feat(cli): allow-CIDR over DNS-resolved IPs

Close the symmetry gap with deny-CIDR. mode=Allowlist with only
allow-CIDR rules (no matching host rule) now works for named-host
URIs: the HTTP layer defers to the DNS resolver, which drops resolved
IPs not covered by any allow-CIDR. Host-anchored allow rules still
short-circuit — if the hostname itself matches, all resolved IPs are
kept regardless of CIDR rules.

decide_uri(): for named hosts with no direct match but at least one
allow-CIDR rule, return Allow and let the resolver filter. IP-literal
URIs still get fully checked at the HTTP layer (DNS never runs).

PolicyDnsResolver: carries allow rules + mode; per-IP keep rule is
"no deny-CIDR match AND (host-match OR allow-CIDR match)" in
Allowlist mode with allow-CIDR rules; plain deny-CIDR filter in all
other modes.

Adds two unit tests in http_client.rs (DNS resolver enforcement +
host-match bypass) and two in http_policy.rs (HTTP-layer deferral).
Updates the module doc to reflect the closed gaps.

Author: GamePad64

act-cli/src/runtime/http_client.rs

@@ -19,50 +19,95 @@ use wasmtime_wasi_http::p2::bindings::http::types::ErrorCode as P2ErrorCode;
 use wasmtime_wasi_http::p2::body::HyperIncomingBody;
 use wasmtime_wasi_http::p3::bindings::http::types::ErrorCode as P3ErrorCode;
 
-use crate::config::HttpConfig;
+use crate::config::{HttpConfig, PolicyMode};
 use crate::runtime::network::{self, NetworkRule};
 
-/// reqwest DNS resolver that filters resolved addresses against deny-CIDR
-/// rules. Drops every resolved `SocketAddr` whose IP matches any deny CIDR
-/// (respecting `except_ports`). If no addresses survive, returns an empty
-/// iterator — reqwest surfaces this as a DNS error, which our
-/// `reqwest_to_p2_error` / `reqwest_to_p3_error` maps to the appropriate
-/// wasi:http error variant.
+/// reqwest DNS resolver that filters resolved addresses against both deny
+/// and allow CIDR rules.
+///
+/// Logic per resolved `SocketAddr`:
+/// 1. Drop if any deny-CIDR matches (respecting `except_ports`).
+/// 2. In `Allowlist` mode, if any allow rule carries a `cidr`, the IP must
+///    be covered by either a host-anchored allow (meaning the hostname
+///    itself was allowed, so every resolved IP is OK) or an allow-CIDR.
+///    This closes the prior asymmetry where `allow = [{ cidr = "..." }]`
+///    required an IP-literal URI.
+/// 3. `Open` / `Deny` modes: no allow-side filter here (`Deny` never
+///    reaches the resolver; `Open` still honors deny-CIDR as a safety
+///    net).
+///
+/// If no addresses survive, returns an empty iterator — reqwest surfaces
+/// this as a DNS error, which our `reqwest_to_p2_error` /
+/// `reqwest_to_p3_error` maps to `ErrorCode::DnsError`.
 struct PolicyDnsResolver {
+    allow_nets: Arc<Vec<NetworkRule>>,
     deny_nets: Arc<Vec<NetworkRule>>,
+    mode: PolicyMode,
 }
 
 impl PolicyDnsResolver {
     fn new(cfg: &HttpConfig) -> Self {
+        let allow_nets = cfg.allow.iter().map(|r| r.net.clone()).collect();
         let deny_nets = cfg.deny.iter().map(|r| r.net.clone()).collect();
         Self {
+            allow_nets: Arc::new(allow_nets),
             deny_nets: Arc::new(deny_nets),
+            mode: cfg.mode,
         }
     }
 }
 
