Skip to content

Remove the check for ':' when setting authority in wasi-http. #11145

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 27, 2025
Merged

Remove the check for ':' when setting authority in wasi-http. #11145

merged 2 commits into from
Jun 27, 2025

Conversation

rylev
Copy link
Contributor

@rylev rylev commented Jun 27, 2025

Authorities can have : in them when they are IPV6 addresses. With the current check it is impossible to use ipv6 addresses as authorities for outgoing http requests.

It's not clear to me why the check was added in the first place, so I might be missing something obvious here why the check is necessary.

@rylev rylev requested a review from a team as a code owner June 27, 2025 09:40
@rylev
Remove the check for ':' when setting authority in wasi-http.
0184030 
Authorities can have `:` in them when they are IPV6 addresses.

Signed-off-by: Ryan Levick <ryan.levick@fermyon.com>
@rylev rylev force-pushed the remove-authority-check branch from abbc16a to 0184030 Compare June 27, 2025 10:31
@rylev rylev requested a review from a team as a code owner June 27, 2025 10:31
@rylev rylev requested review from alexcrichton and removed request for a team June 27, 2025 10:31
@dicej
Copy link
Contributor

dicej commented Jun 27, 2025
edited
Loading

It looks like the check for : was an attempt to validate this:

The HTTP and HTTPS schemes always require an authority. Fails if the string given is not a syntactically valid URI authority.

Presumably, that means it should not contain a port number. So if we update the check to ensure it doesn't end with a colon followed by zero or more digits (e.g. the regex :[0-9]*), that should allow IPv6 addresses but still disallow port numbers. EDIT: Disregard what I wrote. Reading the code more carefully, I see it was not trying to disallow specifying the port. I don't know what it was trying to do 🤷

@badeend
Copy link
Contributor

badeend commented Jun 27, 2025
edited
Loading

From the PR that introduced this check, I can't reverse engineer why this check was added.

The URI authority can include the port. As matter of fact, it is the only way in the wasi-http interface to declare the port number.

Taking the code at face value, I think what it tried to check for is that: when a port is provided it shall be a valid u16. For example: http://bad-port:99999 is syntactically a valid URI authority, but 99999 is not a valid port number.
A better way to write this could be:

if auth.port().is_some() && auth.port_u16().is_none() {
   return Ok(Err(()));
}

Maybe there's still value in keeping such a validation around.

Other than that: I agree with the general sentiment of this PR: http::uri::Authority::from_str alone is likely better equipped to validate URI's than ad-hoc validations in wasmtime itself.

Could you add a test that checks a IPv6 address +/- a port number passes the validation? E.g. "[::]:443"

@rylev
Add test for allowing IPv6 authority
6799844 
Signed-off-by: Ryan Levick <ryan.levick@fermyon.com>
@rylev
Copy link
Contributor Author

rylev commented Jun 27, 2025

FYI: the check suggested of...

if auth.port().is_some() && auth.port_u16().is_none() {
   return Ok(Err(()));
}

... won't work as auth.port() already parses the port as a u16. So if auth.port().is_some() is true - auth.port_u16() will also be Some.

I have pushed a test for ipv6 with and without a port.

@badeend
Copy link
Contributor

badeend commented Jun 27, 2025

Hmm. I see. In that case, I don't know why that check was there.

@alexcrichton alexcrichton added this pull request to the merge queue Jun 27, 2025
Merged via the queue into bytecodealliance:main with commit 1e82443 Jun 27, 2025
41 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@badeend badeend badeend approved these changes

@alexcrichton alexcrichton Awaiting requested review from alexcrichton alexcrichton is a code owner automatically assigned from bytecodealliance/wasmtime-core-reviewers

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rylev @dicej @badeend @alexcrichton