From c3f6cde1dac9795ae21d2e63aeaf2b9c06f052ea Mon Sep 17 00:00:00 2001 From: Ammar Bandukwala Date: Wed, 10 Sep 2025 15:06:48 -0500 Subject: [PATCH 1/3] test: remove duplicate rule tests --- README.md | 3 +++ src/main.rs | 62 ++++++++++++++++------------------------------------ src/rules.rs | 10 +++++++++ 3 files changed, 32 insertions(+), 43 deletions(-) diff --git a/README.md b/README.md index 583623ab..5c00929a 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,7 @@ cargo install httpjail - 🌐 **HTTP/HTTPS interception** - Transparent proxy with TLS certificate injection - 🎯 **Regex-based filtering** - Flexible allow/deny rules with regex patterns - 📝 **Request logging** - Monitor and log all HTTP/HTTPS requests +- ⛔ **Default deny** - Requests are blocked unless explicitly allowed - 🖥️ **Cross-platform** - Native support for Linux and macOS - ⚡ **Zero configuration** - Works out of the box with sensible defaults @@ -28,6 +29,8 @@ cargo install httpjail ## Quick Start +> By default, httpjail denies all network requests. Add `allow:` rules to permit traffic. + ```bash # Allow only requests to github.com httpjail -r "allow: github\.com" -r "deny: .*" -- claude diff --git a/src/main.rs b/src/main.rs index 3430c057..69c85c09 100644 --- a/src/main.rs +++ b/src/main.rs @@ -193,10 +193,9 @@ fn build_rules(args: &Args) -> Result> { rules.push(parse_rule(rule_str)?); } - // If no rules specified, default to allow all (for testing) + // If no rules specified, the rule engine will deny all requests by default if rules.is_empty() { - info!("No rules specified, defaulting to allow all"); - rules.push(Rule::new(Action::Allow, ".*")?); + info!("No rules specified; unmatched requests will be denied"); } Ok(rules) 
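Review bot: The new message in `build_rules` (src/main.rs, hunk at -193) is logged with `info!`, so a user who starts httpjail without rules may see every request blocked with no visible reason if the default verbosity hides info-level output (how `verbose: 0` maps to a log level is not shown here). Since an empty rule set now blocks all traffic, log it at warning level and state the effect directly: `warn!("No rules specified; all requests will be denied");`, assuming `warn!` comes from the same logging crate as `info!`. The deny itself is enforced by the rule engine's fall-through, outside this hunk, so the new comment is only as accurate as that code; `build_rules` also begins above the hunk. The subject `test: remove duplicate rule tests` does not mention the switch from allow-all to deny-all, which is the change a security changelog would need to record.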
@@ -512,55 +511,32 @@ mod tests { use hyper::Method; #[test] - fn test_rule_matching() { - let rule = Rule::new(Action::Allow, r"github\.com").unwrap(); - assert!(rule.matches(Method::GET, "https://github.com/user/repo")); - assert!(rule.matches(Method::POST, "http://api.github.com/v3/repos")); - assert!(!rule.matches(Method::GET, "https://gitlab.com/user/repo")); - } + fn test_build_rules_no_rules_default_deny() { + let args = Args { + rules: vec![], + config: None, + log_only: false, + interactive: false, + weak: false, + verbose: 0, + timeout: None, + no_jail_cleanup: false, + cleanup: false, + server: false, + command: vec![], + }; - #[test] - fn test_rule_engine() { - let rules = vec![ - Rule::new(Action::Allow, r"github\.com").unwrap(), - Rule::new(Action::Deny, r"telemetry").unwrap(), - Rule::new(Action::Deny, r".*").unwrap(), - ]; + let rules = build_rules(&args).unwrap(); + assert!(rules.is_empty()); + // Rule engine should deny requests when no rules are specified let engine = RuleEngine::new(rules, false); - - // Test allow rule - assert!(matches!( - engine.evaluate(Method::GET, "https://github.com/api"), - Action::Allow - )); - - // Test deny rule - assert!(matches!( - engine.evaluate(Method::POST, "https://telemetry.example.com"), - Action::Deny - )); - - // Test default deny assert!(matches!( engine.evaluate(Method::GET, "https://example.com"), Action::Deny )); } - #[test] - fn test_log_only_mode() { - let rules = vec![Rule::new(Action::Deny, r".*").unwrap()]; - - let engine = RuleEngine::new(rules, true); - - // In log-only mode, everything should be allowed - assert!(matches!( - engine.evaluate(Method::POST, "https://example.com"), - Action::Allow - )); - } - #[test] fn test_build_rules_from_config_file() { use std::io::Write; diff --git a/src/rules.rs b/src/rules.rs index f3344921..a58bcffe 100644 --- a/src/rules.rs +++ b/src/rules.rs 
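Review bot: `test_build_rules_no_rules_default_deny` builds `Args` as a full struct literal, so any field added to or renamed in `Args` breaks this test for reasons unrelated to default-deny; PATCH 2/3 in this series already has to patch it for `log_only` → `request_log`. If `Args` implements `Default` (not visible here), struct-update syntax keeps the test focused, e.g. `let args = Args { rules: vec![], config: None, ..Default::default() };`; otherwise move the literal into one helper shared by the test module. The engine assertion repeats what `test_default_deny_with_no_rules` in src/rules.rs checks, so if it is kept as an end-to-end guard on the fail-closed default, say so in the comment: `// End-to-end: empty CLI rules plus the engine must fail closed`. The `mod tests` block starts before and continues after this hunk.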
@@ -182,4 +182,14 @@ mod tests { Action::Allow )); } + + #[test] + fn test_default_deny_with_no_rules() { + let engine = RuleEngine::new(vec![], false); + + assert!(matches!( + engine.evaluate(Method::GET, "https://example.com"), + Action::Deny + )); + } } From f871ee40ff6d6c826e61d73e08269b09591a1ee1 Mon Sep 17 00:00:00 2001 From: "blink-so[bot]" Date: Thu, 11 Sep 2025 01:07:04 +0000 Subject: [PATCH 2/3] fix: update tests to new request_log and RuleEngine::new signature - replace obsolete log_only field with request_log: None in tests - update RuleEngine::new(vec![], false) -> None in rules tests Co-authored-by: ammario <7416144+ammario@users.noreply.github.com> --- src/main.rs | 2 +- src/rules.rs | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/main.rs b/src/main.rs index 01454fa1..48295da7 100644 --- a/src/main.rs +++ b/src/main.rs @@ -527,7 +527,7 @@ mod tests { let args = Args { rules: vec![], config: None, - log_only: false, + request_log: None, interactive: false, weak: false, verbose: 0, diff --git a/src/rules.rs b/src/rules.rs index a53da120..fd83cbfd 100644 --- a/src/rules.rs +++ b/src/rules.rs @@ -229,11 +229,11 @@ mod tests { #[test] fn test_default_deny_with_no_rules() { - let engine = RuleEngine::new(vec![], false); + let engine = RuleEngine::new(vec![], None); assert!(matches!( engine.evaluate(Method::GET, "https://example.com"), Action::Deny )); } -} +} \ No newline at end of file From 56361eb84210ba0ebc1be9c9a3035168dd03221e Mon Sep 17 00:00:00 2001 From: "blink-so[bot]" Date: Thu, 11 Sep 2025 01:11:21 +0000 Subject: [PATCH 3/3] chore(fmt): add missing trailing newline in rules.rs Co-authored-by: ammario <7416144+ammario@users.noreply.github.com> --- src/rules.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rules.rs b/src/rules.rs index fd83cbfd..698077a0 100644 --- a/src/rules.rs +++ b/src/rules.rs @@ -236,4 +236,4 @@ mod tests { Action::Deny )); } -} \ No newline at end of file +}
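Review bot: `test_default_deny_with_no_rules` (src/rules.rs, PATCH 1/3) pins the fail-closed default with a single `GET` to an `https://` URL, so a regression that affects only another method or plain HTTP would still pass. Add a second assertion to the same test, e.g. `assert!(matches!(engine.evaluate(Method::POST, "http://example.com"), Action::Deny));`, and a one-line comment such as `// Security invariant: an empty rule set must deny every request`. PATCH 2/3 touches the same test again (the second constructor argument becomes `None`), and the added assertion applies there unchanged.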