@noaho noaho commented Aug 5, 2025

Summary

Fixes non-functional IP filtering in httpx where -allow and -deny flags were being parsed but never applied to the
NetworkPolicy instance.

Changes

  • Add missing AllowList and DenyList integration in createNetworkpolicyInstance()
  • Add test coverage to validate IP filtering behavior

Problem

The -allow and -deny command-line flags were not being passed to the NetworkPolicy instance during initialization,
causing all IP filtering to be ignored. IPs that should have been blocked were allowed through.

Testing

Added TestCreateNetworkpolicyInstance_AllowDenyFlags which validates:

  • Allow flag correctly blocks IPs outside allowed ranges
  • Deny flag correctly blocks IPs in denied ranges
  • Both flags work independently and together

Examples

# These now work correctly:
echo "8.8.8.8" | ./httpx -allow 1.1.1.0/24     # Blocked (not in allowed range)
echo "8.8.8.8" | ./httpx -deny 8.8.8.0/24      # Blocked (in denied range)
echo "1.1.1.1" | ./httpx -allow 1.1.1.0/24     # Allowed (in allowed range)

Summary by CodeRabbit

  • New Features

    • Allow and Deny lists now accept ASNs and automatically expand them into concrete IP entries so network policies apply correctly to ASN-specified ranges.
  • Tests

    • Added tests covering Allow/Deny scenarios (single, combined, multiple ranges) to verify correct allow/block behavior and stable policy instance creation.
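To make the failure mode concrete, here is an added, stand-alone Go model of the wiring (example code, not httpx's or networkpolicy's own): `Options`, `policy`, `newPolicy`, `newPolicyBuggy` and `Validate` are constructed stand-ins that follow the same allow/deny precedence the PR's tests assume.

```go
package main

import "net/netip"

type Options struct { // httpx-style parsed -allow/-deny flags (constructed stand-in, not httpx's type)
	Allow []string
	Deny  []string
}
// policy is a minimal CIDR allow/deny filter modelling NetworkPolicy's semantics.
type policy struct{ allow, deny []netip.Prefix }
func parsePrefixes(values []string) (out []netip.Prefix, err error) {
	for _, v := range values {
		p, perr := netip.ParsePrefix(v) // entries such as "1.1.1.0/24"
		if perr != nil {
			return nil, perr
		}
		out = append(out, p)
	}
	return out, nil
}
// newPolicyBuggy reproduces the pre-fix wiring: the flags were parsed by the CLI
// but never copied into the policy, so the empty policy lets every IP through.
func newPolicyBuggy(_ *Options) *policy { return &policy{} }
// newPolicy is the corrected wiring: Allow and Deny feed the policy's lists.
func newPolicy(opts *Options) (p *policy, err error) {
	p = &policy{}
	if p.allow, err = parsePrefixes(opts.Allow); err != nil {
		return nil, err
	}
	if p.deny, err = parsePrefixes(opts.Deny); err != nil {
		return nil, err
	}
	return p, nil
}
func containsAny(prefixes []netip.Prefix, addr netip.Addr) bool {
	for _, p := range prefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}
// Validate blocks denied IPs first, then anything outside a non-empty allow list.
func (p *policy) Validate(ip string) bool {
	addr, err := netip.ParseAddr(ip)
	if err != nil || containsAny(p.deny, addr) {
		return false
	}
	return len(p.allow) == 0 || containsAny(p.allow, addr)
}
```

Running the three commands from the PR description through `newPolicyBuggy` returns true for all of them, which is the symptom the PR fixes; through `newPolicy` they return false, false, true.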

  - Add missing flag integration in createNetworkpolicyInstance()
  - Fixes broken IP filtering where -allow and -deny flags were ignored
  - Add test coverage for Allow/Deny flag validation

  The NetworkPolicy instance was created without the Allow/Deny flag values,
  causing all IP filtering to be bypassed regardless of command-line flags

coderabbitai bot commented Aug 5, 2025

Walkthrough

Adds ASN-aware expansion for Allow and Deny entries when building network policy options and a unit test validating Allow/Deny behavior across multiple scenarios.

Changes

Cohort / File(s) Change Summary
Network Policy Allow/Deny Integration
runner/runner.go
Add private helper appendToList(list []string, values ...string) []string and use it to augment npOptions.AllowList and npOptions.DenyList by expanding ASN inputs into CIDRs/IPs via existing ASN/CIDR helpers before appending.
Network Policy Allow/Deny Tests
runner/runner_test.go
Add TestCreateNetworkpolicyInstance_AllowDenyFlags covering Allow-only, Deny-only, combined, and multiple-range scenarios using the instance Validate method to assert allow/deny behavior.

Sequence Diagram(s)

sequenceDiagram
    participant Caller as CreateNetworkpolicyInstance
    participant Options as CLI Options
    participant Helper as appendToList
    participant ASN as asn package
    participant CIDR as CIDR expander
    participant NPOpts as npOptions
    participant NP as NetworkPolicy

    Caller->>Options: read Allow/Deny/Exclude flags
    Caller->>NPOpts: populate from Exclude and other flags
    Caller->>Helper: appendToList(NPOpts.AllowList, options.Allow...)
    Helper->>ASN: IsASN? / GetCIDRsForASNNum
    ASN->>CIDR: return CIDRs
    CIDR->>Helper: expand CIDR -> IPs
    Helper-->>NPOpts: return augmented AllowList
    Caller->>Helper: appendToList(NPOpts.DenyList, options.Deny...)
    Helper-->>NPOpts: return augmented DenyList
    Caller->>NP: New(NetworkPolicy, NPOpts)
    NP-->>Caller: instance / error


Poem

I hop through flags both near and far,
ASN peels back to each small star.
Allow and Deny — I sort their tunes,
Tests clap paws beneath the moons.
A rabbit's cheer for tidy runes. 🐇


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 7835de7 and 9b0acdd.

📒 Files selected for processing (1)
  • runner/runner.go (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • runner/runner.go


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
runner/runner_test.go (1)

226-258: Solid test coverage for Allow and Deny flags.

The test comprehensively validates both the -allow and -deny flag functionality by:

  • Verifying that IPs outside the allowed range are blocked when using -allow
  • Confirming that IPs within a denied range are blocked when using -deny
  • Testing that appropriate IPs are permitted in each scenario

Consider adding a test case that validates the behavior when both -allow and -deny flags are used together, as mentioned in the PR objectives that "the flags work both independently and in combination."

+	// Test Allow and Deny flags together
+	options = &Options{}
+	options.Allow = []string{"192.168.0.0/16"}
+	options.Deny = []string{"192.168.1.0/24"}
+	
+	np, err = runner.createNetworkpolicyInstance(options)
+	require.Nil(t, err, "could not create networkpolicy instance")
+	
+	// Should block IP in denied range even if in allowed range
+	allowed = np.Validate("192.168.1.10")
+	require.False(t, allowed, "IP in denied range should be blocked even if in allowed range")
+	
+	// Should allow IP in allowed range but not in denied range
+	allowed = np.Validate("192.168.2.10")
+	require.True(t, allowed, "IP in allowed range but not denied range should be allowed")
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between faac44c and 93e9581.

📒 Files selected for processing (2)
  • runner/runner.go (1 hunks)
  • runner/runner_test.go (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: noaho
PR: projectdiscovery/httpx#2227
File: runner/runner.go:1308-1329
Timestamp: 2025-08-01T06:38:23.971Z
Learning: In the httpx codebase, normal IP inputs go through network policy validation via skip() method which validates URL.Host, but vhost-input format bypasses this validation since skip() only validates the hostname portion (target.Host) and not the actual target IP (target.CustomIP), creating a potential security bypass.
Learnt from: noaho
PR: projectdiscovery/httpx#2227
File: runner/runner.go:1308-1329
Timestamp: 2025-08-01T06:18:09.303Z
Learning: In the httpx codebase, IP validation occurs at multiple layers: parseVhostInput for format validation, and later via network policy validation in the skip() method. The codebase pattern extensively uses iputil utility functions for input validation, suggesting early IP validation is appropriate and consistent with the architecture.
🔇 Additional comments (1)
runner/runner.go (1)

415-419: LGTM! Clean integration of Allow and Deny flags.

The fix correctly integrates the -allow and -deny command-line flags into the network policy by appending options.Allow and options.Deny to the respective npOptions lists before creating the network policy instance. This ensures the flags are properly enforced, addressing the bug where they were parsed but not applied.

  - Add test cases for simultaneous use of -allow and -deny flags
  - Validate deny rules take precedence over allow rules
  - Test multiple allow/deny ranges with overlapping scenarios
  - Ensure IPs outside allow ranges are blocked when allow list exists

noaho commented Aug 5, 2025

I added extra tests for flags being used together.


noaho commented Aug 5, 2025

@coderabbitai resolve


coderabbitai bot commented Aug 5, 2025

✅ Actions performed

Comments resolved.

@Mzack9999 Mzack9999 self-requested a review August 12, 2025 18:05

@dogancanbakir dogancanbakir left a comment


LGTM; good catch. Left a comment for you.

@Mzack9999

@coderabbitai resolve


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between ee6a467 and 7835de7.

📒 Files selected for processing (1)
  • runner/runner.go (1 hunks)
🔇 Additional comments (1)
runner/runner.go (1)

415-418: Wiring -allow/-deny into NetworkPolicy is correct and fixes the bug

Hooking Options.Allow and Options.Deny into npOptions fixes the root cause where flags were parsed but ignored. This aligns with the PR objective and associated tests.


coderabbitai bot commented Aug 14, 2025

✅ Actions performed

Comments resolved.

@Mzack9999 Mzack9999 merged commit 5f55bfa into projectdiscovery:dev Aug 14, 2025
13 checks passed