test(sandbox): reject malformed proxy hostnames #1562

Open
mjamiv wants to merge 2 commits into NVIDIA:main from mjamiv:test/proxy-hostname-parser-differentials

Conversation

@mjamiv
Contributor

@mjamiv mjamiv commented May 25, 2026

Summary

  • reject malformed CONNECT host authorities before policy/DNS handling
  • make OPA network evaluation fail closed for unsafe host strings
  • add regression coverage for NUL/control, percent-encoded, slash, and backslash hostname differentials against wildcard policies

Fixes #1498.

Testing

  • cargo fmt --all -- --check
  • git diff --check
  • cargo test -p openshell-sandbox malformed
  • cargo test -p openshell-sandbox --lib
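An added example, not code from the openshell-sandbox crate or from this PR: a fail-closed validator for the host part of a CONNECT authority covering the NUL/control, percent-encoded, slash and backslash cases listed above, a wildcard matcher that only ever sees validated hosts, and the naive suffix check that such differentials slip past. All function and type names are assumptions.

```rust
/// Why a CONNECT host authority is rejected before any policy or DNS work.
#[derive(Debug, PartialEq)]
pub enum HostError { Empty, ControlByte(u8), PercentEncoded, Slash, Backslash, BadChar(char), BadLabel }
/// Fail-closed host validation: only plain DNS-style hostnames pass, normalised
/// to lowercase without a trailing dot. Everything else is an error.
pub fn validate_host(host: &str) -> Result<String, HostError> {
    if host.is_empty() { return Err(HostError::Empty); }
    // NUL and other control bytes: a C resolver stops at the NUL and sees a different name.
    if let Some(b) = host.bytes().find(|b| *b < 0x20 || *b == 0x7f) {
        return Err(HostError::ControlByte(b));
    }
    // Percent-encoding, slashes and backslashes are decoded or split differently by
    // different parsers, so they are rejected outright rather than interpreted.
    if host.contains('%') { return Err(HostError::PercentEncoded); }
    if host.contains('/') { return Err(HostError::Slash); }
    if host.contains('\\') { return Err(HostError::Backslash); }
    let lower = host.to_ascii_lowercase();
    let trimmed = lower.strip_suffix('.').unwrap_or(lower.as_str());
    for label in trimmed.split('.') {
        if label.is_empty() || label.len() > 63 || label.starts_with('-') || label.ends_with('-') {
            return Err(HostError::BadLabel);
        }
        if let Some(c) = label.chars().find(|c| !(c.is_ascii_alphanumeric() || *c == '-')) {
            return Err(HostError::BadChar(c));
        }
    }
    Ok(trimmed.to_string())
}
/// Wildcard policy match on an already-validated host: "*.example.com" matches
/// subdomains only, never the apex and never "evilexample.com".
pub fn wildcard_allows(pattern: &str, host: &str) -> bool {
    match pattern.strip_prefix("*.") {
        Some(suffix) => host.len() > suffix.len() && host.ends_with(suffix)
            && host.as_bytes()[host.len() - suffix.len() - 1] == b'.',
        None => pattern == host,
    }
}
/// The differential the regression tests guard against: a raw suffix check on the
/// unvalidated string accepts a host that DNS or a downstream proxy parses differently.
pub fn naive_allows(pattern: &str, raw_host: &str) -> bool {
    pattern.strip_prefix('*').map_or(pattern == raw_host, |suffix| raw_host.ends_with(suffix))
}
/// Fail-closed decision: malformed input is denied before any pattern is consulted.
pub fn decide(allow_patterns: &[&str], raw_host: &str) -> bool {
    match validate_host(raw_host) {
        Ok(host) => allow_patterns.iter().any(|p| wildcard_allows(p, &host)),
        Err(_) => false,
    }
}
```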

@mjamiv mjamiv requested review from a team, derekwaynecarr, maxamillion and mrunalp as code owners May 25, 2026 21:56
@copy-pr-bot

copy-pr-bot Bot commented May 25, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@mjamiv mjamiv force-pushed the test/proxy-hostname-parser-differentials branch from c36faac to 9ce9fde Compare May 26, 2026 23:17
@mjamiv mjamiv force-pushed the test/proxy-hostname-parser-differentials branch from 9ce9fde to eee1f72 Compare May 29, 2026 03:38
Comment thread on crates/openshell-sandbox/src/opa.rs (outdated)
&self,
input: &NetworkInput,
) -> Result<(NetworkAction, u64)> {
let generation = self.current_generation();
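Review bot: `generation` is read from `self.current_generation()` at function entry, before the evaluation that produces the `NetworkAction`, so the `u64` returned alongside it can describe a different engine state than the one that actually made the decision if a reload lands in between. Capture the generation under the same engine lock as the evaluation, and keep the malformed-host early deny independent of that capture.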
Collaborator


Was this moved for a specific reason? This could return a generation that doesn't map to the engine snapshot actually used for policy eval if a policy reload happens between reload and a policy reload. Off chance but non-zero. Can we keep the malformed-host fast deny separate and move generation capture back under the engine lock?

@johntmyers
Collaborator

@mjamiv one small question but otherwise looking good

@mjamiv
Contributor Author

mjamiv commented Jun 2, 2026

Addressed the generation-capture review note in bb0875b.

What changed:

  • malformed-host fast deny stays before policy evaluation
  • policy-evaluated network actions now capture the generation after acquiring the OPA engine lock again, so the generation maps to the engine snapshot used for eval

Validation passed:

  • cargo test -p openshell-sandbox malformed
  • cargo test -p openshell-sandbox --lib
  • cargo fmt --all -- --check
  • git diff --check

@johntmyers johntmyers added gator:in-review Gator is reviewing or awaiting PR review feedback test:e2e Requires end-to-end coverage gator:watch-pipeline Gator is monitoring PR CI/CD status and removed gator:in-review Gator is reviewing or awaiting PR review feedback labels Jun 3, 2026
@johntmyers
Collaborator

gator-agent

PR Review Status

Validation: project-valid because this is a focused sandbox proxy/policy security regression fix linked to review-ready issue #1498.
Head SHA: bb0875b58ea7c159ee999c5654639d67605ee765

Review findings:

  • No blocking findings remain. The prior generation-capture review note is addressed for evaluated policy actions.

Docs: no Fern docs change required; this is fail-closed validation for malformed unsafe host input, and maintainer-authored issue #1498 records no docs impact expected for this internal regression/security coverage.

Tests: test:e2e applied because the change affects network proxy behavior and policy enforcement.

Next state: gator:watch-pipeline

/ok to test bb0875b

@github-actions

github-actions Bot commented Jun 3, 2026

Label test:e2e applied, but pull-request/1562 is at {"messa while the PR head is bb0875b. A maintainer needs to comment /ok to test bb0875b58ea7c159ee999c5654639d67605ee765 to refresh the mirror. Once the mirror catches up, re-run Branch E2E Checks from the Actions tab.

@johntmyers
Collaborator

gator-agent

/ok to test bb0875b

@johntmyers
Collaborator

/ok to test bb0875b

@johntmyers
Collaborator

gator-agent

Follow-Up Needed

I cannot move this PR past pipeline watch yet because OpenShell / Branch Checks failed in the mise Lockfile job: mise.lock is out of sync with mise.toml.

The PR only changes crates/openshell-sandbox/src/opa.rs and crates/openshell-sandbox/src/proxy.rs, but the branch is currently 39 commits behind main; mise.toml matches main while mise.lock does not. Please update or rebase the PR branch onto current main so the current lockfile is included, then push the updated branch. If the original submitter or a maintainer does not respond within 48 business hours, this may be closed as not planned. Weekend hours do not count toward the TTL.

I will keep watching the PR after the update.

@johntmyers johntmyers added gator:follow-up-needed Gator needs submitter or maintainer follow-up and removed gator:watch-pipeline Gator is monitoring PR CI/CD status labels Jun 3, 2026

Development

Successfully merging this pull request may close these issues.

test: add regression coverage for proxy hostname parser differentials