mlua-batteries 0.3.0

Batteries-included standard library modules for mlua
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156

//! HTTP URL access policy.

use super::{PolicyError, Unrestricted};

/// Policy that decides whether a given URL may be accessed.
///
/// Every function in the `http` module calls [`HttpPolicy::check_url`]
/// before making a request.
///
/// # Built-in implementations
///
/// | Type | Behaviour |
/// |------|-----------|
/// | [`Unrestricted`] | No checks (default) |
/// | [`HttpAllowList`] | Allow only listed host patterns |
///
/// # Custom implementations
///
/// ```rust,no_run
/// use mlua_batteries::policy::{HttpPolicy, PolicyError};
///
/// struct BlockInternal;
///
/// impl HttpPolicy for BlockInternal {
///     fn check_url(&self, url: &str, method: &str) -> Result<(), PolicyError> {
///         if url.contains("169.254.") || url.contains("localhost") {
///             Err(PolicyError::new(format!("{method} denied: internal URL '{url}'")))
///         } else {
///             Ok(())
///         }
///     }
/// }
/// ```
pub trait HttpPolicy: Send + Sync + 'static {
    /// Human-readable name for this policy, used in `Debug` output.
    ///
    /// The default implementation returns [`std::any::type_name`] of the
    /// concrete type, which works correctly even through trait objects
    /// because the vtable dispatches to the concrete implementation.
    fn policy_name(&self) -> &'static str {
        std::any::type_name::<Self>()
    }

    /// Validate `url` for `method` (e.g. "GET", "POST").
    ///
    /// Return `Ok(())` to allow, `Err(reason)` to deny.
    fn check_url(&self, url: &str, method: &str) -> Result<(), PolicyError>;
}

impl HttpPolicy for Unrestricted {
    fn check_url(&self, _url: &str, _method: &str) -> Result<(), PolicyError> {
        Ok(())
    }
}

/// Allow only requests to hosts matching the given patterns.
///
/// Matching is performed against the **host portion** of the URL only.
/// The URL is parsed to extract the host (stripping scheme, userinfo,
/// port, path, query, and fragment) before matching.
///
/// Patterns are matched as exact or suffix of the host — e.g.
/// `"example.com"` matches `https://example.com/path` and
/// `https://api.example.com/path` but does **not** match
/// `https://notexample.com/path` or `https://evil.com/?ref=example.com`.
///
/// # Security
///
/// Previous versions matched against the full URL string, which allowed
/// bypass via query parameters or path segments. This implementation
/// extracts the host and matches only against it.
///
/// ```rust,no_run
/// use mlua_batteries::policy::HttpAllowList;
///
/// let policy = HttpAllowList::new(["api.example.com", "httpbin.org"]);
/// ```
#[derive(Debug)]
pub struct HttpAllowList {
    allowed_hosts: Vec<String>,
}

impl HttpAllowList {
    /// Create an allow-list from host patterns.
    pub fn new<I, S>(hosts: I) -> Self
    where
        I: IntoIterator<Item = S>,
        S: Into<String>,
    {
        Self {
            allowed_hosts: hosts.into_iter().map(Into::into).collect(),
        }
    }
}

impl HttpPolicy for HttpAllowList {
    fn check_url(&self, url: &str, method: &str) -> Result<(), PolicyError> {
        let host = extract_url_host(url).unwrap_or("");
        if self
            .allowed_hosts
            .iter()
            .any(|pattern| host_matches(host, pattern))
        {
            Ok(())
        } else {
            Err(PolicyError::new(format!(
                "{method} denied: URL '{url}' does not match any allowed host"
            )))
        }
    }
}

/// Check if `host` matches `pattern` by exact match or as a subdomain.
///
/// `"example.com"` matches `"example.com"` and `"sub.example.com"`
/// but **not** `"notexample.com"`.
///
/// Uses zero-allocation byte comparison instead of `format!`.
fn host_matches(host: &str, pattern: &str) -> bool {
    host == pattern
        || (host.len() > pattern.len()
            && host.as_bytes()[host.len() - pattern.len() - 1] == b'.'
            && host.ends_with(pattern))
}

/// Extract the host portion from a URL string.
///
/// Handles the standard URL format: `scheme://[userinfo@]host[:port]/path...`
///
/// - Strips scheme (`http://`, `https://`)
/// - Strips userinfo (`user:pass@`)
/// - Strips port (`:8080`)
/// - Strips path, query, and fragment
/// - Handles IPv6 addresses (`[::1]`)
///
/// Returns `None` if the URL has no `://` separator.
pub(super) fn extract_url_host(url: &str) -> Option<&str> {
    let after_scheme = url.find("://").map(|i| i + 3)?;
    let rest = &url[after_scheme..];

    // Authority ends at the first `/`, `?`, or `#`
    let authority_end = rest.find(['/', '?', '#']).unwrap_or(rest.len());
    let authority = &rest[..authority_end];

    // Strip userinfo (everything before the last `@`)
    let host_start = authority.rfind('@').map(|i| i + 1).unwrap_or(0);
    let host_part = &authority[host_start..];

    if host_part.starts_with('[') {
        // IPv6: [::1]:8080 → ::1
        host_part.find(']').map(|i| &host_part[1..i])
    } else {
        // Strip port: example.com:8080 → example.com
        Some(host_part.split(':').next().unwrap_or(host_part))
    }
}