Block procedures from requesting private ip ranges (#4243)

joshua-spacetime · web-flow · commit 2d656d49b61d · 2026-02-11T05:27:12.000Z
# Description of Changes

Blocks procedures from requesting private ip ranges after dns
resolution.

Adds a new cargo feature to `spacetimedb-standalone` permitting loopback
http requests in test environments only.

# API and ABI breaking changes

None

# Expected complexity level and risk

2. I may have missed a range.

# Testing

- [x] Unit tests for IP address matching
- [x] Smoketests for blocking a private IP address
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -903,7 +903,7 @@ jobs:
           export CARGO_HOME="$HOME/.cargo"
           echo "$CARGO_HOME/bin" >> "$GITHUB_PATH"
           cargo install --force --path crates/cli --locked --message-format=short
-          cargo install --force --path crates/standalone --locked --message-format=short
+          cargo install --force --path crates/standalone --features allow_loopback_http_for_tests --locked --message-format=short
           # Add a handy alias using the old binary name, so that we don't have to rewrite all scripts (incl. in submodules).
           ln -sf $CARGO_HOME/bin/spacetimedb-cli $CARGO_HOME/bin/spacetime
 
diff --git a/crates/core/Cargo.toml b/crates/core/Cargo.toml
@@ -137,6 +137,9 @@ nix = { workspace = true, features = ["sched"] }
 # Print a warning when doing an unindexed `iter_by_col_range` on a large table.
 unindexed_iter_by_col_range_warn = []
 default = ["unindexed_iter_by_col_range_warn"]
+# Test-only escape hatch used by SDK procedure tests that intentionally call `localhost`.
+# Keep this off in production builds.
+allow_loopback_http_for_tests = []
 # Enable timing for wasm ABI calls
 spacetimedb-wasm-instance-env-times = []
 # Enable test helpers and utils
diff --git a/crates/core/src/host/instance_env.rs b/crates/core/src/host/instance_env.rs
diff --git a/crates/guard/src/lib.rs b/crates/guard/src/lib.rs
@@ -79,7 +79,7 @@ pub fn ensure_binaries_built() -> PathBuf {
                     \n\
                     Or build manually:\n\
                     \n\
-                    cargo build -p spacetimedb-cli -p spacetimedb-standalone\n\
+                    cargo build -p spacetimedb-cli -p spacetimedb-standalone --features spacetimedb-standalone/allow_loopback_http_for_tests\n\
                     ========================================================================\n",
                     cli_path.display()
                 );
diff --git a/crates/smoketests/DEVELOP.md b/crates/smoketests/DEVELOP.md
@@ -30,7 +30,7 @@ you MUST rebuild before running tests:
 cargo smoketest
 
 # Option 2: Manually rebuild, then run tests directly
-cargo build -p spacetimedb-cli -p spacetimedb-standalone
+cargo build -p spacetimedb-cli -p spacetimedb-standalone --features spacetimedb-standalone/allow_loopback_http_for_tests
 cargo nextest run -p spacetimedb-smoketests
 ```
 
@@ -54,7 +54,7 @@ Pre-building avoids this entirely.
 Standard `cargo test` also works, but you must rebuild first:
 
