Merge pull request #533 from MarkOtzen/port-blocking

Mzack9999 · web-flow · commit 9d4035718343 · 2026-03-19T03:22:32.000+01:00
Implement OnValidateTarget callback for target validation hooking
diff --git a/fastdialer/dialer_private.go b/fastdialer/dialer_private.go
@@ -10,6 +10,7 @@ import (
 	"log/slog"
 	"net"
 	"os"
+	"strconv"
 	"strings"
 	"sync/atomic"
 	"time"
@@ -127,15 +128,30 @@ func (d *Dialer) dial(ctx context.Context, opts *dialOptions) (conn net.Conn, er
 
 		filteredIPs := []string{}
 
+		portInt, _ := strconv.Atoi(port)
+
 		// filter valid/invalid ips
 		for _, ip := range IPS {
-			// check if we have allow/deny list
 			if !d.networkpolicy.Validate(ip) {
 				if d.options.OnInvalidTarget != nil {
 					d.options.OnInvalidTarget(hostname, ip, port)
 				}
 				continue
 			}
+			if !d.validatePort(portInt) {
+				if d.options.OnInvalidTarget != nil {
+					d.options.OnInvalidTarget(hostname, ip, port)
+				}
+				continue
+			}
+			if d.options.OnValidateTarget != nil {
+				if err := d.options.OnValidateTarget(hostname, ip, port); err != nil {
+					if d.options.OnInvalidTarget != nil {
+						d.options.OnInvalidTarget(hostname, ip, port)
+					}
+					continue
+				}
+			}
 			if d.options.OnBeforeDial != nil {
 				d.options.OnBeforeDial(hostname, ip, port)
 			}
@@ -436,3 +452,20 @@ func closeAfterTimeout(d time.Duration, c ...io.Closer) context.CancelFunc {
 
 	return ctxDone
 }
+
+func (d *Dialer) validatePort(port int) bool {
+	for _, p := range d.options.DenyPortList {
+		if p == port {
+			return false
+		}
+	}
+	if len(d.options.AllowPortList) > 0 {
+		for _, p := range d.options.AllowPortList {
+			if p == port {
+				return true
+			}
+		}
+		return false
+	}
+	return true
+}
diff --git a/fastdialer/dialer_private_test.go b/fastdialer/dialer_private_test.go
@@ -96,7 +96,7 @@ func TestDial(t *testing.T) {
 		if err != nil {
 			t.Fatalf("Failed to start listener: %v", err)
 		}
-		defer listener.Close()
+		defer func() { _ = listener.Close() }()
 
 		serverAddr := listener.Addr().String()
 
@@ -109,7 +109,7 @@ func TestDial(t *testing.T) {
 
 				// hold conn w/o completing handshake
 				time.Sleep(5 * time.Second)
-				conn.Close()
+				_ = conn.Close()
 			}
 		}()
 
@@ -138,7 +138,7 @@ func TestDial(t *testing.T) {
 		if err != nil {
 			t.Fatalf("Failed to start listener: %v", err)
 		}
-		defer listener.Close()
+		defer func() { _ = listener.Close() }()
 
 		serverAddr := listener.Addr().String()
 
@@ -149,7 +149,7 @@ func TestDial(t *testing.T) {
 					return
 				}
 				time.Sleep(5 * time.Second)
-				conn.Close()
+				_ = conn.Close()
 			}
 		}()
 
diff --git a/fastdialer/dialer_test.go b/fastdialer/dialer_test.go
@@ -2,6 +2,8 @@ package fastdialer
 
 import (
 	"context"
+	"errors"
+	"sync"
 	"testing"
 )
 
