Require user to add redis host to list of allowed listed hosts

Signed-off-by: Ryan Levick <[email protected]>

Author: rylev

Cargo.lock

@@ -114,6 +114,7 @@ impl LocalLoader {
         let metadata = ValuesMapBuilder::new()
             .string("description", component.description)
             .string_array("allowed_http_hosts", component.allowed_http_hosts)
+            .string_array("allowed_redis_hosts", component.allowed_redis_hosts)
             .string_array("key_value_stores", component.key_value_stores)
             .string_array("databases", component.sqlite_databases)
             .string_array("ai_models", component.ai_models)

crates/loader/src/local.rs

@@ -69,6 +69,7 @@ pub fn v1_to_v2_app(manifest: v1::AppManifestV1) -> Result<v2::AppManifest, Erro
                 sqlite_databases,
                 ai_models,
                 build: component.build,
+                allowed_redis_hosts: component.allowed_redis_hosts,
             },
         );
         triggers

crates/manifest/src/compat.rs

@@ -78,6 +78,9 @@ pub struct ComponentV1 {
     /// `allowed_http_hosts = ["example.com"]`
     #[serde(default)]
     pub allowed_http_hosts: Vec<String>,
+    /// `allowed_redis_hosts` = ["redis://redis.com:6379"]`
+    #[serde(default)]
+    pub allowed_redis_hosts: Vec<String>,
     /// `key_value_stores = ["default"]`
     #[serde(default)]
     pub key_value_stores: Vec<String>,

crates/manifest/src/schema/v1.rs

@@ -102,6 +102,9 @@ pub struct Component {
     /// `allowed_http_hosts = ["example.com"]`
     #[serde(default, skip_serializing_if = "Vec::is_empty")]
     pub allowed_http_hosts: Vec<String>,
+    /// `allowed_redis_hosts = ["myredishost.com"]`
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub allowed_redis_hosts: Vec<String>,
     /// `key_value_stores = ["default"]`
     #[serde(default, skip_serializing_if = "Vec::is_empty")]
     pub key_value_stores: Vec<SnakeId>,

crates/manifest/src/schema/v2.rs

@@ -10,8 +10,11 @@ doctest = false
 [dependencies]
 anyhow = "1.0"
 redis = { version = "0.21", features = ["tokio-comp", "tokio-native-tls-comp"] }
+spin-app = { path = "../app" }
 spin-core = { path = "../core" }
+spin-locked-app = { path = "../locked-app" }
 spin-world = { path = "../world" }
 table = { path = "../table" }
 tokio = { version = "1", features = ["sync"] }
 tracing = { workspace = true }
+terminal = { path = "../terminal" }

crates/outbound-redis/Cargo.toml

@@ -1,3 +1,4 @@
+use spin_app::DynamicHostComponent;
 use spin_core::HostComponent;
 
 use crate::OutboundRedis;
@@ -18,3 +19,17 @@ impl HostComponent for OutboundRedisComponent {
         Default::default()
     }
 }
+
+impl DynamicHostComponent for OutboundRedisComponent {
+    fn update_data(
+        &self,
+        data: &mut Self::Data,
+        component: &spin_app::AppComponent,
+    ) -> anyhow::Result<()> {
+        let hosts = component
+            .get_metadata(crate::ALLOWED_REDIS_HOSTS_KEY)?
+            .unwrap_or_default();
+        data.allowed_hosts.extend(hosts);
+        Ok(())
+    }
+}

crates/outbound-redis/src/host_component.rs

@@ -1,11 +1,17 @@
 mod host_component;
 
+use std::collections::HashSet;
+
 use anyhow::Result;
 use redis::{aio::Connection, AsyncCommands, FromRedisValue, Value};
 use spin_core::{async_trait, wasmtime::component::Resource};
+use spin_locked_app::MetadataKey;
 use spin_world::v1::redis::{self as v1, RedisParameter, RedisResult};
 use spin_world::v2::redis::{self as v2, Connection as RedisConnection, Error};
 
