Skip to content

test: add --block-domains integration tests #1051

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Mossaka merged 2 commits into from
Feb 25, 2026
Merged

test: add --block-domains integration tests #1051

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
eee49f3
test: add --block-domains integration tests
Mossaka Feb 25, 2026
85e27f7
test: verify both blocked domains in multiple-domains test
Mossaka Feb 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions tests/fixtures/awf-runner.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ type ExecaReturnValue = execa.ExecaReturnValue<string>;

export interface AwfOptions {
allowDomains?: string[];
blockDomains?: string[];
keepContainers?: boolean;
logLevel?: 'debug' | 'info' | 'warn' | 'error';
buildLocal?: boolean;
Expand Down Expand Up @@ -52,6 +53,11 @@ export class AwfRunner {
args.push('--allow-domains', options.allowDomains.join(','));
}

// Add block-domains
if (options.blockDomains && options.blockDomains.length > 0) {
args.push('--block-domains', options.blockDomains.join(','));
}

// Add other flags
if (options.keepContainers) {
args.push('--keep-containers');
Expand Down Expand Up @@ -206,6 +212,11 @@ export class AwfRunner {
args.push('--allow-domains', options.allowDomains.join(','));
}

// Add block-domains
if (options.blockDomains && options.blockDomains.length > 0) {
args.push('--block-domains', options.blockDomains.join(','));
}

// Add other flags
if (options.keepContainers) {
args.push('--keep-containers');
Expand Down
97 changes: 97 additions & 0 deletions tests/integration/blocked-domains.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -183,3 +183,100 @@ describe('Domain Allowlist Edge Cases', () => {
expect(result.stdout).toMatch(/blocked|error|fail/i);
}, 120000);
});

describe('Block Domains Deny-List (--block-domains)', () => {
let runner: AwfRunner;

beforeAll(async () => {
await cleanup(false);
runner = createRunner();
});

afterAll(async () => {
await cleanup(false);
});

test('should block specific subdomain while allowing parent domain', async () => {
const result = await runner.runWithSudo(
'curl -f --max-time 10 https://api.github.com/zen',
{
allowDomains: ['github.com'],
blockDomains: ['api.github.com'],
logLevel: 'debug',
timeout: 60000,
}
);
expect(result).toFail();
}, 120000);

test('should still allow non-blocked subdomains when parent is allowed', async () => {
const result = await runner.runWithSudo(
'curl -f --max-time 10 https://github.com',
{
allowDomains: ['github.com'],
blockDomains: ['api.github.com'],
logLevel: 'debug',
timeout: 60000,
}
);
expect(result).toSucceed();
}, 120000);

test('should block domain that is also in the allow list (block takes precedence)', async () => {
const result = await runner.runWithSudo(
'curl -f --max-time 5 https://example.com',
{
allowDomains: ['example.com'],
blockDomains: ['example.com'],
logLevel: 'debug',
timeout: 60000,
}
);
expect(result).toFail();
}, 120000);

test('should block wildcard pattern while allowing parent domain', async () => {
const result = await runner.runWithSudo(
'curl -f --max-time 10 https://api.github.com/zen',
{
allowDomains: ['github.com'],
blockDomains: ['*.github.com'],
logLevel: 'debug',
timeout: 60000,
}
);
expect(result).toFail();
}, 120000);

test('should handle multiple blocked domains', async () => {
const result = await runner.runWithSudo(
'bash -c "' +
'curl -f --max-time 10 https://api.github.com/zen 2>&1; api_exit=$?; ' +
'curl -f --max-time 10 https://raw.githubusercontent.com 2>&1; raw_exit=$?; ' +
'echo api_exit=$api_exit raw_exit=$raw_exit"',
{
allowDomains: ['github.com', 'githubusercontent.com'],
blockDomains: ['api.github.com', 'raw.githubusercontent.com'],
logLevel: 'debug',
timeout: 60000,
}
);
// Both blocked domains should fail even though their parent domains are allowed
expect(result.stdout).not.toContain('api_exit=0');
expect(result.stdout).not.toContain('raw_exit=0');
}, 120000);
Comment on lines +251 to +267
Copy link

Copilot AI Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test verifies that multiple blocked domains can be configured, but only tests that one domain (api.github.com) is actually blocked. Consider testing both blocked domains to ensure the configuration works correctly for all entries. For example, you could use a bash command that tries to curl both api.github.com and raw.githubusercontent.com and verifies that both fail.

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Collaborator Author

@Mossaka Mossaka Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 85e27f7. Updated the test to curl both api.github.com and raw.githubusercontent.com, and added githubusercontent.com to allowDomains so the blocklist (not the allowlist) is what causes the failures.


test('should show blocked domains in debug output', async () => {
const result = await runner.runWithSudo(
'echo "test"',
{
allowDomains: ['github.com'],
blockDomains: ['api.github.com'],
logLevel: 'debug',
timeout: 60000,
}
);
expect(result).toSucceed();
expect(result.stderr).toMatch(/[Bb]locked domains:/i);
}, 120000);
});
Loading