Skip to content

feat: make allow-domains optional (blocks all traffic when not specified)#80

Closed
Copilot wants to merge 7 commits intomainfrom
copilot/make-allow-domains-optional
Closed

feat: make allow-domains optional (blocks all traffic when not specified)#80
Copilot wants to merge 7 commits intomainfrom
copilot/make-allow-domains-optional

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Dec 2, 2025
edited
Loading

Makes the --allow-domains argument optional. When no domains are specified, all outbound traffic is blocked by default for security.

Changes Made

CLI (src/cli.ts)

  • Removed requirement for at least one domain to be specified
  • Added warnings when no domains specified: 
    ⚠️  WARNING: No domains specified - all outbound traffic will be BLOCKED
    Use --allow-domains or --allow-domains-file to allow specific domains
  • Domain validation is conditional (only runs when domains are provided)
  • Log message updated: Allowed domains: (none specified - all traffic blocked)

Squid Config Generator (src/squid-config.ts)

  • Handles empty domains array by generating "deny all" rule
  • When domains array is empty: blocks all outbound traffic
  • When domains are specified: supports plain domains and wildcard patterns using dstdomain and dstdom_regex ACLs

Tests (src/squid-config.test.ts)

  • Added "Empty Domains (Block All)" test suite
  • Validates that empty domains array results in traffic being blocked
  • All 350 tests passing

Behavior

  • With domains specified: Traffic restricted to allowed domains (supports wildcards like *.github.com)
  • Without domains specified: All outbound traffic is blocked (secure by default)

Integration with Main Branch

Merged latest changes from main (v0.6.0):

  • Wildcard domain support (*.github.com, api-*.example.com)
  • DNS server restrictions via --dns-servers flag
  • Log management features
  • Domain pattern validation via validateDomainOrPattern()

Testing

  • ✅ All 350 tests passing
  • ✅ Build successful
  • ✅ Linting passes
  • ✅ CodeQL security scan (no issues)
  • ✅ Manual verification of blocking behavior when no domains specified

Example

# Without domains - blocks all traffic
awf -- curl https://anywhere.com  # Blocked with warnings

# With domains - allows specified domains
awf --allow-domains github.com -- curl https://api.github.com  # Allowed

# With wildcards
awf --allow-domains "*.github.com,api-*.example.com" -- curl https://api.github.com  # Allowed
Original prompt

make allow-domains a not required argument

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 3 commits December 2, 2025 01:27
@Mossaka
feat: make allow-domains argument optional
91e1fd1 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
@Mossaka
docs: improve security warning messages for no domains
d3e4731 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
@Mossaka
fix: improve grammar in warning messages
10b7804 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title [WIP] Make allow-domains argument optional feat: make allow-domains optional Dec 2, 2025
Copilot AI requested a review from Mossaka December 2, 2025 01:35
@Mossaka Mossaka marked this pull request as ready for review December 2, 2025 23:59
@Mossaka
Copy link
Copy Markdown
Collaborator

Mossaka commented Dec 3, 2025

@copilot pull the latest from main branch and commit and push

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Dec 3, 2025

Test Coverage Report

Metric Coverage Covered/Total
Lines 49.01% 275/561
Statements 48.78% 280/574
Functions 54.83% 34/62
Branches 41.43% 75/181
Coverage Thresholds

The project has the following coverage thresholds configured:

  • Lines: 38%
  • Statements: 38%
  • Functions: 35%
  • Branches: 30%

Coverage report generated by `npm run test:coverage`

Mossaka
Mossaka requested changes Dec 3, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@Mossaka Mossaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot please address all the comments

src/cli.ts Outdated
if (allowedDomains.length > 0) {
logger.info(`Allowed domains: ${allowedDomains.join(', ')}`);
} else {
logger.info('Allowed domains: (all domains allowed)');
Copy link
Copy Markdown
Collaborator

@Mossaka Mossaka Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't this be "all domains are not allowed?"

Copy link
Copy Markdown
Contributor Author

Copilot AI Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in commit 0305e94. Changed the message from "(all domains allowed)" to "(none specified - all traffic allowed)" to make it clearer that when no domains are specified, the firewall allows all traffic (no filtering is applied).

Copy link
Copy Markdown
Collaborator

@Mossaka Mossaka Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot I thought when no domains are specified, then everything should be blocked, that's not the case?

Copy link
Copy Markdown
Contributor Author

Copilot AI Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right to question this! The current implementation allows all traffic when no domains are specified (with warnings).

However, blocking all traffic when no domains are specified would be more secure. The original requirement said "make allow-domains optional" which I interpreted as allowing the tool to run without domains, but I can change it to block everything instead.

Which behavior would you prefer?

  1. Current (permissive): No domains = allow all traffic with warnings
  2. Secure (restrictive): No domains = block all traffic

If you want option 2, I'll update the code to block all traffic when no domains are specified.

Copy link
Copy Markdown
Collaborator

@Mossaka Mossaka Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I want option 2 @copilot

Copy link
Copy Markdown
Contributor Author

Copilot AI Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implemented option 2 in commit 7532d22! When no domains are specified, all outbound traffic is now BLOCKED.

The changes include:

  • Warning message: "⚠️ WARNING: No domains specified - all outbound traffic will be BLOCKED"
  • Log message: "Allowed domains: (none specified - all traffic blocked)"
  • Squid config: Generates "deny all" rule when domains array is empty
  • Tests updated to verify blocking behavior

All 350 tests passing.

@Mossaka
chore: merge latest changes from main branch
651576e 
Integrates wildcard domain support and DNS server restrictions from main
with the optional domains feature. Resolves merge conflicts by combining
both features - domains are now optional, and when specified, support
wildcards like *.github.com and api-*.example.com.

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copy link
Copy Markdown
Contributor Author

Copilot AI commented Dec 3, 2025

@copilot pull the latest from main branch and commit and push

Done! Merged latest changes from main branch in commit 651576e.

The merge integrates:

  • Wildcard domain support (.github.com, api-.example.com)
  • DNS server restrictions
  • Our optional domains feature

All 259 tests passing. The optional domains feature now works with wildcards - when domains are specified, they're validated for wildcard patterns, and when no domains are specified, all traffic is allowed with security warnings.

Copilot AI requested a review from Mossaka December 3, 2025 00:12
@Mossaka
fix: clarify log message for empty domains
0305e94 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copy link
Copy Markdown
Contributor Author

Copilot AI commented Dec 3, 2025

@copilot please address all the comments

Addressed the code review comment in commit 0305e94. The log message at line 520 now reads "(none specified - all traffic allowed)" to clarify that when no domains are provided, all traffic is allowed.

@Mossaka
chore: merge main and change behavior to block all when no domains
7532d22 
- Merged latest changes from main branch (v0.6.0) including log management features
- Changed behavior: when no domains specified, all traffic is now BLOCKED (option 2)
- Updated warning messages to reflect blocking behavior
- Updated tests to match new blocking behavior
- All 350 tests passing

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copy link
Copy Markdown
Contributor Author

Copilot AI commented Dec 4, 2025

@copilot pull the latest from main branch and commit and push

Done in commit 7532d22! Merged latest from main branch (v0.6.0) which includes log management features and other improvements.

Copilot AI changed the title feat: make allow-domains optional feat: make allow-domains optional (blocks all traffic when not specified) Dec 4, 2025
@Mossaka Mossaka closed this Dec 4, 2025
@github-actions github-actions bot mentioned this pull request Apr 5, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mossaka Mossaka Awaiting requested review from Mossaka Mossaka is a code owner

Assignees

@Mossaka Mossaka

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Mossaka