zendriver-interception 0.3.2

Network interception (Fetch.* CDP domain) for zendriver
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242

//! Host-set matcher for the tracker/fingerprinter blocklist.
//!
//! [`HostMatcher`] holds a set of domain names and answers [`is_blocked`]
//! queries with a suffix-on-dot walk: `a.b.evil.com` is blocked if
//! `evil.com` (or any ancestor) is in the set.
//!
//! [`host_of`] extracts the host component from a raw URL string without
//! requiring a URL-parsing dependency — it handles the common `scheme://host`
//! prefix and strips any trailing port + path.
//!
//! [`is_blocked`]: HostMatcher::is_blocked

use std::collections::HashSet;

/// A compiled set of blocked host names with subdomain-walk semantics.
///
/// Constructed once from a domain list, then shared (via [`Arc`]) across
/// rule evaluations per request.
///
/// [`Arc`]: std::sync::Arc
#[derive(Debug, Clone)]
pub struct HostMatcher {
    /// Canonicalized (ASCII-lowercased) host names.
    blocked: HashSet<String>,
}

impl HostMatcher {
    /// Build a matcher from an iterator of domain strings.
    ///
    /// Each entry is lowercased and leading/trailing whitespace stripped.
    /// Blank entries and those starting with `#` (comments) are silently
    /// ignored so the caller can pass lines from a plain-text host list
    /// directly.
    pub fn new(domains: impl IntoIterator<Item = String>) -> Self {
        let blocked = domains
            .into_iter()
            .map(|s| s.trim().trim_end_matches('.').to_ascii_lowercase())
            .filter(|s| !s.is_empty() && !s.starts_with('#'))
            .collect();
        Self { blocked }
    }

    /// Number of distinct blocked host names.
    pub fn len(&self) -> usize {
        self.blocked.len()
    }

    /// Returns `true` if no hosts are blocked.
    pub fn is_empty(&self) -> bool {
        self.blocked.is_empty()
    }

    /// Returns `true` if `host` is blocked.
    ///
    /// Matching is suffix-on-dot: `a.b.evil.com` is blocked when `evil.com`
    /// (or any ancestor up to the bare root) is in the set.
    ///
    /// - Exact match first.
    /// - Then strips the leftmost label repeatedly until a match or exhausted.
    ///
    /// `host` is compared case-insensitively.
    pub fn is_blocked(&self, host: &str) -> bool {
        let host = host.trim().trim_end_matches('.').to_ascii_lowercase();
        let mut cursor: &str = &host;
        loop {
            if self.blocked.contains(cursor) {
                return true;
            }
            // Strip the leftmost label (up to and including the first dot).
            match cursor.find('.') {
                Some(pos) => cursor = &cursor[pos + 1..],
                None => return false,
            }
        }
    }
}

/// Extract the host component from a raw URL string.
///
/// Handles the common `scheme://authority/path` form: strips everything up
/// to and including `://`, then takes the authority portion (up to the first
/// `/`, `?`, or `#`). Trims a trailing port (`:NNN`).
///
/// Returns `None` when no `://` separator is present (malformed or
/// non-standard URL).
pub fn host_of(url: &str) -> Option<&str> {
    // Find scheme-authority boundary.
    let after_scheme = url.split_once("://")?.1;
    // Authority ends at the first `/`, `?`, or `#`.
    let authority = match after_scheme.find(['/', '?', '#']) {
        Some(pos) => &after_scheme[..pos],
        None => after_scheme,
    };
    // Strip userinfo (`user:pass@host`).
    let host_and_port = match authority.rfind('@') {
        Some(pos) => &authority[pos + 1..],
        None => authority,
    };
    // Strip port, but be careful with IPv6 literals like `[::1]:8080`.
    let host = if host_and_port.starts_with('[') {
        // IPv6: authority is `[addr]` or `[addr]:port` — keep the brackets.
        match host_and_port.find(']') {
            Some(pos) => &host_and_port[..=pos],
            None => host_and_port,
        }
    } else {
        match host_and_port.rfind(':') {
            Some(pos) => &host_and_port[..pos],
            None => host_and_port,
        }
    };
    Some(host)
}

