Merge pull request #2104 from lightpanda-io/feat/add-ip-filter

Feat/add ip filter
2026-06-12 01:56:19 -04:00 · 2026-04-10 08:46:06 +02:00
parent 0b6f099f43 9eba3c1463
commit a4617390de
5 changed files with 850 additions and 5 deletions
--- a/src/Config.zig
+++ b/src/Config.zig
@@ -212,6 +212,20 @@ pub fn webBotAuth(self: *const Config) ?WebBotAuthConfig {
    };
 }

+pub fn blockPrivateNetworks(self: *const Config) bool {
+    return switch (self.mode) {
+        inline .serve, .fetch, .mcp => |opts| opts.common.block_private_networks,
+        else => unreachable,
+    };
+}
+
+pub fn blockCidrs(self: *const Config) ?[]const u8 {
+    return switch (self.mode) {
+        inline .serve, .fetch, .mcp => |opts| opts.common.block_cidrs,
+        else => unreachable,
+    };
+}
+
 pub fn maxConnections(self: *const Config) u16 {
    return switch (self.mode) {
        .serve => |opts| opts.cdp_max_connections,
@@ -300,6 +314,9 @@ pub const Common = struct {
    web_bot_auth_key_file: ?[]const u8 = null,
    web_bot_auth_keyid: ?[]const u8 = null,
    web_bot_auth_domain: ?[]const u8 = null,
+
+    block_private_networks: bool = false,
+    block_cidrs: ?[]const u8 = null,
 };

 /// Pre-formatted HTTP headers for reuse across Http and Client.
@@ -362,6 +379,21 @@ pub fn printUsageAndExit(self: *const Config, success: bool) void {
        \\                we make requests towards.
        \\                Defaults to false.
        \\
+        \\--block-private-networks
+        \\                Blocks HTTP requests to private/internal IP addresses
+        \\                after DNS resolution. Useful for sandboxing, multi-tenant
+        \\                deployments, and preventing access to internal infrastructure
+        \\                regardless of what triggers the request (JavaScript, HTML
+        \\                resources, redirects, etc.).
+        \\                Defaults to false.
+        \\
+        \\--block-cidrs
+        \\                Additional CIDR ranges to block, comma-separated.
+        \\                Prefix with '-' to allow (exempt from blocking).
+        \\                e.g. --block-cidrs 169.254.169.254/32,fd00:ec2::254/128
+        \\                e.g. --block-cidrs 10.0.0.0/8,-10.0.0.42/32
+        \\                Can be used standalone or combined with --block-private-networks.
+        \\
        \\--http-proxy    The HTTP proxy to use for all HTTP requests.
        \\                A username:password can be included for basic authentication.
        \\                Defaults to none.
@@ -1145,5 +1177,19 @@ fn parseCommonArg(
        return true;
    }

+    if (std.mem.eql(u8, "--block-private-networks", opt)) {
+        common.block_private_networks = true;
+        return true;
+    }
+
+    if (std.mem.eql(u8, "--block-cidrs", opt)) {
+        const str = args.next() orelse {
+            log.fatal(.app, "missing argument value", .{ .arg = "--block-cidrs" });
+            return error.InvalidArgument;
+        };
+        common.block_cidrs = try allocator.dupe(u8, str);
+        return true;
+    }
+
    return false;
 }