feat: Implement a wildcard in http allowed_domains to allow all domai…

…ns (fermyon#422) * added wildcard host and a rust outbound http example * updated outbound http upstream Signed-off-by: Jiaxiao Zhou <[email protected]>
danbugs · May 12, 2022 · 60695de · 60695de
1 parent 7a98ea2
commit 60695de
Show file tree

Hide file tree

Showing 8 changed files with 447 additions and 12 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/outbound-http/Cargo.toml b/crates/outbound-http/Cargo.toml
@@ -19,5 +19,5 @@ tokio = { version = "1.4.0", features = [ "full" ] }
 tracing = { version = "0.1", features = [ "log" ] }
 tracing-futures = "0.2"
 url = "2.2.1"
-wasi-experimental-http-wasmtime = { git = "https://github.com/deislabs/wasi-experimental-http", rev = "4ed321d6943f75546e38bba80e14a59797aa29de" }
-wit-bindgen-wasmtime = { git = "https://github.com/bytecodealliance/wit-bindgen", rev = "2f46ce4cc072107153da0cefe15bdc69aa5b84d0" }
+wasi-experimental-http-wasmtime = { git = "https://github.com/deislabs/wasi-experimental-http", rev = "9a143fa7d8be2a66d6d636c5c1b0c6e2bad68912" }
+wit-bindgen-wasmtime = { git = "https://github.com/bytecodealliance/wit-bindgen", rev = "2f46ce4cc072107153da0cefe15bdc69aa5b84d0" }
diff --git a/crates/outbound-http/src/lib.rs b/crates/outbound-http/src/lib.rs
@@ -12,6 +12,8 @@ pub use wasi_outbound_http::add_to_linker;
 
 wit_bindgen_wasmtime::export!("../../wit/ephemeral/wasi-outbound-http.wit");
 
+const ALLOW_ALL_HOSTS: &str = "insecure:allow-all";
+
 /// A very simple implementation for outbound HTTP requests.
 #[derive(Default, Clone)]
 pub struct OutboundHttp {
@@ -25,7 +27,8 @@ impl OutboundHttp {
     }
 
     /// Check if guest module is allowed to send request to URL, based on the list of
-    /// allowed hosts defined by the runtime.
+    /// allowed hosts defined by the runtime. If the list of allowed hosts contains
+    /// `insecure:allow-all`, then all hosts are allowed.
     /// If `None` is passed, the guest module is not allowed to send the request.
     fn is_allowed(url: &str, allowed_hosts: Option<Vec<String>>) -> Result<bool, HttpError> {
         let url_host = Url::parse(url)
@@ -35,13 +38,20 @@ impl OutboundHttp {
             .to_owned();
         match allowed_hosts.as_deref() {
             Some(domains) => {
-                let allowed: Result<Vec<_>, _> = domains.iter().map(|d| Url::parse(d)).collect();
-                let allowed = allowed.map_err(|_| HttpError::InvalidUrl)?;
-
-                Ok(allowed
-                    .iter()
-                    .map(|u| u.host_str().unwrap())
-                    .any(|x| x == url_host.as_str()))
+                tracing::info!("Allowed hosts: {:?}", domains);
+                // check domains has any "insecure:allow-all" wildcard
+                if domains.iter().any(|domain| domain == ALLOW_ALL_HOSTS) {
+                    Ok(true)
+                } else {
+                    let allowed: Result<Vec<_>, _> =
+                        domains.iter().map(|d| Url::parse(d)).collect();
+                    let allowed = allowed.map_err(|_| HttpError::InvalidUrl)?;
+
+                    Ok(allowed
+                        .iter()
+                        .map(|u| u.host_str().unwrap())
+                        .any(|x| x == url_host.as_str()))
+                }
             }
             None => Ok(false),
         }

diff --git a/examples/http-rust-oubound-http/.cargo/config.toml b/examples/http-rust-oubound-http/.cargo/config.toml
@@ -0,0 +1,2 @@
+[build]
+target = "wasm32-wasi"