resolve static dns mappings in http-acl

nethunterslabs · Sep 10, 2023 · 5bd7fac · 5bd7fac
1 parent 669b1ea
commit 5bd7fac
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 14 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/wasi-http/Cargo.toml b/crates/wasi-http/Cargo.toml
@@ -13,7 +13,7 @@ bytes = { workspace = true }
 hyper = { version = "=1.0.0-rc.3", features = ["full"] }
 tokio = { version = "1", default-features = false, features = ["net", "rt-multi-thread", "time"] }
 http = { version = "0.2.9" }
-http-acl = "0.5.3"
+http-acl = "0.5.4"
 http-body = "1.0.0-rc.2"
 http-body-util = "0.1.0-rc.2"
 thiserror = { workspace = true }

diff --git a/crates/wasi-http/src/http_impl.rs b/crates/wasi-http/src/http_impl.rs
@@ -118,16 +118,24 @@ impl WasiHttp {
             bail!("Port {} is not allowed - {}", port, acl_port_match);
         }
 
+        let mut static_dns_mapping = false;
+
         let tcp_addresses = match &authority.host {
             http_acl::utils::authority::Host::Domain(domain) => {
-                let acl_host_match = self.acl.is_host_allowed(domain);
-                if acl_host_match.is_denied() {
-                    bail!("Host {} is not allowed - {}", domain, acl_host_match);
-                }
+                if let Some(tcp_address) = self.acl.resolve_static_dns_mapping(domain) {
+                    static_dns_mapping = true;
+
+                    vec![tcp_address]
+                } else {
+                    let acl_host_match = self.acl.is_host_allowed(domain);
+                    if acl_host_match.is_denied() {
+                        bail!("Host {} is not allowed - {}", domain, acl_host_match);
+                    }
 
-                tokio::net::lookup_host(&(domain.clone() + ":" + &port.to_string()))
-                    .await?
-                    .collect::<Vec<_>>()
+                    tokio::net::lookup_host(&(domain.clone() + ":" + &port.to_string()))
+                        .await?
+                        .collect::<Vec<_>>()
+                }
             }
             http_acl::utils::authority::Host::Ip(ip) => {
                 let acl_ip_match = self.acl.is_ip_allowed(ip);
@@ -139,10 +147,12 @@ impl WasiHttp {
             }
         };
 
-        for tcp_address in &tcp_addresses {
-            let acl_ip_match = self.acl.is_ip_allowed(&tcp_address.ip());
-            if acl_ip_match.is_denied() {
-                bail!("IP {} is not allowed - {}", tcp_address.ip(), acl_ip_match);
+        if !static_dns_mapping {
+            for tcp_address in &tcp_addresses {
+                let acl_ip_match = self.acl.is_ip_allowed(&tcp_address.ip());
+                if acl_ip_match.is_denied() {
+                    bail!("IP {} is not allowed - {}", tcp_address.ip(), acl_ip_match);
+                }
             }
         }