 impl Resolve for PolicyDnsResolver {
     fn resolve(&self, name: Name) -> Resolving {
+        let allow = self.allow_nets.clone();
         let deny = self.deny_nets.clone();
+        let mode = self.mode;
         Box::pin(async move {
             let host = name.as_str().to_string();
             let addrs = tokio::net::lookup_host(format!("{host}:0"))
                 .await
                 .map_err(|e| Box::new(e) as Box<dyn std::error::Error + Send + Sync>)?;
             let all: Vec<SocketAddr> = addrs.collect();
             let total = all.len();
+
+            // If the hostname itself matches any host-anchored allow rule,
+            // we don't need to require per-IP CIDR matches — the guest is
+            // already allowed to talk to this host. Compute once.
+            let host_allowed = allow.iter().any(|r| {
+                r.host
+                    .as_deref()
+                    .is_some_and(|pat| network::host_matches(pat, &host))
+            });
+            let require_allow_cidr = mode == PolicyMode::Allowlist
+                && !host_allowed
+                && allow.iter().any(|r| r.cidr.is_some());
+
             let filtered: Vec<SocketAddr> = all
                 .into_iter()
-                .filter(|addr| !network::any_deny_cidr_matches(&deny, addr.ip(), addr.port()))
+                .filter(|addr| {
+                    if network::any_deny_cidr_matches(&deny, addr.ip(), addr.port()) {
+                        return false;
+                    }
+                    if require_allow_cidr {
+                        return allow.iter().any(|r| {
+                            r.cidr
+                                .as_deref()
+                                .is_some_and(|c| network::cidr_contains(c, addr.ip()))
+                        });
+                    }
+                    true
+                })
                 .collect();
             tracing::debug!(
                 %host,
                 resolved = total,
                 kept = filtered.len(),
+                require_allow_cidr,
+                host_allowed,
                 "http policy dns resolve",
             );
             if filtered.is_empty() {
-                return Err("all resolved addresses matched a deny CIDR".into());
+                return Err("all resolved addresses filtered by policy CIDR rules".into());
             }
             let iter: Addrs = Box::new(filtered.into_iter());
             Ok(iter)
@@ -712,4 +757,100 @@ mod tests {
             "expected DnsError or ConnectionRefused, got {err:?}"
         );
     }
+
+    #[tokio::test(flavor = "current_thread")]
+    async fn dns_resolver_requires_allow_cidr_match_for_hostnames() {
+        // mode=Allowlist with only an allow-CIDR rule. Any URI whose
+        // resolved IPs land outside that CIDR must fail at DNS level.
+        use crate::config::{HttpConfig, HttpRule, PolicyMode};
+        use crate::runtime::network::NetworkRule;
+
+        let cfg = HttpConfig {
+            mode: PolicyMode::Allowlist,
+            // Only permit internal RFC1918 space — example.com is public.
+            allow: vec![HttpRule {
+                net: NetworkRule {
+                    cidr: Some("10.0.0.0/8".into()),
+                    ..Default::default()
+                },
+                ..Default::default()
+            }],
+            deny: vec![],
+            ..Default::default()
+        };
+        let client = ActHttpClient::new(cfg).expect("client builds");
+        let body: UnsyncBoxBody<bytes::Bytes, P2ErrorCode> = Empty::<bytes::Bytes>::new()
+            .map_err(|_| unreachable!())
+            .boxed_unsync();
+        let hyper_req = hyper::Request::builder()
+            .method(Method::GET)
+            .uri("https://example.com/")
+            .body(body)
+            .unwrap();
+        let config = wasmtime_wasi_http::p2::types::OutgoingRequestConfig {
+            use_tls: true,
+            connect_timeout: std::time::Duration::from_secs(5),
+            first_byte_timeout: std::time::Duration::from_secs(5),
+            between_bytes_timeout: std::time::Duration::from_secs(5),
+        };
+        let err = client
+            .send_p2(hyper_req, config)
+            .await
+            .expect_err("example.com IPs not in 10/8, must fail at DNS");
+        assert!(
+            matches!(err, P2ErrorCode::DnsError(_)),
+            "expected DnsError, got {err:?}"
+        );
+    }
+
+    #[tokio::test(flavor = "current_thread")]
+    async fn dns_resolver_host_match_bypasses_allow_cidr() {
+        // mode=Allowlist with BOTH a host-allow AND an allow-CIDR. A
+        // request to the allowed host should succeed even if its IPs
+        // don't fall in the CIDR — the host match approves all IPs.
+        use crate::config::{HttpConfig, HttpRule, PolicyMode};
+        use crate::runtime::network::NetworkRule;
+
+        let cfg = HttpConfig {
+            mode: PolicyMode::Allowlist,
+            allow: vec![
+                HttpRule {
+                    net: NetworkRule {
+                        host: Some("example.com".into()),
+                        ..Default::default()
+                    },
+                    ..Default::default()
+                },
+                HttpRule {
+                    net: NetworkRule {
+                        cidr: Some("10.0.0.0/8".into()),
+                        ..Default::default()
+                    },
+                    ..Default::default()
+                },
+            ],
+            deny: vec![],
+            ..Default::default()
+        };
+        let client = ActHttpClient::new(cfg).expect("client builds");
+        let body: UnsyncBoxBody<bytes::Bytes, P2ErrorCode> = Empty::<bytes::Bytes>::new()
+            .map_err(|_| unreachable!())
+            .boxed_unsync();
+        let hyper_req = hyper::Request::builder()
+            .method(Method::GET)
+            .uri("https://example.com/")
+            .body(body)
+            .unwrap();
+        let config = wasmtime_wasi_http::p2::types::OutgoingRequestConfig {
+            use_tls: true,
+            connect_timeout: std::time::Duration::from_secs(10),
+            first_byte_timeout: std::time::Duration::from_secs(10),
+            between_bytes_timeout: std::time::Duration::from_secs(10),
+        };
+        let incoming = client
+            .send_p2(hyper_req, config)
+            .await
+            .expect("example.com allowed via host rule");
+        assert_eq!(incoming.resp.status().as_u16(), 200);
+    }
 }

