heel 0.1.1

Cross-platform native sandboxing library for running untrusted code
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206

use std::collections::HashSet;
use std::future::Future;
use std::marker::PhantomData;

/// Direction of a network connection
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ConnectionDirection {
    Inbound,
    Outbound,
}

/// Information about a network access request
#[derive(Debug, Clone)]
pub struct DomainRequest {
    target: String,
    port: u16,
    direction: ConnectionDirection,
    pid: u32,
}

impl DomainRequest {
    /// Create a new domain request.
    pub fn new(target: String, port: u16, direction: ConnectionDirection, pid: u32) -> Self {
        Self {
            target,
            port,
            direction,
            pid,
        }
    }

    /// The domain or IP being accessed
    pub fn target(&self) -> &str {
        &self.target
    }

    /// The port number
    pub fn port(&self) -> u16 {
        self.port
    }

    /// The direction of the connection
    pub fn direction(&self) -> ConnectionDirection {
        self.direction
    }

    /// The process ID making the request
    pub fn pid(&self) -> u32 {
        self.pid
    }
}

/// Async network policy trait - determines if a connection is allowed
pub trait NetworkPolicy: Send + Sync + 'static {
    /// Check if a network request should be allowed
    fn check(&self, request: &DomainRequest) -> impl Future<Output = bool> + Send;
}

/// Deny all network access (default policy)
#[derive(Debug, Clone, Copy, Default)]
pub struct DenyAll;

impl NetworkPolicy for DenyAll {
    async fn check(&self, _request: &DomainRequest) -> bool {
        false
    }
}

/// Allow all network access
#[derive(Debug, Clone, Copy)]
pub struct AllowAll;

impl NetworkPolicy for AllowAll {
    async fn check(&self, _request: &DomainRequest) -> bool {
        true
    }
}

/// Allow access to specific domains only
pub struct AllowList {
    allowed: HashSet<String>,
}

impl AllowList {
    /// Create a new allow list from an iterator of domains
    pub fn new(domains: impl IntoIterator<Item = impl Into<String>>) -> Self {
        Self {
            allowed: domains.into_iter().map(Into::into).collect(),
        }
    }

    /// Check if a domain matches the allow list
    fn matches(&self, target: &str) -> bool {
        // Exact match
        if self.allowed.contains(target) {
            return true;
        }

        // Subdomain match (e.g., "api.example.com" matches "*.example.com")
        for allowed in &self.allowed {
            if allowed.starts_with("*.") {
                let suffix = &allowed[1..]; // ".example.com"
                if target.ends_with(suffix) {
                    return true;
                }
            }
        }

        false
    }
}

impl NetworkPolicy for AllowList {
    async fn check(&self, request: &DomainRequest) -> bool {
        self.matches(request.target())
    }
}

/// Custom async policy with user-provided handler function
pub struct CustomPolicy<F, Fut>
where
    F: Fn(&DomainRequest) -> Fut + Send + Sync + 'static,
    Fut: Future<Output = bool> + Send + 'static,
{
    handler: F,
    _marker: PhantomData<fn() -> Fut>,
}

impl<F, Fut> CustomPolicy<F, Fut>
where
    F: Fn(&DomainRequest) -> Fut + Send + Sync + 'static,
    Fut: Future<Output = bool> + Send + 'static,
{
    /// Create a new custom policy with the given handler function
    pub fn new(handler: F) -> Self {
        Self {
            handler,
            _marker: PhantomData,
        }
    }
}

impl<F, Fut> NetworkPolicy for CustomPolicy<F, Fut>
where
    F: Fn(&DomainRequest) -> Fut + Send + Sync + 'static,
    Fut: Future<Output = bool> + Send + 'static,
{
    async fn check(&self, request: &DomainRequest) -> bool {
        (self.handler)(request).await
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_deny_all() {
        smol::block_on(async {
            let policy = DenyAll;
            let request = DomainRequest::new(
                "example.com".to_string(),
                443,
                ConnectionDirection::Outbound,
                1234,
            );

            assert!(!policy.check(&request).await);
        });
    }

    #[test]
    fn test_allow_all() {
        smol::block_on(async {
            let policy = AllowAll;
            let request = DomainRequest::new(
                "example.com".to_string(),
                443,
                ConnectionDirection::Outbound,
                1234,
            );

            assert!(policy.check(&request).await);
        });
    }

    #[test]
    fn test_allow_list_exact() {
        let policy = AllowList::new(["example.com", "api.test.com"]);

        assert!(policy.matches("example.com"));
        assert!(policy.matches("api.test.com"));
        assert!(!policy.matches("other.com"));
        assert!(!policy.matches("sub.example.com"));
    }

    #[test]
    fn test_allow_list_wildcard() {
        let policy = AllowList::new(["*.example.com"]);

        assert!(policy.matches("api.example.com"));
        assert!(policy.matches("sub.api.example.com"));
        assert!(!policy.matches("example.com")); // Exact domain not matched by wildcard
        assert!(!policy.matches("other.com"));
    }
}