containers: Make sure that we only persist when we call methods like allow/deny Host

gabivlj · gabivlj · commit 435c1c039847 · 2026-04-07T14:30:21.000-05:00
diff --git a/src/lib/container.ts b/src/lib/container.ts
@@ -505,8 +505,8 @@ export class Container<Env = Cloudflare.Env> extends DurableObject<Env> {
       ctor.outboundByHost !== undefined ||
       ctor.outbound !== undefined ||
       ctor.outboundHandlers !== undefined ||
-      this.allowedHosts.length > 0 ||
-      this.deniedHosts.length > 0
+      this.effectiveAllowedHosts.length > 0 ||
+      this.effectiveDeniedHosts.length > 0
     ) {
       this.usingInterception = true;
       this.applyOutboundInterceptionPromise = this.applyOutboundInterception();
@@ -638,7 +638,7 @@ export class Container<Env = Cloudflare.Env> extends DurableObject<Env> {
    * @param hosts - Array of hostnames to allow (e.g. `['api.stripe.com', 'example.com']`)
    */
   async setAllowedHosts(hosts: string[]): Promise<void> {
-    this.allowedHosts = [...hosts];
+    this.allowedHostsOverride = [...hosts];
     this.usingInterception = true;
     await this.refreshOutboundInterception();
   }
@@ -651,7 +651,7 @@ export class Container<Env = Cloudflare.Env> extends DurableObject<Env> {
    * @param hosts - Array of hostnames to deny (e.g. `['evil.com', 'blocked.org']`)
    */
   async setDeniedHosts(hosts: string[]): Promise<void> {
-    this.deniedHosts = [...hosts];
+    this.deniedHostsOverride = [...hosts];
     this.usingInterception = true;
     await this.refreshOutboundInterception();
   }
@@ -662,8 +662,9 @@ export class Container<Env = Cloudflare.Env> extends DurableObject<Env> {
    * @param hostname - The hostname to allow (e.g. `'api.stripe.com'`)
    */
   async allowHost(hostname: string): Promise<void> {
-    if (!this.allowedHosts.includes(hostname)) {
-      this.allowedHosts = [...this.allowedHosts, hostname];
+    const effective = this.effectiveAllowedHosts;
+    if (!effective.includes(hostname)) {
+      this.allowedHostsOverride = [...effective, hostname];
     }
     this.usingInterception = true;
     await this.refreshOutboundInterception();
@@ -675,8 +676,9 @@ export class Container<Env = Cloudflare.Env> extends DurableObject<Env> {
    * @param hostname - The hostname to deny (e.g. `'evil.com'`)
    */
   async denyHost(hostname: string): Promise<void> {
-    if (!this.deniedHosts.includes(hostname)) {
-      this.deniedHosts = [...this.deniedHosts, hostname];
+    const effective = this.effectiveDeniedHosts;
+    if (!effective.includes(hostname)) {
+      this.deniedHostsOverride = [...effective, hostname];
     }
     this.usingInterception = true;
     await this.refreshOutboundInterception();
@@ -688,7 +690,7 @@ export class Container<Env = Cloudflare.Env> extends DurableObject<Env> {
    * @param hostname - The hostname to remove from the allow list
    */
   async removeAllowedHost(hostname: string): Promise<void> {
-    this.allowedHosts = this.allowedHosts.filter(h => h !== hostname);
+    this.allowedHostsOverride = this.effectiveAllowedHosts.filter(h => h !== hostname);
     await this.refreshOutboundInterception();
   }
 
@@ -698,7 +700,7 @@ export class Container<Env = Cloudflare.Env> extends DurableObject<Env> {
    * @param hostname - The hostname to remove from the deny list
    */
   async removeDeniedHost(hostname: string): Promise<void> {
-    this.deniedHosts = this.deniedHosts.filter(h => h !== hostname);
+    this.deniedHostsOverride = this.effectiveDeniedHosts.filter(h => h !== hostname);
     await this.refreshOutboundInterception();
   }
 
@@ -1301,6 +1303,10 @@ export class Container<Env = Cloudflare.Env> extends DurableObject<Env> {
   private outboundByHostOverrides: OutboundByHostOverrides = {};
   private outboundHandlerOverride?: OutboundHandlerOverride;
 
+  // Only set when the user calls setAllowedHosts/setDeniedHosts at runtime
+  private allowedHostsOverride?: string[];
+  private deniedHostsOverride?: string[];
+
   // ==========================
   //     GENERAL HELPERS
   // ==========================
@@ -1318,21 +1324,35 @@ export class Container<Env = Cloudflare.Env> extends DurableObject<Env> {
     }
   }
 
+  private get effectiveAllowedHosts(): string[] {
+    return this.allowedHostsOverride ?? this.allowedHosts;
+  }
+
+  private get effectiveDeniedHosts(): string[] {
+    return this.deniedHostsOverride ?? this.deniedHosts;
+  }
+
   private getOutboundConfiguration(): PersistedOutboundConfiguration {
+    const allowedHosts = this.effectiveAllowedHosts;
+    const deniedHosts = this.effectiveDeniedHosts;
     return {
       enableInternet: this.enableInternet,
       outboundByHostOverrides:
         Object.keys(this.outboundByHostOverrides).length > 0
           ? this.outboundByHostOverrides
           : undefined,
       outboundHandlerOverride: this.outboundHandlerOverride,
-      allowedHosts: this.allowedHosts.length > 0 ? this.allowedHosts : undefined,
-      deniedHosts: this.deniedHosts.length > 0 ? this.deniedHosts : undefined,
+      allowedHosts: allowedHosts.length > 0 ? allowedHosts : undefined,
+      deniedHosts: deniedHosts.length > 0 ? deniedHosts : undefined,
     };
   }
 
   private persistOutboundConfiguration(configuration: PersistedOutboundConfiguration): void {
-    this.ctx.storage.kv.put(OUTBOUND_CONFIGURATION_KEY, configuration);
+    this.ctx.storage.kv.put(OUTBOUND_CONFIGURATION_KEY, {
+      ...configuration,
+      allowedHosts: this.allowedHostsOverride,
+      deniedHosts: this.deniedHostsOverride,
+    });
   }
 
   private restoreOutboundConfiguration(): PersistedOutboundConfiguration | undefined {
@@ -1371,11 +1391,11 @@ export class Container<Env = Cloudflare.Env> extends DurableObject<Env> {
     }
 
     if (configuration.allowedHosts) {
-      this.allowedHosts = configuration.allowedHosts;
+      this.allowedHostsOverride = configuration.allowedHosts;
     }
 
     if (configuration.deniedHosts) {
-      this.deniedHosts = configuration.deniedHosts;
+      this.deniedHostsOverride = configuration.deniedHosts;
     }
 
     return this.getOutboundConfiguration();
@@ -1414,11 +1434,11 @@ export class Container<Env = Cloudflare.Env> extends DurableObject<Env> {
       hosts.add(hostname);
     }
 
-    for (const hostname of this.allowedHosts) {
+    for (const hostname of this.effectiveAllowedHosts) {
       hosts.add(hostname);
     }
 
-    for (const hostname of this.deniedHosts) {
+    for (const hostname of this.effectiveDeniedHosts) {
       hosts.add(hostname);
     }
 