act-cli/src/runtime/http_policy.rs

@@ -10,21 +10,16 @@
 //! - Host matching: literal host, exact match or `*.suffix` wildcard.
 //! - Scheme / methods / ports matching.
 //! - IP literals in URI: matched against `cidr` entries at HTTP-layer.
-//! - **DNS-resolved IPs against deny CIDRs**: checked in a pre-flight
-//!   `lookup_host` before the default handler runs. Catches
-//!   SSRF-by-name ("fetch internal.example.com" where it resolves to a
-//!   10.x host). This is a second DNS lookup per request (the default
-//!   handler does its own `TcpStream::connect(authority)` which resolves
-//!   again); the OS resolver cache usually makes the second lookup a
-//!   no-op. There's a narrow TOCTOU window where a racing resolver
-//!   could return a different IP between our check and the handler's
-//!   connect — full DNS-rebinding defence requires forking the default
-//!   handler to accept a pre-resolved `SocketAddr`, which is deferred.
-//! - Allow-CIDR rules against DNS-resolved IPs: NOT IMPLEMENTED. Allow
-//!   CIDRs still require an IP literal in the URI. Deny CIDRs are the
-//!   security-critical direction.
-//! - Redirect re-decision: deferred (wasi-http follows redirects inside
-//!   `default_send_request`; we'd need to disable that and resubmit).
+//! - **DNS-resolved IPs against both allow and deny CIDRs**: enforced in
+//!   the reqwest `PolicyDnsResolver` hook (`runtime::http_client`). The
+//!   resolver runs once per request, filters denied IPs, and in
+//!   `Allowlist` mode additionally requires allow-CIDR coverage when the
+//!   hostname doesn't match any host-anchored allow rule. Named-host URIs
+//!   with only allow-CIDR rules defer their verdict from the HTTP layer
+//!   to the resolver. The single resolve pins the addresses for the
+//!   subsequent connect, closing the DNS-rebinding window.
+//! - Redirect re-decision: each hop re-evaluated via `reqwest::redirect`
+//!   hook (see `http_client::build_redirect_policy`).
 