+pub const ALLOWED_REDIS_HOSTS_KEY: MetadataKey<Vec<String>> =
+    MetadataKey::new("allowed_redis_hosts");
+
 pub use host_component::OutboundRedisComponent;
 
 struct RedisResults(Vec<RedisResult>);
@@ -29,22 +35,24 @@ impl FromRedisValue for RedisResults {
 }
 
 pub struct OutboundRedis {
+    allowed_hosts: HashSet<String>,
     connections: table::Table<Connection>,
 }
 
 impl Default for OutboundRedis {
     fn default() -> Self {
         Self {
+            allowed_hosts: Default::default(),
             connections: table::Table::new(1024),
         }
     }
 }
 
-impl v2::Host for OutboundRedis {}
-
-#[async_trait]
-impl v2::HostConnection for OutboundRedis {
-    async fn open(&mut self, address: String) -> Result<Result<Resource<RedisConnection>, Error>> {
+impl OutboundRedis {
+    async fn establish_connection(
+        &mut self,
+        address: String,
+    ) -> Result<Result<Resource<RedisConnection>, Error>> {
         Ok(async {
             let conn = redis::Client::open(address.as_str())
                 .map_err(|_| Error::InvalidAddress)?
@@ -58,6 +66,23 @@ impl v2::HostConnection for OutboundRedis {
         }
         .await)
     }
+}
+
+impl v2::Host for OutboundRedis {}
+
+#[async_trait]
+impl v2::HostConnection for OutboundRedis {
+    async fn open(&mut self, address: String) -> Result<Result<Resource<RedisConnection>, Error>> {
+        if !self.allowed_hosts.contains(&address) {
+            terminal::warn!(
+                "A component tried to make a HTTP request to non-allowed address '{address}'."
+            );
+            eprintln!("To allow requests, add 'allowed_redis_hosts = [\"{address}\"]' to the manifest component section.");
+            return Ok(Err(Error::InvalidAddress));
+        }
+
+        self.establish_connection(address).await
+    }
 
     async fn publish(
         &mut self,
@@ -214,7 +239,7 @@ fn other_error(e: impl std::fmt::Display) -> Error {
 /// Delegate a function call to the v2::HostConnection implementation
 macro_rules! delegate {
     ($self:ident.$name:ident($address:expr, $($arg:expr),*)) => {{
-        let connection = match <Self as v2::HostConnection>::open($self, $address).await? {
+        let connection = match $self.establish_connection($address).await? {
             Ok(c) => c,
             Err(_) => return Ok(Err(v1::Error::Error)),
         };

crates/outbound-redis/src/lib.rs

@@ -112,9 +112,12 @@ impl<Executor: TriggerExecutor> TriggerExecutorBuilder<Executor> {
 
             if !self.disable_default_host_components {
                 builder.link_import(|l, _| wasmtime_wasi_http::proxy::add_to_linker(l))?;
-                builder.add_host_component(outbound_redis::OutboundRedisComponent)?;
                 builder.add_host_component(outbound_pg::OutboundPg::default())?;
                 builder.add_host_component(outbound_mysql::OutboundMysql::default())?;
+                self.loader.add_dynamic_host_component(
+                    &mut builder,
+                    outbound_redis::OutboundRedisComponent,
+                )?;
                 self.loader.add_dynamic_host_component(
                     &mut builder,
                     runtime_config::llm::build_component(&runtime_config, init_data.llm.use_gpu)

crates/trigger/src/lib.rs

@@ -8,6 +8,7 @@ version = "0.1.0"
 environment = { REDIS_ADDRESS = "redis://127.0.0.1:6379", REDIS_CHANNEL = "messages" }
 id = "outbound-redis"
 source = "target/wasm32-wasi/release/rust_outbound_redis.wasm"
+allowed_redis_hosts = ["redis://127.0.0.1:6379"]
 [component.trigger]
 route = "/publish"
 [component.build]