heel 0.1.1

Cross-platform native sandboxing library for running untrusted code
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101

//! Test network proxy filtering with AllowList policy
//!
//! This example demonstrates how to create a sandbox with network filtering
//! that only allows access to specific domains.

use heel::{AllowList, Result, Sandbox, SandboxConfig};

#[tokio::main]
async fn main() -> Result<()> {
    tracing_subscriber::fmt::init();

    // Create an AllowList policy that only allows httpbin.org
    let policy = AllowList::new(["httpbin.org", "*.httpbin.org"]);

    // Create sandbox with the network policy
    let config = SandboxConfig::builder().network(policy).build()?;

    let sandbox = Sandbox::with_config(config).await?;
    println!("Sandbox created with proxy at: {}", sandbox.proxy_url());

    // Test with curl using the proxy (via sandbox command)
    println!("\n--- Testing allowed domain (httpbin.org) ---");
    let output = sandbox
        .command("curl")
        .args([
            "-s",
            "-o",
            "/dev/null",
            "-w",
            "%{http_code}",
            "http://httpbin.org/get",
        ])
        .output()
        .await?;
    println!(
        "httpbin.org result: exit={}, http_code={}",
        output.status,
        String::from_utf8_lossy(&output.stdout)
    );

    println!("\n--- Testing blocked domain (example.com) ---");
    let output = sandbox
        .command("curl")
        .args([
            "-s",
            "-o",
            "/dev/null",
            "-w",
            "%{http_code}",
            "http://example.com",
        ])
        .output()
        .await?;
    println!(
        "example.com result: exit={}, http_code={}",
        output.status,
        String::from_utf8_lossy(&output.stdout)
    );

    println!("\n--- Testing HTTPS to allowed domain ---");
    let output = sandbox
        .command("curl")
        .args([
            "-s",
            "-o",
            "/dev/null",
            "-w",
            "%{http_code}",
            "https://httpbin.org/get",
        ])
        .output()
        .await?;
    println!(
        "HTTPS httpbin.org: exit={}, http_code={}",
        output.status,
        String::from_utf8_lossy(&output.stdout)
    );

    println!("\n--- Testing HTTPS to blocked domain ---");
    let output = sandbox
        .command("curl")
        .args([
            "-s",
            "-o",
            "/dev/null",
            "-w",
            "%{http_code}",
            "https://example.com",
        ])
        .output()
        .await?;
    println!(
        "HTTPS example.com: exit={}, http_code={}",
        output.status,
        String::from_utf8_lossy(&output.stdout)
    );

    println!("\nSandbox will be dropped (proxy stops, working dir cleaned)");

    Ok(())
}