docs: Fix regex matching security issue in shell whitelist

docs/guide/rule-engines/javascript.md

@@ -88,6 +88,50 @@ r.host === 'api.example.com' && r.path.startsWith('/v1/public/')
 ['GET', 'HEAD', 'OPTIONS'].includes(r.method)
 ```
 
+### Host Whitelist
+
+```javascript
+// Simple host whitelist
+const allowedHosts = [
+  'github.com',
+  'api.github.com',
+  'raw.githubusercontent.com',
+  'codeload.github.com'
+];
+
+allowedHosts.includes(r.host)
+```
+
+### Host + Method Whitelist
+
+```javascript
+// Allow specific methods only for certain hosts
+const rules = [
+  {host: 'api.github.com', methods: ['GET', 'POST']},
+  {host: 'github.com', methods: ['GET']},
+  {host: 'uploads.github.com', methods: ['POST', 'PUT']}
+];
+
+rules.some(rule => 
+  rule.host === r.host && rule.methods.includes(r.method)
+)
+```
+
+### Regexp Matching on Method + URL
+
+```javascript
+// Whitelist patterns for METHOD + URL combinations
+const patterns = [
+  /^GET api\.github\.com\/repos\/.+/,
+  /^POST api\.example\.com\/v[12]\/.*/,
+  /^(GET|HEAD) .*\.cdn\.example\.com\/.*\.(jpg|png|gif)/
+];
+
+// Build request string using host and path for simpler patterns
+const requestString = `${r.method} ${r.host}${r.path}`;
+patterns.some(pattern => pattern.test(requestString))
+```
+
 ## When to Use
 
 Best for:
@@ -97,4 +141,4 @@ Best for:
 
 Avoid for:
 - Stateful processing (use line processor)
-- External integrations (use shell or line processor)
+- External integrations (use shell or line processor)

docs/guide/rule-engines/shell.md

@@ -60,17 +60,41 @@ esac
 
 ### Domain Allowlist
 
+Command:
 ```bash
-#!/bin/sh
-# Check against allowed domains
-ALLOWED="api.github.com api.gitlab.com"
+httpjail --sh "./rules.sh" -- curl https://api.github.com/repos
+```
 
-for domain in $ALLOWED; do
-    [ "$HTTPJAIL_HOST" = "$domain" ] && exit 0
-done
+In `whitelist.txt`:
+```
+api.github.com
+github.com
+raw.githubusercontent.com
+api.gitlab.com
+gitlab.com
+```
 
-echo "Domain not allowed"
-exit 1
+In `rules.sh`:
+```bash
+#!/bin/sh
+# Check if host is in whitelist file
+
+# Read whitelist file (one domain per line)
+WHITELIST_FILE="./whitelist.txt"
+
+# Check if whitelist file exists
+if [ ! -f "$WHITELIST_FILE" ]; then
+    echo "Whitelist file not found: $WHITELIST_FILE"
+    exit 1
+fi
+
+# Check if current host is in the whitelist (exact match)
+if grep -Fxq "$HTTPJAIL_HOST" "$WHITELIST_FILE"; then
+    exit 0  # Allow
+else
+    echo "Host $HTTPJAIL_HOST not in whitelist"
+    exit 1  # Deny
+fi
 ```
 
 ### Method-Based Restrictions
@@ -158,4 +182,4 @@ Avoid for:
 - High-throughput scenarios (use line processor mode)
 - Simple logic (use JavaScript)
 
-For high-throughput scenarios, consider the [Line Processor](./line-processor.md) mode which maintains a single process.
+For high-throughput scenarios, consider the [Line Processor](./line-processor.md) mode which maintains a single process.