 use std::sync::Arc;
 
@@ -57,6 +52,12 @@ impl PolicyHttpHooks {
     /// Decide an HTTP request against the config. Scheme / method checks are
     /// HTTP-layer; the host / port / CIDR parts are delegated to
     /// `runtime::network::decide`.
+    ///
+    /// For name-host URIs (non-IP-literal), when no allow rule matches but
+    /// there's at least one allow rule with a `cidr` field, return `Allow`
+    /// and defer the per-IP check to `PolicyDnsResolver`. This is how
+    /// `allow = [{ cidr = "..." }]` rules take effect against hostnames —
+    /// the HTTP layer doesn't know the resolved IPs yet.
     fn decide_uri(&self, method: Option<&str>, uri: &Uri) -> Decision {
         match self.config.mode {
             PolicyMode::Deny => return Decision::Deny,
@@ -65,6 +66,7 @@ impl PolicyHttpHooks {
         }
 
         let host = uri.host().unwrap_or("");
+        let host_is_ip_literal = host.parse::<std::net::IpAddr>().is_ok();
         let scheme = uri.scheme_str();
         let port = uri
             .port_u16()
@@ -85,10 +87,14 @@ impl PolicyHttpHooks {
             .iter()
             .any(|r| http_rule_matches(r, scheme, method, &check))
         {
-            Decision::Allow
-        } else {
-            Decision::Deny
+            return Decision::Allow;
         }
+        if !host_is_ip_literal && self.config.allow.iter().any(|r| r.net.cidr.is_some()) {
+            // Defer to DNS resolver: it will drop resolved IPs that don't
+            // match any allow-CIDR (see `PolicyDnsResolver`).
+            return Decision::Allow;
+        }
+        Decision::Deny
     }
 }
 
@@ -384,4 +390,47 @@ mod tests {
             Decision::Deny
         );
     }
+
+    #[test]
+    fn allow_cidr_defers_named_host_to_dns() {
+        // mode=Allowlist with only an allow-CIDR rule. Hostname URIs must
+        // reach the DNS resolver (return Allow at HTTP layer); the
+        // resolver will drop IPs not in the CIDR. IP-literal URIs still
+        // get fully checked at HTTP layer.
+        let h = hooks(HttpConfig {
+            mode: PolicyMode::Allowlist,
+            allow: vec![rule(None, None, None, Some("10.0.0.0/8"), None)],
+            ..Default::default()
+        });
+
+        // Name host: defer to DNS → Allow at HTTP layer.
+        assert_eq!(
+            h.decide_uri(Some("GET"), &uri("https://internal.corp/")),
+            Decision::Allow
+        );
+        // IP literal in allowed CIDR: Allow.
+        assert_eq!(
+            h.decide_uri(Some("GET"), &uri("http://10.1.2.3/")),
+            Decision::Allow
+        );
+        // IP literal outside CIDR: Deny (no DNS deferral for literals).
+        assert_eq!(
+            h.decide_uri(Some("GET"), &uri("http://8.8.8.8/")),
+            Decision::Deny
+        );
+    }
+
+    #[test]
+    fn allow_cidr_does_not_defer_without_cidr_rule() {
+        // No allow-CIDR rules → HTTP layer decides purely on host.
+        let h = hooks(HttpConfig {
+            mode: PolicyMode::Allowlist,
+            allow: vec![rule(Some("example.com"), None, None, None, None)],
+            ..Default::default()
+        });
+        assert_eq!(
+            h.decide_uri(Some("GET"), &uri("https://other.com/")),
+            Decision::Deny
+        );
+    }
 }