:core/00_infra.js:264:44)
┃ ├─ Object.connect (ext:deno_net/01_net.js:583:61)
┃ ├─ TCP.#connect (ext:deno_node/internal_binding/tcp_wrap.ts:291:10)
┃ ├─ TCP.connect (ext:deno_node/internal_binding/tcp_wrap.ts:139:25)
┃ ├─ _internalConnectMultiple (node:net:347:24)
┃ ├─ _afterConnectMultiple (node:net:210:7)
┃ ├─ TCP.afterConnect (ext:deno_node/internal_binding/connection_wrap.ts:43:11)
┃ ├─ ext:deno_node/internal_binding/tcp_wrap.ts:306:14
┃ └─ eventLoopTick (ext:core/01_core.js:175:7)
┠─ Learn more at: https://docs.deno.com/go/--allow-net
┠─ Run again with --allow-net to bypass this prompt.
┗ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all net permissions) >

--- if no to IP 3:
=> IP 4: 54.69.142.122:443

⚠️ Deno requests net access to "127.0.0.53:53".
┠─ Requested by Deno.resolveDns() API.
┃ ├─ op_dns_resolve (ext:core/00_infra.js:264:44)
┃ ├─ Object.resolveDns (ext:deno_net/01_net.js:77:18)
┃ ├─ ext:deno_node/internal_binding/cares_wrap.ts:55:65
✅ Granted net access to "127.0.0.53:53".
⚠️ Deno requests net access to "54.191.180.173:443".
┠─ Requested by Deno.connect() API.
┃ ├─ op_net_connect_tcp (ext:core/00_infra.js:264:44)
┃ ├─ Object.connect (ext:deno_net/01_net.js:583:61)
┃ ├─ TCP.#connect (ext:deno_node/internal_binding/tcp_wrap.ts:291:10)
❌ Denied net access to "54.191.180.173:443".
⚠️ Deno requests net access to "52.89.33.131:443".
┠─ Requested by Deno.connect() API.
┃ ├─ op_net_connect_tcp (ext:core/00_infra.js:264:44)
┃ ├─ Object.connect (ext:deno_net/01_net.js:583:61)
❌ Denied net access to "52.89.33.131:443".
⚠️ Deno requests net access to "54.69.142.122:443".
┠─ Requested by Deno.connect() API.
┃ ├─ op_net_connect_tcp (ext:core/00_infra.js:264:44)
┃ ├─ Object.connect (ext:deno_net/01_net.js:583:61)
┃ ├─ TCP.#connect (ext:deno_node/internal_binding/tcp_wrap.ts:291:10)
┃ ├─ TCP.connect (ext:deno_node/internal_binding/tcp_wrap.ts:139:25)
┃ ├─ _internalConnectMultiple (node:net:347:24)
┃ ├─ _afterConnectMultiple (node:net:210:7)
┃ ├─ TCP.afterConnect (ext:deno_node/internal_binding/connection_wrap.ts:43:11)
┃ ├─ ext:deno_node/internal_binding/tcp_wrap.ts:306:14
┃ └─ eventLoopTick (ext:core/01_core.js:175:7)
┠─ Learn more at: https://docs.deno.com/go/--allow-net
┠─ Run again with --allow-net to bypass this prompt.
┗ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all net permissions) >

---- if no to IP 4:
=> crash

⚠️ Deno requests net access to "127.0.0.53:53".
┠─ Requested by Deno.resolveDns() API.
┃ ├─ op_dns_resolve (ext:core/00_infra.js:264:44)
┃ ├─ Object.resolveDns (ext:deno_net/01_net.js:77:18)
┃ ├─ ext:deno_node/internal_binding/cares_wrap.ts:55:65
✅ Granted net access to "127.0.0.53:53".
⚠️ Deno requests net access to "54.191.180.173:443".
┠─ Requested by Deno.connect() API.
┃ ├─ op_net_connect_tcp (ext:core/00_infra.js:264:44)
┃ ├─ Object.connect (ext:deno_net/01_net.js:583:61)
┃ ├─ TCP.#connect (ext:deno_node/internal_binding/tcp_wrap.ts:291:10)
❌ Denied net access to "54.191.180.173:443".
⚠️ Deno requests net access to "52.89.33.131:443".
┠─ Requested by Deno.connect() API.
┃ ├─ op_net_connect_tcp (ext:core/00_infra.js:264:44)
┃ ├─ Object.connect (ext:deno_net/01_net.js:583:61)
❌ Denied net access to "52.89.33.131:443".
⚠️ Deno requests net access to "54.69.142.122:443".
┠─ Requested by Deno.connect() API.
┃ ├─ op_net_connect_tcp (ext:core/00_infra.js:264:44)
┃ ├─ Object.connect (ext:deno_net/01_net.js:583:61)
❌ Denied net access to "54.69.142.122:443".
error: Uncaught AggregateError
Error: connect ECONNREFUSED 54.191.180.173:443
at __node_internal_captureLargerStackTrace (ext:deno_node/internal/errors.ts:93:9)
at __node_internal_exceptionWithHostPort (ext:deno_node/internal/errors.ts:217:10)
at _createConnectionError (node:net:185:14)
at _afterConnectMultiple (node:net:205:16)
at TCP.afterConnect (ext:deno_node/internal_binding/connection_wrap.ts:43:11)
at ext:deno_node/internal_binding/tcp_wrap.ts:306:14
at eventLoopTick (ext:core/01_core.js:175:7)
Error: connect ECONNREFUSED 52.89.33.131:443
at __node_internal_captureLargerStackTrace (ext:deno_node/internal/errors.ts:93:9)
at __node_internal_exceptionWithHostPort (ext:deno_node/internal/errors.ts:217:10)
at _createConnectionError (node:net:185:14)
at _afterConnectMultiple (node:net:205:16)
at TCP.afterConnect (ext:deno_node/internal_binding/connection_wrap.ts:43:11)
at ext:deno_node/internal_binding/tcp_wrap.ts:306:14
at eventLoopTick (ext:core/01_core.js:175:7)
Error: connect ECONNREFUSED 54.69.142.122:443
at __node_internal_captureLargerStackTrace (ext:deno_node/internal/errors.ts:93:9)
at __node_internal_exceptionWithHostPort (ext:deno_node/internal/errors.ts:217:10)
at _createConnectionError (node:net:185:14)
at _afterConnectMultiple (node:net:205:16)
at TCP.afterConnect (ext:deno_node/internal_binding/connection_wrap.ts:43:11)
at ext:deno_node/internal_binding/tcp_wrap.ts:306:14
at eventLoopTick (ext:core/01_core.js:175:7)
at _internalConnectMultiple (node:net:308:18)
at _afterConnectMultiple (node:net:210:7)
at TCP.afterConnect (ext:deno_node/internal_binding/connection_wrap.ts:43:11)
at ext:deno_node/internal_binding/tcp_wrap.ts:306:14
at eventLoopTick (ext:core/01_core.js:175:7)

-- if yes to IP 2:
=> host 1: id.twitch.tv:0

⚠️ Deno requests net access to "127.0.0.53:53".
┠─ Requested by Deno.resolveDns() API.
┃ ├─ op_dns_resolve (ext:core/00_infra.js:264:44)
┃ ├─ Object.resolveDns (ext:deno_net/01_net.js:77:18)
┃ ├─ ext:deno_node/internal_binding/cares_wrap.ts:55:65
✅ Granted net access to "127.0.0.53:53".
⚠️ Deno requests net access to "54.191.180.173:443".
┠─ Requested by Deno.connect() API.
┃ ├─ op_net_connect_tcp (ext:core/00_infra.js:264:44)
┃ ├─ Object.connect (ext:deno_net/01_net.js:583:61)
┃ ├─ TCP.#connect (ext:deno_node/internal_binding/tcp_wrap.ts:291:10)
✅ Granted net access to "54.191.180.173:443".
⚠️ Deno requests net access to "id.twitch.tv:0".
┠─ Requested by Deno.startTls() API.
┃ ├─ node:http:306:27
┃ ├─ HttpsClientRequest._writeHeader (node:http:398:7)
┃ ├─ HttpsClientRequest._flushHeaders (node:_http_outgoing:382:12)
┃ ├─ Socket.onConnect (node:http:444:16)
┃ ├─ Socket.emit (ext:deno_node/_events.mjs:405:35)
┃ ├─ _afterConnect (node:net:159:12)
┃ ├─ _afterConnectMultiple (node:net:214:3)
┃ ├─ TCP.afterConnect (ext:deno_node/internal_binding/connection_wrap.ts:43:11)
┃ ├─ ext:deno_node/internal_binding/tcp_wrap.ts:299:14
┃ └─ eventLoopTick (ext:core/01_core.js:175:7)
┠─ Learn more at: https://docs.deno.com/go/--allow-net
┠─ Run again with --allow-net to bypass this prompt.
┗ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all net permissions) >

----- if no to host 1:
=> crash after a few more access requests, no matter if any more are granted

----- if yes to host 1:
=> crash if too slow:
(else continues with more access requests)

⚠️ Deno requests net access to "127.0.0.53:53".
┠─ Requested by Deno.resolveDns() API.
┃ ├─ op_dns_resolve (ext:core/00_infra.js:264:44)
┃ ├─ Object.resolveDns (ext:deno_net/01_net.js:77:18)
┃ ├─ ext:deno_node/internal_binding/cares_wrap.ts:55:65
✅ Granted net access to "127.0.0.53:53".
⚠️ Deno requests net access to "54.191.180.173:443".
┠─ Requested by Deno.connect() API.
┃ ├─ op_net_connect_tcp (ext:core/00_infra.js:264:44)
┃ ├─ Object.connect (ext:deno_net/01_net.js:583:61)
┃ ├─ TCP.#connect (ext:deno_node/internal_binding/tcp_wrap.ts:291:10)
✅ Granted net access to "54.191.180.173:443".
⚠️ Deno requests net access to "id.twitch.tv:0".
┠─ Requested by Deno.startTls() API.
┃ ├─ node:http:306:27
┃ ├─ HttpsClientRequest._writeHeader (node:http:398:7)
┃ ├─ HttpsClientRequest._flushHeaders (node:_http_outgoing:382:12)
✅ Granted net access to "id.twitch.tv:0".
error: Uncaught (in promise) TypeError: Failed to fetch: request body stream errored
at node:http:385:17
at eventLoopTick (ext:core/01_core.js:175:7)
Caused by: "resource closed"

Edit: Removed the # from the IP/host numbers, so it does not auto link to unrelated issues any more.

@bartlomieju
Member

This is now expected. With #25470 landed, the node:http module has been rewritten in depth to support the createConnection option. Before that PR, the DNS resolution was happening automatically in Rust and didn't cause permission checks (because it was transparent), but with this change the DNS resolution can be performed either by user code in createConnection or using the default DNS APIs (node:dns) and thus requires permission checks.

bartlomieju added the "question" and "working as designed" labels Jan 14, 2025
@notroid5
Author

Is there any way around this? The IPs may not change in my case but what if a host has a dynamic IP?

@bartlomieju
Member

> Is there any way around this? The IPs may not change in my case but what if a host has a dynamic IP?

No, there's no workaround for it at the moment.

@notroid5
Author

As I just found out, even Twitch IPs are not static.
The current status of this is unreasonable at the moment.
I will have to keep using 2.1.4 until this is resolved.

The only thing I can think of right now would be to look up all IPs for the host(s) first and insert them in the Deno command.
However, at this point, Deno is working actively against me.
This should be considered a regression.
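
The workaround floated in the last comment (look up the host's addresses first and pass them on the command line), sketched as an added example that is not part of the thread or of Deno. It assumes literal allow-list matching in which a bare host entry covers every port; `requestedEndpoints`, `isCovered`, `buildAllowNet` and `resolveAll` are hypothetical helper names.

```javascript
// Added example, not code from the issue or from Deno.
// Assumption: a bare "host" entry covers every port, "host:port" only that
// port, and entries are compared literally (no DNS lookup at check time).

// Prompt lines copied from the report above (2.1.5, -N list as posted).
const SAMPLE_PROMPTS = `
⚠️ Deno requests net access to "127.0.0.53:53".
⚠️ Deno requests net access to "54.191.180.173:443".
⚠️ Deno requests net access to "id.twitch.tv:0".
`;

// Unique endpoints named in "requests net access to" prompt lines.
function requestedEndpoints(promptLog) {
  const re = /requests net access to "([^"]+)"/g;
  return [...new Set([...promptLog.matchAll(re)].map((m) => m[1]))];
}

// True when "host:port" matches one allow-list entry under the assumption above.
function isCovered(endpoint, allowList) {
  const host = endpoint.slice(0, endpoint.lastIndexOf(":"));
  return allowList.some((entry) => entry === endpoint || entry === host);
}

// Extend a base list with the resolver, each resolved IP, and the bare host
// (the bare host is what covers the "host:0" check made by Deno.startTls()).
function buildAllowNet(base, resolved, resolver, port = 443) {
  const entries = new Set([...base, resolver]);
  for (const [host, ips] of Object.entries(resolved)) {
    entries.add(host);
    for (const ip of ips) entries.add(`${ip}:${port}`);
  }
  return [...entries];
}

// Resolve A records right before launch; answers can differ between runs.
async function resolveAll(hosts) {
  const dns = await import("node:dns/promises");
  const out = {};
  for (const host of hosts) out[host] = await dns.resolve4(host);
  return out;
}
```

Join the result with commas for `--allow-net=`. Each `IP:443` entry admits whatever is served at that address, and the list is only as fresh as the lookup that produced it.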
