diff --git a/README.md b/README.md
index 67ef4e3f..44a21eb7 100644
--- a/README.md
+++ b/README.md
@@ -42,7 +42,7 @@ httpjail --request-log requests.log --js "true" -- npm install
 # Log format: " <+/-> " (+ = allowed, - = blocked)
 # Use custom script for request evaluation
-httpjail --script /path/to/check.sh -- ./my-app
+httpjail --sh /path/to/check.sh -- ./my-app
 # Script receives: HTTPJAIL_URL, HTTPJAIL_METHOD, HTTPJAIL_HOST, HTTPJAIL_SCHEME, HTTPJAIL_PATH
 # Exit 0 to allow, non-zero to block. stdout becomes additional context in 403 response.
@@ -170,26 +170,21 @@ Instead of writing JavaScript, you can use a custom script to evaluate each requ
 ```bash
 # Simple script example
-cat > check_request.sh << 'EOF'
 #!/bin/bash
-# Allow only GitHub and reject everything else
-if [[ "$HTTPJAIL_HOST" == "github.com" ]]; then
- exit 0
+if [ "$HTTPJAIL_HOST" = "github.com" ] && [ "$HTTPJAIL_METHOD" = "GET" ]; then
+ exit 0 # Allow the request
 else
- echo "Access denied: $HTTPJAIL_HOST is not on the allowlist"
- exit 1
+ exit 1 # Block the request
 fi
-EOF
-chmod +x check_request.sh
 # Use the script
-httpjail --script ./check_request.sh -- curl https://github.com
+httpjail --sh ./check_request.sh -- curl https://github.com
 # Inline script (with spaces, executed via shell)
-httpjail --script '[ "$HTTPJAIL_HOST" = "github.com" ] && exit 0 || exit 1' -- git pull
+httpjail --sh '[ "$HTTPJAIL_HOST" = "github.com" ] && exit 0 || exit 1' -- git pull
 ```
-If `--script` has spaces, it's run through `$SHELL` (default `/bin/sh`); otherwise it's executed directly.
+If `--sh` has spaces, it's run through `sh`; otherwise it's executed directly.
 **Environment variables provided to the script:**
@@ -259,7 +254,7 @@ All request information is available via the `r` object:
 - JavaScript evaluation is generally faster than external script execution
 > [!NOTE]
-> The `--js` flag conflicts with `--script` and `--js-file`. Only one evaluation method can be used at a time.
+> The `--js` flag conflicts with `--sh` and `--js-file`. Only one evaluation method can be used at a time.
 ### Advanced Options
diff --git a/src/main.rs b/src/main.rs
index bb3fa827..f139ad12 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -22,8 +22,8 @@ struct Args {
 /// HTTPJAIL_URL, HTTPJAIL_METHOD, HTTPJAIL_HOST, HTTPJAIL_SCHEME, HTTPJAIL_PATH
 /// Exit code 0 allows the request, non-zero blocks it
 /// stdout becomes additional context in the 403 response
- #[arg(short = 's', long = "script", value_name = "PROG")]
- script: Option,
+ #[arg(long = "sh", value_name = "PROG")]
+ sh: Option,
 /// Use JavaScript (V8) for evaluating requests
 /// The JavaScript code receives global variables:
@@ -33,7 +33,7 @@ struct Args {
 #[arg(
 long = "js",
 value_name = "CODE",
- conflicts_with = "script",
+ conflicts_with = "sh",
 conflicts_with = "js_file"
 )]
 js: Option,
@@ -43,7 +43,7 @@ struct Args {
 #[arg(
 long = "js-file",
 value_name = "FILE",
- conflicts_with = "script",
+ conflicts_with = "sh",
 conflicts_with = "js"
 )]
 js_file: Option,
@@ -298,7 +298,7 @@ async fn main() -> Result<()> {
 None
 };
- let rule_engine = if let Some(script) = &args.script {
+ let rule_engine = if let Some(script) = &args.sh {
 info!("Using script-based rule evaluation: {}", script);
 let script_engine = Box::new(ScriptRuleEngine::new(script.clone()));
 RuleEngine::from_trait(script_engine, request_log)
diff --git a/src/rules/script.rs b/src/rules/script.rs
index adb4323f..a588a89e 100644
--- a/src/rules/script.rs
+++ b/src/rules/script.rs
@@ -35,8 +35,7 @@ impl ScriptRuleEngine {
 // Build the command
 let mut cmd = if self.script.contains(' ') {
- let shell = std::env::var("SHELL").unwrap_or_else(|_| "/bin/sh".to_string());
- let mut cmd = tokio::process::Command::new(&shell);
+ let mut cmd = tokio::process::Command::new("sh");
 cmd.arg("-c").arg(&self.script);
 cmd
 } else {
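Review bot: The added `tokio::process::Command::new("sh")` resolves the interpreter through the spawning process's `PATH` at run time, so which binary evaluates every request now depends on the caller's environment, whereas the removed code at least fell back to the absolute `/bin/sh` when `SHELL` was unset. Since this is the policy-enforcement path, pin it: `let mut cmd = tokio::process::Command::new("/bin/sh");` (the README wording "run through `sh`" stays accurate). The unchanged `self.script.contains(' ')` discriminator on the line above also routes a script *path* that happens to contain a space through `sh -c`, which presumably fails or runs something other than intended; a comment such as `// NOTE: paths with spaces are treated as inline shell code — TODO confirm this is acceptable` would at least document the limitation. The enclosing method starts and ends outside this hunk.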