mirror of https://github.com/denoland/deno.git synced 2025-01-10 08:09:06 -05:00

A modern runtime for JavaScript and TypeScript. https://deno.com/

Find a file

Andrew Stucki 1e478d73e3 Drop headers with trailing whitespace in header name (#4642 ) This relates directly to [an issue](https://github.com/denoland/deno_std/issues/620) that I initially raised in `deno_std` awhile back, and was reminded about it today when the `oak` project popped up on my github recommended repos. As of now Deno's http servers are vulnerable to the same underlying issue of go CVE-2019-16276 due to the fact that it's based off of ported go code from their old standard library. [Here's the commit that fixed the CVE.](`6e6f4aaf70`) Long story short, some off the shelf proxies and caching servers allow for passing unaltered malformed headers to backends that they're fronting. When they pass invalid headers that they don't understand this can cause issues with HTTP request smuggling. I believe that to this date, this is the default behavior of AWS ALBs--meaning any server that strips whitespace from the tail end of header field names and then interprets the header, when placed behind an ALB, is susceptible to request smuggling. The current behavior is actually specifically called out in [RFC 7230](https://tools.ietf.org/html/rfc7230#section-3.2.4) as something that MUST result in a rejected message, but the change corresponding to this PR, is more lenient and what both go and nginx currently do, and is better than the current behavior.		2020-04-06 09:58:46 -04:00
.cargo	Statically link the C runtime library on Windows (#4469 )	2020-03-23 20:31:29 +01:00
.github	Publish deno types on release (#4583 )	2020-04-02 11:56:09 -04:00
cli	docs: add README to cli/js/web/ (#4578 )	2020-04-06 13:06:11 +02:00
core	clippy (#4618 )	2020-04-03 22:41:16 -04:00
deno_typescript	v0.39.0	2020-04-03 14:38:56 -04:00
std	Drop headers with trailing whitespace in header name (#4642 )	2020-04-06 09:58:46 -04:00
test_plugin	Update to Prettier 2 and use ES Private Fields (#4498 )	2020-03-28 13:03:49 -04:00
third_party@4a3ade3322	Update to Prettier 2 and use ES Private Fields (#4498 )	2020-03-28 13:03:49 -04:00
tools	fix: Add check to fail the benchmark test on server error (#4519 )	2020-03-30 14:04:45 -04:00
.editorconfig	editorconfig: Don't insert final newline in .out files (#1686 )	2019-02-07 11:31:49 -05:00
.eslintignore	feat: dprint formatter (#3820 )	2020-01-29 21:16:48 -05:00
.eslintrc.json	Add require-await lint rule (#4401 )	2020-03-20 09:38:34 -04:00
.gitattributes	Upgrade node_modules, change tagline, clean up root directory (#3247 )	2019-10-31 19:33:27 -07:00
.gitignore	Statically link the C runtime library on Windows (#4469 )	2020-03-23 20:31:29 +01:00
.gitmodules	Replace libdeno with rusty_v8 (#3556 )	2020-01-05 09:19:29 -05:00
.prettierignore	Loader: support .wasm imports (#3328 )	2019-11-14 08:31:39 -05:00
.prettierrc.json	tools/format: format markdown files with prettier	2018-10-04 02:02:23 -07:00
.rustfmt.toml	change copyrights from 2019 to 2020 (#3733 )	2020-01-21 10:01:55 -05:00
Cargo.lock	v0.39.0	2020-04-03 14:38:56 -04:00
Cargo.toml	feat: first pass at native plugins (#3372 )	2019-12-05 15:30:20 -05:00
LICENSE	change copyrights from 2019 to 2020 (#3733 )	2020-01-21 10:01:55 -05:00
README.md	Use discord instead of gitter (#4253 )	2020-03-04 19:49:51 -05:00
Releases.md	v0.39.0	2020-04-03 14:38:56 -04:00

README.md

Deno

A secure runtime for JavaScript and TypeScript.

Deno aims to provide a productive and secure scripting environment for the modern programmer. It is built on top of V8, Rust, and TypeScript.

Please read the introduction for more specifics.