feat: enable wasi socket connections to hosts listed in allowed_hosts

2026-01-12 07:18:02 -05:00 · 2024-06-05 13:00:02 -07:00
1 changed files with 21 additions and 3 deletions
--- a/runtime/src/current_plugin.rs
+++ b/runtime/src/current_plugin.rs
@@ -314,9 +314,9 @@ impl CurrentPlugin {
            let mut ctx = wasmtime_wasi::WasiCtxBuilder::new();

            // Disable sockets/DNS lookup
-            ctx.allow_ip_name_lookup(false)
-                .allow_tcp(false)
-                .allow_udp(false)
+            ctx.allow_ip_name_lookup(true)
+                .allow_tcp(true)
+                .allow_udp(true)
                .allow_blocking_current_thread(true);

            if let Some(a) = &manifest.allowed_paths {
@@ -330,6 +330,24 @@ impl CurrentPlugin {
                }
            }

+            if let Some(h) = &manifest.allowed_hosts {
+                let h = h.clone();
+                ctx.socket_addr_check(move |addr, _kind| {
+                    for host in h.iter() {
+                        let addrs = std::net::ToSocketAddrs::to_socket_addrs(&host);
+                        if let Ok(addrs) = addrs {
+                            for a in addrs.into_iter() {
+                                if addr == &a {
+                                    return true;
+                                }
+                            }
+                        }
+                    }
+
+                    false
+                });
+            }
+
            // Enable WASI output, typically used for debugging purposes
            if std::env::var("EXTISM_ENABLE_WASI_OUTPUT").is_ok() {
                ctx.inherit_stdout().inherit_stderr();