Merge pull request #1933 from fermyon/require-allow-listed-host-redis

Require user to add redis host to list of allowed listed hosts

Author: rylev

Cargo.lock

@@ -16,6 +16,7 @@ itertools = "0.10.3"
 lazy_static = "1.4.0"
 mime_guess = { version = "2.0" }
 outbound-http = { path = "../outbound-http", default-features = false }
+spin-outbound-networking = { path = "../outbound-networking" }
 path-absolutize = "3.0.11"
 regex = "1.5.4"
 reqwest = "0.11.9"
@@ -30,7 +31,7 @@ spin-manifest = { path = "../manifest" }
 tempfile = "3.8.0"
 terminal = { path = "../terminal" }
 thiserror = "1.0.49"
-tokio = { version = "1.23", features = [ "full" ] }
+tokio = { version = "1.23", features = ["full"] }
 tokio-util = "0.6"
 toml = "0.8.2"
 tracing = { workspace = true }
@@ -43,4 +44,4 @@ ui-testing = { path = "../ui-testing" }
 [[test]]
 name = "ui"
 path = "tests/ui.rs"
-harness = false
+harness = false

crates/loader/Cargo.toml

@@ -111,9 +111,14 @@ impl LocalLoader {
         component: v2::Component,
     ) -> Result<LockedComponent> {
         outbound_http::allowed_http_hosts::parse_allowed_http_hosts(&component.allowed_http_hosts)?;
+        if let Some(hosts) = &component.allowed_outbound_hosts {
+            spin_outbound_networking::AllowedHosts::parse(hosts)
+                .context("`allowed_outbound_hosts` is malformed")?;
+        }
         let metadata = ValuesMapBuilder::new()
             .string("description", component.description)
             .string_array("allowed_http_hosts", component.allowed_http_hosts)
+            .string_array_option("allowed_outbound_hosts", component.allowed_outbound_hosts)
             .string_array("key_value_stores", component.key_value_stores)
             .string_array("databases", component.sqlite_databases)
             .string_array("ai_models", component.ai_models)

crates/loader/src/local.rs

@@ -28,7 +28,8 @@
         "allowed_http_hosts": [
           "insecure:allow-all",
           "random-data-api.fermyon.app"
-        ]
+        ],
+        "allowed_outbound_hosts": null
       },
       "source": {
         "content_type": "application/wasm",

crates/loader/tests/ui/insecure-allow-all-with-invalid-url.lock

@@ -32,6 +32,9 @@
   "components": [
     {
       "id": "hello",
+      "metadata": {
+        "allowed_outbound_hosts": null
+      },
       "source": {
         "content_type": "application/wasm",
         "source": "file://<test-dir>/wasm/dummy.wasm"

crates/loader/tests/ui/invalid-manifest-duplicate-id.lock

@@ -49,6 +49,9 @@
   "components": [
     {
       "id": "four-lights",
+      "metadata": {
+        "allowed_outbound_hosts": null
+      },
       "source": {
         "content_type": "application/wasm",
         "source": "file://<test-dir>/wasm/dummy.wasm"
@@ -60,13 +63,19 @@
     },
     {
       "id": "old-test",
+      "metadata": {
+        "allowed_outbound_hosts": null
+      },
       "source": {
         "content_type": "application/wasm",
         "source": "file://<test-dir>/wasm/dummy.wasm"
       }
     },
     {
       "id": "web",
+      "metadata": {
+        "allowed_outbound_hosts": null
+      },
       "source": {
         "content_type": "application/wasm",
         "source": "file://<cache-dir>/spin/registry/wasm/sha256:0000000000000000000000000000000000000000000000000000000000000000"

crates/loader/tests/ui/valid-manifest.lock

@@ -30,6 +30,9 @@
   "components": [
     {
       "id": "fs",
+      "metadata": {
+        "allowed_outbound_hosts": null
+      },
       "source": {
         "content_type": "application/wasm",
         "source": "file://<test-dir>/spin-fs.wasm"

crates/loader/tests/ui/valid-with-files/spin.lock

@@ -31,6 +31,9 @@
   "components": [
     {
       "id": "fs",
+      "metadata": {
+        "allowed_outbound_hosts": null
+      },
       "source": {
         "content_type": "application/wasm",
         "source": "file://<test-dir>/wasm/dummy.wasm"

crates/loader/tests/ui/wagi-custom-entrypoint.lock

@@ -58,6 +58,20 @@ impl ValuesMapBuilder {
         self.entry(key, entries)
     }
 
+    /// Inserts an optional list of strings
+    pub fn string_array_option(
+        &mut self,
+        key: impl Into<String>,
+        value: Option<impl IntoIterator<Item = impl Into<String>>>,
+    ) -> &mut Self {
+        if let Some(value) = value {
+            let entries = value.into_iter().map(|s| s.into()).collect::<Vec<_>>();
+            self.entry(key, entries)
+        } else {
+            self.entry(key, Value::Null)
+        }
+    }
+
     /// Inserts an entry into the map using the value's `impl Into<Value>`.
     pub fn entry(&mut self, key: impl Into<String>, value: impl Into<Value>) -> &mut Self {
         self.0.insert(key.into(), value.into());

crates/locked-app/src/values.rs

@@ -69,6 +69,7 @@ pub fn v1_to_v2_app(manifest: v1::AppManifestV1) -> Result<v2::AppManifest, Erro
                 sqlite_databases,
                 ai_models,
                 build: component.build,
+                allowed_outbound_hosts: component.allowed_outbound_hosts,
             },
         );
         triggers