 ```bash
-cargo build -p spacetimedb-cli -p spacetimedb-standalone
+cargo build -p spacetimedb-cli -p spacetimedb-standalone --features spacetimedb-standalone/allow_loopback_http_for_tests
 cargo test -p spacetimedb-smoketests
 ```
 
diff --git a/crates/smoketests/tests/http_egress.rs b/crates/smoketests/tests/http_egress.rs
@@ -0,0 +1,103 @@
+use std::io::Write;
+use std::net::TcpListener;
+use std::thread::JoinHandle;
+use std::time::{Duration, Instant};
+
+use spacetimedb_smoketests::Smoketest;
+
+fn module_code_http_disallowed_ip(addr: &str, port: u16) -> String {
+    format!(
+        r#"
+use spacetimedb::ProcedureContext;
+
+#[spacetimedb::procedure]
+pub fn request_disallowed_ip(ctx: &mut ProcedureContext) -> Result<(), String> {{
+    match ctx.http.get("http://{addr}:{port}/") {{
+        Ok(_) => Err("request unexpectedly succeeded".to_owned()),
+        Err(err) => {{
+            let message = err.to_string();
+            if message.contains("refusing to connect to private or special-purpose addresses") {{
+                Ok(())
+            }} else {{
+                Err(format!("unexpected error from http request: {{message}}"))
+            }}
+        }}
+    }}
+}}
+"#
+    )
+}
+
+fn spawn_redirect_server(location: &str) -> (u16, JoinHandle<std::io::Result<()>>) {
+    let listener = TcpListener::bind(("127.0.0.1", 0)).expect("failed to bind test redirect server");
+    listener
+        .set_nonblocking(true)
+        .expect("failed to set test redirect server nonblocking mode");
+    let port = listener
+        .local_addr()
+        .expect("failed to read test redirect server address")
+        .port();
+    let location = location.to_owned();
+    let handle = std::thread::spawn(move || -> std::io::Result<()> {
+        let deadline = Instant::now() + Duration::from_secs(10);
+        let (mut stream, _) = loop {
+            match listener.accept() {
+                Ok(pair) => break pair,
+                Err(err) if err.kind() == std::io::ErrorKind::WouldBlock => {
+                    if Instant::now() >= deadline {
+                        return Err(std::io::Error::new(
+                            std::io::ErrorKind::TimedOut,
+                            "redirect test server did not receive a request; rebuild standalone with allow_loopback_http_for_tests",
+                        ));
+                    }
+                    std::thread::sleep(Duration::from_millis(10));
+                }
+                Err(err) => return Err(err),
+            }
+        };
+        let response =
+            format!("HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\nConnection: close\r\n\r\n");
+        stream.write_all(response.as_bytes())?;
+        stream.flush()?;
+        Ok(())
+    });
+    (port, handle)
+}
+
+#[test]
+fn test_http_disallowed_ip_is_blocked() {
+    let module_code = module_code_http_disallowed_ip("10.0.0.1", 80);
+    let test = Smoketest::builder().module_code(&module_code).build();
+
+    let output = test.call_output("request_disallowed_ip", &[]);
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    assert!(
+        output.status.success(),
+        "Expected request_disallowed_ip to succeed after observing blocked egress error.\nstdout:\n{}\nstderr:\n{}",
+        stdout,
+        stderr
+    );
+}
+
+#[test]
+fn test_http_redirect_to_disallowed_ip_is_blocked() {
+    let (port, redirect_server) = spawn_redirect_server("http://10.0.0.1:80/");
+    let module_code = module_code_http_disallowed_ip("localhost", port);
+    let test = Smoketest::builder().module_code(&module_code).build();
+
+    let output = test.call_output("request_disallowed_ip", &[]);
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    assert!(
+        output.status.success(),
+        "Expected request_disallowed_ip to succeed after observing blocked egress error.\nstdout:\n{}\nstderr:\n{}",
+        stdout,
+        stderr
+    );
+
+    redirect_server
+        .join()
+        .expect("redirect test server thread panicked")
+        .expect("redirect test server failed");
+}
diff --git a/crates/smoketests/tests/mod.rs b/crates/smoketests/tests/mod.rs
@@ -18,6 +18,7 @@ pub mod domains;
 pub mod energy;
 pub mod fail_initial_publish;
 pub mod filtering;
+pub mod http_egress;
 pub mod module_nested_op;
 pub mod modules;
 pub mod namespaces;
diff --git a/crates/standalone/Cargo.toml b/crates/standalone/Cargo.toml
@@ -18,6 +18,7 @@ required-features = [] # Features required to build this target (N/A for lib)
 
 [features]
 unstable = ["spacetimedb-client-api/unstable"]
+allow_loopback_http_for_tests = ["spacetimedb-core/allow_loopback_http_for_tests"]
 # Perfmaps for profiling modules
 perfmap = ["spacetimedb-core/perfmap"]
 # Disables core pinning
diff --git a/crates/testing/Cargo.toml b/crates/testing/Cargo.toml
@@ -5,6 +5,9 @@ edition.workspace = true
 license-file = "LICENSE"
 publish = false
 
+[features]
+allow_loopback_http_for_tests = ["spacetimedb-standalone/allow_loopback_http_for_tests"]
+
 [dependencies]
 spacetimedb-cli.workspace = true
 spacetimedb-data-structures.workspace = true
diff --git a/sdks/rust/Cargo.toml b/sdks/rust/Cargo.toml
@@ -8,6 +8,9 @@ rust-version.workspace = true
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
+[features]
+allow_loopback_http_for_tests = ["spacetimedb-testing/allow_loopback_http_for_tests"]
+
 [dependencies]
 spacetimedb-data-structures.workspace = true
 spacetimedb-sats.workspace = true
diff --git a/tools/ci/src/main.rs b/tools/ci/src/main.rs
@@ -311,6 +311,22 @@ fn main() -> Result<()> {
                 "--all",
                 "--exclude",
                 "spacetimedb-smoketests",
+                "--exclude",
+                "spacetimedb-sdk",
+                "--",
+                "--test-threads=2",
+                "--skip",
+                "unreal"
+            )
+            .run()?;
+            // SDK procedure tests intentionally make localhost HTTP requests.
+            cmd!(
+                "cargo",
+                "test",
+                "-p",
+                "spacetimedb-sdk",
+                "--features",
+                "allow_loopback_http_for_tests",
                 "--",
                 "--test-threads=2",
                 "--skip",
diff --git a/tools/ci/src/smoketest.rs b/tools/ci/src/smoketest.rs
@@ -59,6 +59,8 @@ fn build_binaries() -> Result<()> {
         "spacetimedb-cli",
         "-p",
         "spacetimedb-standalone",
+        "--features",
+        "spacetimedb-standalone/allow_loopback_http_for_tests",
     ]);
 
     // Remove cargo/rust env vars that could cause fingerprint mismatches
