
Stronger HTTP Permission Model #227

@crepererum

Description


What

Extend the builtin HTTP permission system by additional checks.

Why

The current interface is rather abstract and allows users to implement many possible checks:

use std::fmt;

/// Validates if an outgoing HTTP interaction is allowed.
///
/// You can implement your own business logic here or use one of the pre-built implementations in [this module](self).
pub trait HttpRequestValidator: fmt::Debug + Send + Sync + 'static {
    /// Validate an outgoing request before it is sent.
    ///
    /// Return [`Ok`] if the request should be allowed, return [`Err`] otherwise.
    fn validate(
        &self,
        request: &hyper::Request<HyperOutgoingBody>,
        use_tls: bool,
    ) -> Result<(), Rejected>;
}

We also offer two implementations of this interface for the users:

use std::borrow::Cow;
use std::collections::HashSet;

use hyper::Method;

/// Reject ALL requests.
#[derive(Debug, Clone, Copy, Default)]
pub struct RejectAllHttpRequests;

/// A request matcher.
#[derive(Debug, Clone, Hash, PartialEq, Eq)]
pub struct Matcher {
    /// Method.
    pub method: Method,
    /// Host.
    ///
    /// Requests without a host will be rejected.
    pub host: Cow<'static, str>,
    /// Port.
    ///
    /// For requests without an explicit port, this defaults to `80` for non-TLS requests and to `443` for TLS requests.
    pub port: u16,
}

/// Allow-list requests.
#[derive(Debug, Clone, Default)]
pub struct AllowCertainHttpRequests {
    /// Set of all matchers.
    ///
    /// If ANY of them matches, the request will be allowed.
    matchers: HashSet<Matcher>,
}

Especially the second one could be a bit more thorough.

How

Add the following checks:

  • request path prefix: This is in addition to host. That would allow restricting requests to certain APIs on the host.
  • request body size: Limits certain types of DoS attacks.
  • response body size: Prevents possible OOM situations on the host caused by buffering overlarge responses.
  • rate limit: Prevents DoS.
  • request timeout: Prevents long-running / forever-open HTTP requests (although this is somewhat limited by the UDF lifetime anyway).
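As an added example (not code from this issue or the project), a self-contained sketch of how the first two proposed checks, path prefix and request body size, could extend the allow-list matcher while keeping the existing method/host/port semantics. It assumes a minimal `Request` stand-in and a `Rejected` enum in place of the hyper types, so it compiles without external crates.

```rust
use std::collections::HashSet;

// Constructed stand-in for the hyper::Request the real validator receives.
#[derive(Debug, Clone, Copy)]
pub struct Request<'a> {
    pub method: &'a str,
    pub host: Option<&'a str>,
    pub port: Option<u16>,
    pub path: &'a str,
    pub body_len: usize,
}

#[derive(Debug, Clone, Hash, PartialEq, Eq)]
pub struct Matcher {
    pub method: String,
    pub host: String,
    pub port: u16,
    pub path_prefix: String, // proposed addition: only paths under this prefix are allowed
}

pub struct AllowCertainHttpRequests {
    pub matchers: HashSet<Matcher>,
    pub max_request_body: usize, // proposed addition: upper bound on request body bytes
}
#[derive(Debug, PartialEq)] pub enum Rejected { NoHost, NoMatcher, BodyTooLarge { len: usize, max: usize } }

impl AllowCertainHttpRequests {
    pub fn validate(&self, req: &Request<'_>, use_tls: bool) -> Result<(), Rejected> {
        let host = req.host.ok_or(Rejected::NoHost)?;
        // Default port follows the scheme, as the existing Matcher docs describe.
        let port = req.port.unwrap_or(if use_tls { 443 } else { 80 });
        if req.body_len > self.max_request_body {
            return Err(Rejected::BodyTooLarge { len: req.body_len, max: self.max_request_body });
        }
        // Hostnames compare case-insensitively; the path must match on a segment boundary.
        let allowed = self.matchers.iter().any(|m| {
            m.method == req.method && m.host.eq_ignore_ascii_case(host) && m.port == port
                && path_has_prefix(req.path, &m.path_prefix)
        });
        if allowed { Ok(()) } else { Err(Rejected::NoMatcher) }
    }
}

/// "/api" matches "/api" and "/api/x" but not "/apix".
fn path_has_prefix(path: &str, prefix: &str) -> bool {
    match path.strip_prefix(prefix.trim_end_matches('/')) {
        Some(rest) => rest.is_empty() || rest.starts_with('/'),
        None => false,
    }
}
```

Response body size, rate limit and timeout act on the transfer itself, so they belong around the HTTP client rather than in this pre-send check.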
