Add address check for mysql

Signed-off-by: Ryan Levick <[email protected]>

Author: rylev

Cargo.lock

@@ -16,7 +16,9 @@ mysql_async = { version = "0.32.2", default-features = false, features = [
 ] }
 # Removing default features for mysql_common to remove flate2/zlib feature
 mysql_common = { version = "0.30.6", default-features = false }
+spin-app = { path = "../app" }
 spin-core = { path = "../core" }
+spin-outbound-networking = { path = "../outbound-networking" }
 spin-world = { path = "../world" }
 table = { path = "../table" }
 tokio = { version = "1", features = ["rt-multi-thread"] }

crates/outbound-mysql/Cargo.toml

@@ -1,5 +1,6 @@
-use anyhow::Result;
+use anyhow::{Context, Result};
 use mysql_async::{consts::ColumnType, from_value_opt, prelude::*, Opts, OptsBuilder, SslOpts};
+use spin_app::DynamicHostComponent;
 use spin_core::wasmtime::component::Resource;
 use spin_core::{async_trait, HostComponent};
 use spin_world::v1::mysql as v1;
@@ -12,6 +13,7 @@ use url::Url;
 /// A simple implementation to support outbound mysql connection
 #[derive(Default)]
 pub struct OutboundMysql {
+    allowed_hosts: Option<spin_outbound_networking::AllowedHosts>,
     pub connections: table::Table<mysql_async::Conn>,
 }
 
@@ -24,6 +26,10 @@ impl OutboundMysql {
             .get_mut(connection.rep())
             .ok_or_else(|| v2::Error::ConnectionFailed("no connection found".into()))
     }
+
+    fn is_address_allowed(&self, address: &str, default: bool) -> bool {
+        spin_outbound_networking::check_address(address, "mysql", &self.allowed_hosts, default)
+    }
 }
 
 impl HostComponent for OutboundMysql {
@@ -42,11 +48,33 @@ impl HostComponent for OutboundMysql {
     }
 }
 
+impl DynamicHostComponent for OutboundMysql {
+    fn update_data(
+        &self,
+        data: &mut Self::Data,
+        component: &spin_app::AppComponent,
+    ) -> anyhow::Result<()> {
+        let hosts = component
+            .get_metadata(spin_outbound_networking::ALLOWED_HOSTS_KEY)?
+            .unwrap_or_default();
+        data.allowed_hosts = hosts
+            .map(|h| spin_outbound_networking::AllowedHosts::parse(&h[..]))
+            .transpose()
+            .context("`allowed_outbound_hosts` contained an invalid url")?;
+        Ok(())
+    }
+}
+
 impl v2::Host for OutboundMysql {}
 
 #[async_trait]
 impl v2::HostConnection for OutboundMysql {
     async fn open(&mut self, address: String) -> Result<Result<Resource<Connection>, v2::Error>> {
+        if !self.is_address_allowed(&address, false) {
+            return Ok(Err(v2::Error::ConnectionFailed(format!(
+                "address {address} is not permitted"
+            ))));
+        }
         Ok(async {
             self.connections
                 .push(
@@ -125,6 +153,11 @@ impl v2::HostConnection for OutboundMysql {
 /// Delegate a function call to the v2::HostConnection implementation
 macro_rules! delegate {
     ($self:ident.$name:ident($address:expr, $($arg:expr),*)) => {{
+        if !$self.is_address_allowed(&$address, true) {
+            return Ok(Err(v1::MysqlError::ConnectionFailed(format!(
+                "address {} is not permitted", $address
+            ))));
+        }
         let connection = match <Self as v2::HostConnection>::open($self, $address).await? {
             Ok(c) => c,
             Err(e) => return Ok(Err(e.into())),

crates/outbound-mysql/src/lib.rs

@@ -6,4 +6,6 @@ edition.workspace = true
 
 [dependencies]
 anyhow = "1.0"
+spin-locked-app = { path = "../locked-app" }
+terminal = { path = "../terminal" }
 url = "2.4.1"

crates/outbound-networking/Cargo.toml

@@ -1,6 +1,40 @@
 use anyhow::Context;
+use spin_locked_app::MetadataKey;
 use url::Url;
 
+pub const ALLOWED_HOSTS_KEY: MetadataKey<Option<Vec<String>>> =
+    MetadataKey::new("allowed_outbound_hosts");
+
+/// Checks address against allowed hosts
+///
+/// Emits several warnings
+pub fn check_address(
+    address: &str,
+    scheme: &str,
+    allowed_hosts: &Option<AllowedHosts>,
+    default: bool,
+) -> bool {
+    let Ok(url) = parse_url_with_host(address, scheme) else {
+        terminal::warn!(
+                "A component tried to make a request to an address that could not be parsed as a url {address:?}."
+            );
+        return false;
+    };
+    let is_allowed = if let Some(allowed_hosts) = allowed_hosts {
+        allowed_hosts.allows(url.clone())
+    } else {
+        default
+    };
+
+    if !is_allowed {
+        terminal::warn!("A component tried to make a request to non-allowed address {address:?}.");
+        if let (Some(host), Some(port)) = (url.host_str(), url.port_or_known_default()) {
+            eprintln!("To allow requests, add 'allowed_outbound_hosts = '[\"{host}:{port}\"]' to the manifest component section.");
+        }
+    }
+    is_allowed
+}
+
 /// Try to parse the url that may or not include the provided scheme.
 ///
 /// If the parsing fails, the url is appended with the scheme and parsing

