http_proxy: Add the allowlisting proxy server#59223
Merged
Conversation
First of a stack adding hostname-allowlisted network access to agent terminal sandboxing. This PR adds a new `http_proxy` crate containing only the allowlist policy types: `HostPattern` (exact hostnames or leading-`*.` subdomain wildcards, with IDN-to-punycode normalization and IP-literal / localhost rejection) and `Allowlist`, plus host-pattern subsumption (`covers`) used later to decide when an already-granted permission covers a new request. Pure, self-contained logic with no callers yet; the upstream-proxy config and the proxy server that enforces these policies land in later PRs. Release Notes: - N/A
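The allowlist policy types described in the first commit message, as an added example in std-only Rust; this is not code from the PR or the `http_proxy` crate, and the type and method names, the error enum, and the rule that `*.example.com` matches subdomains but not the apex `example.com` are assumptions made for the example. The crate's IDN-to-punycode normalization is omitted: non-ASCII input is simply rejected here.

```rust
// Added example (not the http_proxy crate): HostPattern / Allowlist with `*.`
// wildcards, IP-literal and localhost rejection, and `covers` subsumption.
// Assumes hostnames are already ASCII; the real crate punycodes IDNs first.
use std::net::IpAddr;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum HostPattern {
    /// Matches exactly one hostname (case-insensitive, trailing dot ignored).
    Exact(String),
    /// Matches any subdomain of the suffix: `*.example.com` matches
    /// `api.example.com` but, by this example's rule, not `example.com`.
    Wildcard(String),
}

#[derive(Debug, PartialEq, Eq)]
pub enum PatternError { Empty, NotAscii, IpLiteral, Localhost, BadLabel }

/// Normalizes a hostname and rejects anything that is not a plain DNS name.
fn validate_host(host: &str) -> Result<String, PatternError> {
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if host.is_empty() { return Err(PatternError::Empty); }
    if !host.is_ascii() { return Err(PatternError::NotAscii); }
    // Bare or bracketed IP literals are not names; policy is per-hostname.
    let bare = host.trim_start_matches('[').trim_end_matches(']');
    if bare.parse::<IpAddr>().is_ok() { return Err(PatternError::IpLiteral); }
    if host == "localhost" || host.ends_with(".localhost") {
        return Err(PatternError::Localhost);
    }
    for label in host.split('.') {
        let ok = !label.is_empty()
            && label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
            && !label.starts_with('-') && !label.ends_with('-');
        if !ok { return Err(PatternError::BadLabel); }
    }
    Ok(host)
}

/// True when `host` is a strict subdomain of `suffix` ("a.example.com" of "example.com").
fn is_subdomain_of(host: &str, suffix: &str) -> bool {
    host.strip_suffix(suffix)
        .map_or(false, |rest| rest.len() > 1 && rest.ends_with('.'))
}

impl HostPattern {
    pub fn parse(s: &str) -> Result<Self, PatternError> {
        match s.strip_prefix("*.") {
            Some(suffix) => Ok(HostPattern::Wildcard(validate_host(suffix)?)),
            None => Ok(HostPattern::Exact(validate_host(s)?)),
        }
    }

    pub fn matches(&self, host: &str) -> bool {
        let Ok(host) = validate_host(host) else { return false; };
        match self {
            HostPattern::Exact(h) => *h == host,
            HostPattern::Wildcard(suffix) => is_subdomain_of(&host, suffix),
        }
    }

    /// `self.covers(other)`: every host matched by `other` is matched by `self`,
    /// so an already-granted `self` makes a new request for `other` redundant.
    pub fn covers(&self, other: &HostPattern) -> bool {
        match (self, other) {
            (HostPattern::Exact(a), HostPattern::Exact(b)) => a == b,
            (HostPattern::Exact(_), HostPattern::Wildcard(_)) => false,
            (HostPattern::Wildcard(s), HostPattern::Exact(h)) => is_subdomain_of(h, s),
            (HostPattern::Wildcard(a), HostPattern::Wildcard(b)) => a == b || is_subdomain_of(b, a),
        }
    }
}

#[derive(Debug, Default)]
pub struct Allowlist { patterns: Vec<HostPattern> }

impl Allowlist {
    /// Adds a pattern; returns false if an existing pattern already covers it.
    /// Patterns the new one subsumes are dropped so the list stays minimal.
    pub fn insert(&mut self, p: HostPattern) -> bool {
        if self.patterns.iter().any(|q| q.covers(&p)) { return false; }
        self.patterns.retain(|q| !p.covers(q));
        self.patterns.push(p);
        true
    }

    pub fn allows(&self, host: &str) -> bool {
        self.patterns.iter().any(|p| p.matches(host))
    }

    pub fn len(&self) -> usize { self.patterns.len() }
}
```

`insert` reports whether the list actually changed, which is the signal a permission prompt can use to skip asking again for a host that a granted wildcard already covers.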
Second of the stack. Adds `UpstreamProxy`: parsing of an upstream HTTP proxy from the environment (`HTTPS_PROXY` / `HTTP_PROXY` / `ALL_PROXY` and lowercase forms) with `NO_PROXY` bypass matching delegated to the `proxyvars` crate, basic-auth credentials (kept out of `Debug`/`Display`), and IPv6/default-port normalization. Used by the proxy server in the next PR to chain outbound connections through a corporate proxy when one is configured. Release Notes: - N/A
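The upstream-proxy resolution the second commit message describes, as an added std-only Rust example that is not the crate's `UpstreamProxy`: variable precedence with lowercase forms, credentials kept out of `Debug` and `Display`, bracketed IPv6 hosts, and a default port when none is given. The `NO_PROXY` matching that the crate delegates to `proxyvars` is reduced here to an exact-or-dotted-suffix match, and the environment is passed in as a closure so the example runs deterministically; the precedence order, the `http`-only scheme rule and the port default of 80 are assumptions made for the example.

```rust
// Added example (not the http_proxy crate's UpstreamProxy): resolve an upstream
// HTTP proxy from the conventional environment variables. `env` stands in for
// std::env::var so the lookup is injectable; NO_PROXY handling is simplified.
use std::fmt;

#[derive(Clone, PartialEq, Eq)]
pub struct Credentials { pub user: String, pub password: String }

#[derive(Clone, PartialEq, Eq)]
pub struct UpstreamProxy {
    pub host: String,
    pub port: u16,
    pub credentials: Option<Credentials>,
    no_proxy: Vec<String>,
}

// Hand-written Debug so a logged config never carries the password.
impl fmt::Debug for UpstreamProxy {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("UpstreamProxy")
            .field("host", &self.host)
            .field("port", &self.port)
            .field("credentials", &self.credentials.as_ref().map(|_| "<redacted>"))
            .finish()
    }
}

impl fmt::Display for UpstreamProxy {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Re-bracket IPv6 literals so host:port stays unambiguous.
        if self.host.contains(':') { write!(f, "http://[{}]:{}", self.host, self.port) }
        else { write!(f, "http://{}:{}", self.host, self.port) }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum ProxyError { UnsupportedScheme(String), MissingHost, BadPort }

// Assumed precedence: HTTPS_PROXY, then HTTP_PROXY, then ALL_PROXY, each with
// its lowercase form checked right after the uppercase one.
const VARS: [&str; 6] = ["HTTPS_PROXY", "https_proxy", "HTTP_PROXY", "http_proxy", "ALL_PROXY", "all_proxy"];

impl UpstreamProxy {
    /// Returns Ok(None) when no proxy variable is set (or all are blank).
    pub fn from_env(env: &dyn Fn(&str) -> Option<String>) -> Result<Option<Self>, ProxyError> {
        let Some(raw) = VARS.iter().find_map(|v| env(v).filter(|s| !s.trim().is_empty())) else {
            return Ok(None);
        };
        let no_proxy: Vec<String> = env("NO_PROXY").or_else(|| env("no_proxy"))
            .unwrap_or_default()
            .split(',')
            .map(|s| s.trim().trim_start_matches('.').to_ascii_lowercase())
            .filter(|s| !s.is_empty())
            .collect();
        let mut proxy = Self::parse(raw.trim())?;
        proxy.no_proxy = no_proxy;
        Ok(Some(proxy))
    }

    /// Parses `[http://][user[:password]@]host[:port]`; IPv6 hosts must be bracketed.
    pub fn parse(url: &str) -> Result<Self, ProxyError> {
        let (scheme, rest) = url.split_once("://").unwrap_or(("http", url));
        if scheme != "http" { return Err(ProxyError::UnsupportedScheme(scheme.to_string())); }
        let rest = rest.trim_end_matches('/');
        // Split on the LAST '@' so a password containing '@' still parses.
        let (credentials, hostport) = match rest.rsplit_once('@') {
            Some((cred, hp)) => {
                let (user, password) = cred.split_once(':').unwrap_or((cred, ""));
                (Some(Credentials { user: user.to_string(), password: password.to_string() }), hp)
            }
            None => (None, rest),
        };
        let (host, port) = if let Some(inner) = hostport.strip_prefix('[') {
            let (h, after) = inner.split_once(']').ok_or(ProxyError::MissingHost)?;
            (h, after.strip_prefix(':'))
        } else {
            match hostport.rsplit_once(':') {
                Some((h, p)) => (h, Some(p)),
                None => (hostport, None),
            }
        };
        if host.is_empty() { return Err(ProxyError::MissingHost); }
        let port = match port {
            Some(p) => p.parse::<u16>().map_err(|_| ProxyError::BadPort)?,
            None => 80, // assumed default for an http:// proxy URL
        };
        Ok(Self { host: host.to_ascii_lowercase(), port, credentials, no_proxy: Vec::new() })
    }

    /// Simplified NO_PROXY check: "*" bypasses everything, otherwise an entry
    /// matches the host exactly or as a dotted suffix.
    pub fn bypasses(&self, host: &str) -> bool {
        let host = host.to_ascii_lowercase();
        self.no_proxy.iter().any(|e| e == "*" || *e == host || host.ends_with(&format!(".{e}")))
    }
}
```

The point of the manual `Debug` is that `#[derive(Debug)]` on a struct holding credentials will leak them the first time someone logs the config with `{:?}`; keeping `Credentials` without a `Debug` impl at all makes that mistake a compile error.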
Final piece of the crate: the in-process HTTP/HTTPS proxy server that enforces an `Allowlist`. It speaks HTTP CONNECT for HTTPS tunnels and forward proxying for plain HTTP, vets resolved addresses against loopback/private/link-local ranges to prevent DNS-rebinding past the sandbox, pins each connection to the destination approved for its first request (so later keep-alive requests can't escape the policy decision), optionally chains through the `UpstreamProxy`, and bounds header sizes, connection counts, and connect/handshake waits since its sole client is untrusted model-driven code running inside the editor process. Includes end-to-end tests covering allowed/denied CONNECT and HTTP forward, IP-literal handling, DNS-rebinding denial, and upstream chaining. Still has no callers; wired into the agent terminal sandbox in later PRs. Release Notes: - N/A
MartinYe1234
approved these changes
Jun 15, 2026
pull Bot
pushed a commit
to sipsuru/zed-winbuild
that referenced
this pull request
Jun 15, 2026
…dustries#59218) Fourth PR of the stack adding hostname-allowlisted network access to agent terminal sandboxing. Stacked on the `http_proxy` crate PRs (zed-industries#59217, zed-industries#59222, zed-industries#59223) — review/merge those first; this PR's diff is only the sandbox change. Replaces the `allow_network: bool` field on the macOS Seatbelt `SandboxPermissions` with a `NetworkAccess` enum: `None` (block all egress), `All` (the previous `allow_network: true` behavior), and `LocalhostPort(u16)`, which confines a sandboxed command to a single loopback port. The new variant emits a Seatbelt rule permitting outbound TCP only to `localhost:<port>` and isn't constructed yet; it exists to pin sandboxed commands to the in-process network proxy in a later PR. The sole consumer maps its existing boolean to `All`/`None`, so behavior is unchanged. Release Notes: - N/A
Third of the `http_proxy` stack. Stacked on #59217 and the upstream-config PR — review/merge those first.

Adds the in-process HTTP/HTTPS proxy server that enforces an `Allowlist`. It speaks HTTP CONNECT for HTTPS tunnels and forward proxying for plain HTTP, vets resolved addresses against loopback/private/link-local ranges to prevent DNS-rebinding past the sandbox, pins each connection to the destination approved for its first request (so later keep-alive requests can't escape the policy decision), optionally chains through the upstream proxy, and bounds header sizes, connection counts, and connect/handshake waits since its sole client is untrusted model-driven code running inside the editor process. Includes end-to-end tests covering allowed/denied CONNECT and HTTP forward, IP-literal handling, DNS-rebinding denial, and upstream chaining.

Still has no callers; wired into the agent terminal sandbox in the remaining PRs of the stack.
Release Notes:
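Two of the checks that both the third commit message and the PR description above call out, as an added std-only Rust example rather than the server code from this PR: vetting every resolved address against loopback/private/link-local ranges so an allowlisted hostname cannot be rebound to an internal address, and pinning a connection to the destination approved for its first request so later keep-alive requests on the same socket cannot switch destination. Resolution and the allowlist decision are injected as closures so nothing touches DNS; the `Deny` variants, the "reject the whole answer if any record is internal" rule and the extra carrier-grade-NAT range are assumptions made for the example.

```rust
// Added example (not the http_proxy server): resolved-address vetting and
// per-connection destination pinning over std types only.
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};

#[derive(Debug, PartialEq, Eq)]
pub enum Deny {
    NotAllowlisted,
    NoAddresses,
    InternalAddress(IpAddr),
    PinnedElsewhere { pinned: String, requested: String },
}

fn is_internal_v4(ip: Ipv4Addr) -> bool {
    let o = ip.octets();
    ip.is_loopback() || ip.is_private() || ip.is_link_local()
        || ip.is_unspecified() || ip.is_broadcast()
        // 100.64.0.0/10 (carrier-grade NAT) is also never a public destination
        || (o[0] == 100 && (o[1] & 0xC0) == 64)
}

fn is_internal_v6(ip: Ipv6Addr) -> bool {
    // ::ffff:a.b.c.d must be judged by its embedded IPv4 address.
    if let Some(v4) = ip.to_ipv4_mapped() { return is_internal_v4(v4); }
    let s = ip.segments();
    ip.is_loopback() || ip.is_unspecified()
        || (s[0] & 0xfe00) == 0xfc00   // fc00::/7 unique local
        || (s[0] & 0xffc0) == 0xfe80   // fe80::/10 link local
}

pub fn is_internal(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_internal_v4(v4),
        IpAddr::V6(v6) => is_internal_v6(v6),
    }
}

/// Rejects the whole resolver answer if any record is internal, so a
/// rebinding resolver cannot hide one internal record among public ones.
pub fn vet_addresses(addrs: &[SocketAddr]) -> Result<Vec<SocketAddr>, Deny> {
    if addrs.is_empty() { return Err(Deny::NoAddresses); }
    if let Some(bad) = addrs.iter().find(|a| is_internal(a.ip())) {
        return Err(Deny::InternalAddress(bad.ip()));
    }
    Ok(addrs.to_vec())
}

/// Per-client-connection state: the destination approved for the first request.
#[derive(Default)]
pub struct Connection { pinned: Option<String> }

impl Connection {
    /// Authorizes a request for `host:port` on this connection and returns the
    /// vetted socket addresses to dial. The pin is set only on success.
    pub fn authorize(
        &mut self,
        host: &str,
        port: u16,
        allowed: &dyn Fn(&str) -> bool,
        resolve: &dyn Fn(&str) -> Vec<IpAddr>,
    ) -> Result<Vec<SocketAddr>, Deny> {
        let requested = format!("{}:{}", host.to_ascii_lowercase(), port);
        if let Some(pinned) = &self.pinned {
            if *pinned != requested {
                return Err(Deny::PinnedElsewhere { pinned: pinned.clone(), requested });
            }
        }
        if !allowed(host) { return Err(Deny::NotAllowlisted); }
        let addrs: Vec<SocketAddr> = resolve(host)
            .into_iter()
            .map(|ip| SocketAddr::new(ip, port))
            .collect();
        let addrs = vet_addresses(&addrs)?;
        self.pinned = Some(requested);
        Ok(addrs)
    }
}
```

The pin is keyed on the normalized `host:port` string rather than on the resolved addresses, so a second request to the same name is re-resolved and re-vetted; a name that was public at the first request but rebinds to an internal address later is still caught.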