hyperlight-sandbox/src/wasm_sandbox/examples/python_network_demo.rs at main · hyperlight-dev/hyperlight-sandbox · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
//! Network access demo — tests network allow/deny for the Python Wasm sandbox.

use std::path::Path;

use hyperlight_sandbox::SandboxBuilder;
use hyperlight_wasm_sandbox::Wasm;

fn python_guest_path() -> String {
    Path::new(env!("CARGO_MANIFEST_DIR"))
        .join("guests/python/python-sandbox.aot")
        .display()
        .to_string()
}

fn separator(title: &str) {
    println!("\n{}", "═".repeat(60));
    println!("{title}");
    println!("{}", "═".repeat(60));
}

fn main() {
    let mut sandbox = SandboxBuilder::new()
        .guest(Wasm)
        .module_path(python_guest_path())
        .build()
        .expect("failed to create sandbox");
    sandbox
        .allow_domain(
            "https://httpbin.org",
            vec![hyperlight_sandbox::HttpMethod::Get],
        )
        .unwrap();

    separator("Test 1: Network access denied without permissions");
    let result = sandbox
        .run(
            r#"
try:
    resp = http_get("https://notallowed.example")
    print(f"Got response: {resp['status']}")
except Exception as e:
    print(f"Network blocked: {type(e).__name__}: {e}")
    print("  (notallowed.example is not in the allowlist — correct!)")
"#,
        )
        .expect("test 1 failed");
    print!("{}", result.stdout);
    assert!(
        result.stdout.contains("Network blocked"),
        "test 1: expected network access to be blocked"
    );

    separator("Test 2: Network access to allowed domain (WASI-HTTP)");
    let result = sandbox
        .run(
            r#"
resp = http_get("https://httpbin.org/get")
print(f"HTTP status: {resp['status']}")
print(f"Response body (first 200 chars):")
print(resp['body'][:200])
"#,
        )
        .expect("test 2 failed");
    print!("{}", result.stdout);
    assert_eq!(
        result.exit_code,
        0,
        "test 2: network access to allowed domain failed\nstderr: {}",
        &result.stderr[..result.stderr.len().min(300)]
    );

    separator("Test 3: Method filtering — GET allowed, POST blocked");
    let result = sandbox
        .run(
            r#"
try:
    resp = http_get("https://httpbin.org/get")
    print(f"GET allowed: status {resp['status']}")
except Exception as e:
    print(f"GET failed: {e}")

try:
    resp = http_post("https://httpbin.org/post", body='{"test": 1}')
    print(f"POST allowed: status {resp['status']}")
except Exception as e:
    print(f"POST blocked: {e}")
    print("  (httpbin.org only allows GET — correct!)")
"#,
        )
        .expect("test 3 failed");
    print!("{}", result.stdout);
    assert!(
        result.stdout.contains("POST blocked"),
        "test 3: expected POST to be blocked"
    );

    separator("All tests passed!");
}