crates/outbound-networking/src/lib.rs

@@ -12,10 +12,8 @@ anyhow = "1.0"
 redis = { version = "0.21", features = ["tokio-comp", "tokio-native-tls-comp"] }
 spin-app = { path = "../app" }
 spin-core = { path = "../core" }
-spin-locked-app = { path = "../locked-app" }
 spin-world = { path = "../world" }
 spin-outbound-networking = { path = "../outbound-networking" }
 table = { path = "../table" }
 tokio = { version = "1", features = ["sync"] }
 tracing = { workspace = true }
-terminal = { path = "../terminal" }

crates/outbound-redis/Cargo.toml

@@ -28,7 +28,7 @@ impl DynamicHostComponent for OutboundRedisComponent {
         component: &spin_app::AppComponent,
     ) -> anyhow::Result<()> {
         let hosts = component
-            .get_metadata(crate::ALLOWED_HOSTS_KEY)?
+            .get_metadata(spin_outbound_networking::ALLOWED_HOSTS_KEY)?
             .unwrap_or_default();
         data.allowed_hosts = hosts
             .map(|h| spin_outbound_networking::AllowedHosts::parse(&h[..]))

crates/outbound-redis/src/host_component.rs

@@ -3,15 +3,11 @@ mod host_component;
 use anyhow::Result;
 use redis::{aio::Connection, AsyncCommands, FromRedisValue, Value};
 use spin_core::{async_trait, wasmtime::component::Resource};
-use spin_locked_app::MetadataKey;
 use spin_world::v1::redis as v1;
 use spin_world::v2::redis::{
     self as v2, Connection as RedisConnection, Error, RedisParameter, RedisResult,
 };
 
-pub const ALLOWED_HOSTS_KEY: MetadataKey<Option<Vec<String>>> =
-    MetadataKey::new("allowed_outbound_hosts");
-
 pub use host_component::OutboundRedisComponent;
 
 struct RedisResults(Vec<RedisResult>);
@@ -50,27 +46,7 @@ impl Default for OutboundRedis {
 
 impl OutboundRedis {
     fn is_address_allowed(&self, address: &str, default: bool) -> bool {
-        let Ok(url) = spin_outbound_networking::parse_url_with_host(address, "redis") else {
-            terminal::warn!(
-                "A component tried to make a request to an address that could not be parsed as a url {address:?}."
-            );
-            return false;
-        };
-        let is_allowed = if let Some(allowed_hosts) = &self.allowed_hosts {
-            allowed_hosts.allows(url.clone())
-        } else {
-            default
-        };
-
-        if !is_allowed {
-            terminal::warn!(
-                "A component tried to make a request to non-allowed address {address:?}."
-            );
-            if let (Some(host), Some(port)) = (url.host_str(), url.port_or_known_default()) {
-                eprintln!("To allow requests, add 'allowed_outbound_hosts = '[\"{host}:{port}\"]' to the manifest component section.");
-            }
-        }
-        is_allowed
+        spin_outbound_networking::check_address(address, "redis", &self.allowed_hosts, default)
     }
 
     async fn establish_connection(

crates/outbound-redis/src/lib.rs

@@ -113,11 +113,14 @@ impl<Executor: TriggerExecutor> TriggerExecutorBuilder<Executor> {
             if !self.disable_default_host_components {
                 builder.link_import(|l, _| wasmtime_wasi_http::proxy::add_to_linker(l))?;
                 builder.add_host_component(outbound_pg::OutboundPg::default())?;
-                builder.add_host_component(outbound_mysql::OutboundMysql::default())?;
                 self.loader.add_dynamic_host_component(
                     &mut builder,
                     outbound_redis::OutboundRedisComponent,
                 )?;
+                self.loader.add_dynamic_host_component(
+                    &mut builder,
+                    outbound_mysql::OutboundMysql::default(),
+                )?;
                 self.loader.add_dynamic_host_component(
                     &mut builder,
                     runtime_config::llm::build_component(&runtime_config, init_data.llm.use_gpu)

crates/trigger/src/lib.rs

@@ -13,5 +13,6 @@ component = "rust-outbound-mysql"
 [component.rust-outbound-mysql]
 environment = { DB_URL = "mysql://spin:[email protected]/spin_dev" }
 source = "target/wasm32-wasi/release/rust_outbound_mysql.wasm"
+allowed_outbound_hosts = ["127.0.0.1:3306"]
 [component.rust-outbound-mysql.build]
 command = "cargo build --target wasm32-wasi --release"