#[cfg(test)]
#[allow(clippy::panic, clippy::unwrap_used)]
mod tests {
    use super::*;

    // --- HostMatcher ----------------------------------------------------------

    #[test]
    fn exact_match_blocked() {
        let m = HostMatcher::new(["evil.com".to_string()]);
        assert!(m.is_blocked("evil.com"));
    }

    #[test]
    fn subdomain_of_listed_domain_is_blocked() {
        let m = HostMatcher::new(["evil.com".to_string()]);
        assert!(m.is_blocked("tracker.evil.com"));
        assert!(m.is_blocked("a.b.tracker.evil.com"));
    }

    #[test]
    fn unrelated_host_not_blocked() {
        let m = HostMatcher::new(["evil.com".to_string()]);
        assert!(!m.is_blocked("good.com"));
        assert!(!m.is_blocked("notevil.com"));
        // suffix match must be on a dot boundary
        assert!(!m.is_blocked("totallyevil.com"));
    }

    #[test]
    fn bare_root_in_set_blocks_all_subdomains() {
        // if someone lists a TLD or bare root (unusual but valid)
        let m = HostMatcher::new(["example.com".to_string()]);
        assert!(m.is_blocked("example.com"));
        assert!(m.is_blocked("sub.example.com"));
    }

    #[test]
    fn case_insensitive_match() {
        let m = HostMatcher::new(["Evil.Com".to_string()]);
        assert!(m.is_blocked("EVIL.COM"));
        assert!(m.is_blocked("Tracker.Evil.Com"));
    }

    #[test]
    fn empty_matcher_blocks_nothing() {
        let m = HostMatcher::new(std::iter::empty());
        assert!(!m.is_blocked("evil.com"));
    }

    #[test]
    fn comment_and_blank_lines_ignored() {
        let lines = vec![
            "# this is a comment".to_string(),
            "".to_string(),
            "  ".to_string(),
            "tracker.example.com".to_string(),
            "# another comment".to_string(),
        ];
        let m = HostMatcher::new(lines);
        assert!(m.is_blocked("tracker.example.com"));
        assert!(!m.is_blocked("example.com")); // only the exact entry, not parent
    }

    #[test]
    fn single_label_host_no_infinite_loop() {
        // A host with no dot should not match and must not loop forever.
        let m = HostMatcher::new(["localhost".to_string()]);
        assert!(m.is_blocked("localhost"));
        // A different single-label host misses cleanly.
        assert!(!m.is_blocked("otherhost"));
    }

    // --- host_of --------------------------------------------------------------

    #[test]
    fn host_of_simple_url() {
        assert_eq!(host_of("https://example.com/path"), Some("example.com"));
    }

    #[test]
    fn host_of_with_port() {
        assert_eq!(host_of("http://example.com:8080/path"), Some("example.com"));
    }

    #[test]
    fn host_of_no_path() {
        assert_eq!(host_of("https://example.com"), Some("example.com"));
    }

    #[test]
    fn host_of_with_query() {
        assert_eq!(host_of("https://example.com?foo=bar"), Some("example.com"));
    }

    #[test]
    fn host_of_with_fragment() {
        assert_eq!(host_of("https://example.com#section"), Some("example.com"));
    }

    #[test]
    fn host_of_missing_scheme_separator() {
        assert_eq!(host_of("not-a-url"), None);
    }

    #[test]
    fn host_of_ipv6() {
        assert_eq!(host_of("https://[::1]:443/path"), Some("[::1]"));
    }

    #[test]
    fn host_of_with_userinfo() {
        assert_eq!(
            host_of("https://user:pass@example.com/path"),
            Some("example.com")
        );
    }

    // --- Integration: host_of + HostMatcher -----------------------------------

    #[test]
    fn is_blocked_using_host_of() {
        let m = HostMatcher::new(["fingerprinter.io".to_string()]);
        let url = "https://cdn.fingerprinter.io/track.js?v=1";
        let host = host_of(url).expect("host_of returned None");
        assert!(m.is_blocked(host));
    }
}