-
Notifications
You must be signed in to change notification settings - Fork 5.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(runtime/permissions): support IP CIDR ranges in net allowlist #11509
Conversation
Signed-off-by: Dmitry Sharshakov <d3dx12.xx@gmail.com>
Signed-off-by: Dmitry Sharshakov <d3dx12.xx@gmail.com>
|
@lucacasonato requested not to land this one until he can review it. Removing milestone for now |
Can I suggest switching to It also supports IPv6 CIDRs like |
Yes, currently I only did that for IPv4. |
@sh7dm the added dependency seems worth it |
|
Signed-off-by: Dmitry Sharshakov <d3dx12.xx@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I haven't reviewed implementation, but this would likely block full URL network allow list due to possible parsing ambiguity between CIDR ranges and URLs (is this concern warranted?).
With full URL network allow list I mean the following: --allow-net=https://api.github.com/meta
would allow fetching https://api.github.com/meta
, but not https://api.github.com/users/lucacasonato
. Currently filtering is just per domain.
Can also be a trouble. Maybe we should either add some prefix or another CLI flag for CIDR? |
Actually maybe it is not even ambiguous without square brackets: The port should come after the CIDR range, so after the So should look like this:
If the subnet size is missing |
Yes, but what about URLs? How do we find out that |
@sh7dm IPv6 in URLs already requires that you wrap the address in square brackets: https://url.spec.whatwg.org/#valid-host-string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall, happy to get this feature. I have a few more asks though:
-
CIDR ranges are re-parsed on each permission check. CIDR ranges should be parsed once, and then stored in the NetDescriptor as a
ipnet::IpNet
(maybe turnNetDescriptor
into an enum?). -
Please also add a test that IPv6 CIDR where the IP address is surrounded by
[ ]
does not work.
Well, enum should be a great idea |
@sh7dm Do you still want to move forward with this? Seems like a great feature to have. |
Quite busy currently, sorry. No time for builds and proper testing. I do hope maintainers can help delivering this feature. |
That's too bad but thanks for your reply. Since this PR has merge conflicts, I'll go ahead and take the liberty of closing it. |
Fixes #9816