Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add allow list for HTTP methods/schemes/authorities #6401

Closed
wants to merge 3 commits into from
Closed

Add allow list for HTTP methods/schemes/authorities #6401

wants to merge 3 commits into from

Conversation

brendandburns
Copy link
Contributor

This adds allow lists to HTTP which enable the creator of the wasm runtime to specify:

  • allowed methods
  • allowed schemes
  • allowed authorities

It also supports a wildcard value * which matches everything.

Unit tests to validate the functionality are also included.

@brendandburns brendandburns requested a review from a team as a code owner May 17, 2023 19:48
@brendandburns brendandburns requested review from alexcrichton and removed request for a team May 17, 2023 19:48
@brendandburns
Copy link
Contributor Author

cc @pchickey

@alexcrichton
Copy link
Member

I'm gonna move review over to @pchickey who's more in-depth with this stuff than I am, but it also looks like there's a CI failure you may be interested in.

@alexcrichton alexcrichton requested review from pchickey and removed request for alexcrichton May 17, 2023 22:14
@brendandburns brendandburns changed the title Allowed Add allow list for HTTP methods/sechemes/authorities May 17, 2023
@brendandburns
Copy link
Contributor Author

I'll look into the CI failure. "It worked on my machine"(tm)

@brendandburns
Copy link
Contributor Author

Ok, looks like this was incomptable with the changes in #6385 and I forgot to re-run the tests after a rebase.

CI should now pass, ready for a real review.

@brendandburns brendandburns changed the title Add allow list for HTTP methods/sechemes/authorities Add allow list for HTTP methods/schemes/authorities May 18, 2023
Mossaka
Mossaka reviewed May 19, 2023
View reviewed changes
crates/wasi-http/src/http_impl.rs
@@ -43,6 +43,18 @@ fn port_for_scheme(scheme: &Option<Scheme>) -> &str {
}
}

fn is_allowed(allow_list: &Vec<String>, value: String) -> bool {
for allowed in allow_list.iter() {
if allowed == "*" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you want to follow the convention in wasi-experimental-http that uses "insecure:allow-all" to match everything?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I will leave wild-card in for now. I'm not sure we want to imply wild-card == insecure, that seems to be up to the user of wasmtime to determine what is secure or not in their environment. (or we should define this in the wasi-http spec)

@veeshi veeshi mentioned this pull request Aug 5, 2023
Closed
@brendandburns
Copy link
Contributor Author

Given discussion here:
#6808

Closing this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mossaka Mossaka Mossaka left review comments

@pchickey pchickey Awaiting requested review from pchickey

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@brendandburns @alexcrichton @Mossaka