Incorporate existing SNI into allow/ignore decision, fix #5064 (#7002)

* incorporate existing SNI into allow/ignore decision, fix #5064 * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2024-11-26 23:00:40 +00:00 · 2024-07-06 00:19:55 +02:00 · 2024-07-06 00:19:55 +02:00 · 5353df5f1e
commit 5353df5f1e
parent 7fdf111feb
4 changed files with 29 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -11,6 +11,8 @@
  ([#6935](https://github.com/mitmproxy/mitmproxy/pull/6935), @errorxyz)
 * Fix non-linear growth in processing time for large HTTP bodies.
  ([#6952](https://github.com/mitmproxy/mitmproxy/pull/6952), @jackfromeast)
+* Fix a bug where connections would be incorrectly ignored with `allow_hosts`
+  ([#7002](https://github.com/mitmproxy/mitmproxy/pull/7002), @JarLob, @mhils)
 * Fix zstd decompression to read across frames.
  ([#6921](https://github.com/mitmproxy/mitmproxy/pull/6921), @zendai)
 * Add `HttpConnectedHook` and `HttpConnectErrorHook`.
--- a/mitmproxy/addons/next_layer.py
+++ b/mitmproxy/addons/next_layer.py
@ -225,6 +225,9 @@ class NextLayer:
                client_hello := self._get_client_hello(context, data_client)
            ) and client_hello.sni:
                hostnames.append(f"{client_hello.sni}:{port}")
+            if context.client.sni:
+                # Hostname may be allowed, TLS is already established, and we have another next layer decision.
+                hostnames.append(f"{context.client.sni}:{port}")

        if not hostnames:
            return False
--- a/test/helper_tools/loggrep.py
+++ b/test/helper_tools/loggrep.py
@ -11,7 +11,7 @@ if __name__ == "__main__":
    port = sys.argv[1]
    matches = False
    for line in fileinput.input(sys.argv[2:]):
-        if re.match(r"^\[|(\d+\.){3}", line):
+        if re.search(r"^\[|(\d+\.){3}", line):
            matches = port in line
        if matches:
            print(line, end="")
--- a/test/mitmproxy/addons/test_next_layer.py
+++ b/test/mitmproxy/addons/test_next_layer.py
@ -283,6 +283,24 @@ class TestNextLayer:
                True,
                id="allow: ignore",
            ),
+            pytest.param(
+                [],
+                ["example.com"],
+                "tcp",
+                "192.0.2.1",
+                client_hello_with_extensions,
+                False,
+                id="allow: sni",
+            ),
+            pytest.param(
+                [],
+                ["existing-sni.example"],
+                "tcp",
+                "192.0.2.1",
+                b"",
+                False,
+                id="allow: sni from parent layer",
+            ),
            pytest.param(
                [],
                ["example.com"],
@ -329,7 +347,11 @@ class TestNextLayer:
            if allow:
                tctx.configure(nl, allow_hosts=allow)
            ctx = Context(
-                Client(peername=("192.168.0.42", 51234), sockname=("0.0.0.0", 8080)),
+                Client(
+                    peername=("192.168.0.42", 51234),
+                    sockname=("0.0.0.0", 8080),
+                    sni="existing-sni.example",
+                ),
                tctx.options,
            )
            ctx.client.transport_protocol = transport_protocol