@@ -57,3 +59,216 @@ func testDialer(t *testing.T, options Options) {
 		t.Error("no A results found")
 	}
 }
+
+func TestDialerPortPolicy(t *testing.T) {
+	t.Run("DenyPortBlocks", func(t *testing.T) {
+		options := DefaultOptions
+		options.DenyPortList = []int{80}
+
+		fd, err := NewDialer(options)
+		if err != nil {
+			t.Fatalf("couldn't create fastdialer instance: %s", err)
+		}
+		defer fd.Close()
+
+		ctx := context.Background()
+		conn, err := fd.Dial(ctx, "tcp", "www.projectdiscovery.io:80")
+		if conn != nil {
+			_ = conn.Close()
+		}
+		if err != NoAddressAllowedError {
+			t.Fatalf("expected NoAddressAllowedError for denied port, got: %v", err)
+		}
+	})
+
+	t.Run("DenyPortAllowsOther", func(t *testing.T) {
+		options := DefaultOptions
+		options.DenyPortList = []int{8081}
+
+		fd, err := NewDialer(options)
+		if err != nil {
+			t.Fatalf("couldn't create fastdialer instance: %s", err)
+		}
+		defer fd.Close()
+
+		ctx := context.Background()
+		conn, err := fd.Dial(ctx, "tcp", "www.projectdiscovery.io:80")
+		if err != nil || conn == nil {
+			t.Fatalf("expected connection to succeed on non-denied port, got: %v", err)
+		}
+		_ = conn.Close()
+	})
+
+	t.Run("AllowPortPermits", func(t *testing.T) {
+		options := DefaultOptions
+		options.AllowPortList = []int{80, 443}
+
+		fd, err := NewDialer(options)
+		if err != nil {
+			t.Fatalf("couldn't create fastdialer instance: %s", err)
+		}
+		defer fd.Close()
+
+		ctx := context.Background()
+		conn, err := fd.Dial(ctx, "tcp", "www.projectdiscovery.io:80")
+		if err != nil || conn == nil {
+			t.Fatalf("expected connection to succeed on allowed port, got: %v", err)
+		}
+		_ = conn.Close()
+	})
+
+	t.Run("AllowPortBlocksOther", func(t *testing.T) {
+		options := DefaultOptions
+		options.AllowPortList = []int{443}
+
+		fd, err := NewDialer(options)
+		if err != nil {
+			t.Fatalf("couldn't create fastdialer instance: %s", err)
+		}
+		defer fd.Close()
+
+		ctx := context.Background()
+		conn, err := fd.Dial(ctx, "tcp", "www.projectdiscovery.io:80")
+		if conn != nil {
+			_ = conn.Close()
+		}
+		if err != NoAddressAllowedError {
+			t.Fatalf("expected NoAddressAllowedError for non-allowed port, got: %v", err)
+		}
+	})
+
+	t.Run("NoPortPolicyUnchanged", func(t *testing.T) {
+		options := DefaultOptions
+
+		fd, err := NewDialer(options)
+		if err != nil {
+			t.Fatalf("couldn't create fastdialer instance: %s", err)
+		}
+		defer fd.Close()
+
+		ctx := context.Background()
+		conn, err := fd.Dial(ctx, "tcp", "www.projectdiscovery.io:80")
+		if err != nil || conn == nil {
+			t.Fatalf("expected connection to succeed without port policy, got: %v", err)
+		}
+		_ = conn.Close()
+	})
+
+	t.Run("DenyPortTriggersOnInvalidTarget", func(t *testing.T) {
+		options := DefaultOptions
+		options.DenyPortList = []int{80}
+
+		var invalidCalled bool
+		var mu sync.Mutex
+		options.OnInvalidTarget = func(hostname, ip, port string) {
+			mu.Lock()
+			invalidCalled = true
+			mu.Unlock()
+		}
+
+		fd, err := NewDialer(options)
+		if err != nil {
+			t.Fatalf("couldn't create fastdialer instance: %s", err)
+		}
+		defer fd.Close()
+
+		ctx := context.Background()
+		conn, _ := fd.Dial(ctx, "tcp", "www.projectdiscovery.io:80")
+		if conn != nil {
+			_ = conn.Close()
+		}
+
+		mu.Lock()
+		called := invalidCalled
+		mu.Unlock()
+		if !called {
+			t.Error("OnInvalidTarget was not called for denied port")
+		}
+	})
+}
+
+func TestDialerTargetValidation(t *testing.T) {
+	t.Run("ValidTarget", func(t *testing.T) {
+		options := DefaultOptions
+
+		var validateCalled bool
+		options.OnValidateTarget = func(hostname, ip, port string) error {
+			validateCalled = true
+			if hostname != "www.projectdiscovery.io" {
+				return errors.New("invalid hostname")
+			}
+			return nil
+		}
+
+		var invalidCalled bool
+		options.OnInvalidTarget = func(hostname, ip, port string) {
+			invalidCalled = true
+		}
+
+		fd, err := NewDialer(options)
+		if err != nil {
+			t.Fatalf("couldn't create fastdialer instance: %s", err)
+		}
+		defer fd.Close()
+
+		ctx := context.Background()
+		conn, err := fd.Dial(ctx, "tcp", "www.projectdiscovery.io:80")
+		if err != nil || conn == nil {
+			t.Fatalf("couldn't connect to target: %s", err)
+		}
+		defer func() {
+			_ = conn.Close()
+		}()
+
+		if !validateCalled {
+			t.Error("OnValidateTarget was not called")
+		}
+		if invalidCalled {
+			t.Error("OnInvalidTarget was called for a valid target")
+		}
+	})
+
+	t.Run("InvalidTarget", func(t *testing.T) {
+		options := DefaultOptions
+
+		var validateCalled bool
+		options.OnValidateTarget = func(hostname, ip, port string) error {
+			validateCalled = true
+			return errors.New("target rejected")
+		}
+
+		var invalidCalled bool
+		var mu sync.Mutex
+		options.OnInvalidTarget = func(hostname, ip, port string) {
+			mu.Lock()
+			invalidCalled = true
+			mu.Unlock()
+		}
+
+		fd, err := NewDialer(options)
+		if err != nil {
+			t.Fatalf("couldn't create fastdialer instance: %s", err)
+		}
+		defer fd.Close()
+
+		ctx := context.Background()
+		conn, err := fd.Dial(ctx, "tcp", "www.projectdiscovery.io:80")
+		if err != NoAddressAllowedError {
+			if conn != nil {
+				_ = conn.Close()
+			}
+			t.Fatalf("expected NoAddressAllowedError, got: %v", err)
+		}
+
+		if !validateCalled {
+			t.Error("OnValidateTarget was not called")
+		}
+
+		mu.Lock()
+		called := invalidCalled
+		mu.Unlock()
+		if !called {
+			t.Error("OnInvalidTarget was not called for an invalid target")
+		}
+	})
+}
diff --git a/fastdialer/options.go b/fastdialer/options.go
@@ -57,6 +57,9 @@ type Options struct {
 	WithZTLS                 bool
 	SNIName                  string
 	OnBeforeDial             func(hostname, IP, port string)
+	// OnValidateTarget is called after network policy validation and before dialing.
+	// If it returns an error, the target is considered invalid.
+	OnValidateTarget         func(hostname, IP, port string) error
 	OnInvalidTarget          func(hostname, IP, port string)
 	OnDialCallback           func(hostname, IP string)
 	DisableZtlsFallback      bool

Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ func TestDial(t *testing.T) {`
`96`	`96`	`if err != nil {`
`97`	`97`	`t.Fatalf("Failed to start listener: %v", err)`
`98`	`98`	`}`
`99`		`- defer listener.Close()`
	`99`	`+ defer func() { _ = listener.Close() }()`
`100`	`100`
`101`	`101`	`serverAddr := listener.Addr().String()`
`102`	`102`
`@@ -109,7 +109,7 @@ func TestDial(t *testing.T) {`
`109`	`109`
`110`	`110`	`// hold conn w/o completing handshake`
`111`	`111`	`time.Sleep(5 * time.Second)`
`112`		`- conn.Close()`
	`112`	`+ _ = conn.Close()`
`113`	`113`	`}`
`114`	`114`	`}()`
`115`	`115`
`@@ -138,7 +138,7 @@ func TestDial(t *testing.T) {`
`138`	`138`	`if err != nil {`
`139`	`139`	`t.Fatalf("Failed to start listener: %v", err)`
`140`	`140`	`}`
`141`		`- defer listener.Close()`
	`141`	`+ defer func() { _ = listener.Close() }()`
`142`	`142`
`143`	`143`	`serverAddr := listener.Addr().String()`
`144`	`144`
`@@ -149,7 +149,7 @@ func TestDial(t *testing.T) {`
`149`	`149`	`return`
`150`	`150`	`}`
`151`	`151`	`time.Sleep(5 * time.Second)`
`152`		`- conn.Close()`
	`152`	`+ _ = conn.Close()`
`153`	`153`	`}`
`154`	`154`	`}()`
`155`	`155`