Labels
enhancement, plugins, security
Description
Overview
Create a URL Reputation Plugin that performs static URL reputation checks using blocked domains and patterns to prevent access to malicious resources.
Plugin Requirements
Plugin Details
- Name: UrlReputationPlugin
- Type: Self-contained (native) plugin
- File Location: plugins/url_reputation/
- Complexity: Medium
Functionality
- Static URL reputation checking against blocklists
- Domain-based and pattern-based filtering
- Support for wildcard and regex patterns
- IP address and CIDR block filtering
- Allowlist override capabilities
Hook Integration
- Primary Hooks: resource_pre_fetch
- Purpose: Block access to known malicious or unwanted domains/URLs
- Behavior: Prevent resource fetching from blocked domains or patterns
Configuration Schema
```yaml
plugins:
  - name: "UrlReputation"
    kind: "plugins.url_reputation.checker.UrlReputationPlugin"
    description: "Static URL reputation checks using blocked domains/patterns"
    version: "0.1.0"
    hooks: ["resource_pre_fetch"]
    mode: "enforce"
    priority: 22
    config:
      # Blocked domains (exact match)
      blocked_domains:
        - "malicious-site.com"
        - "phishing-example.net"
        - "spam-domain.org"
        - "suspicious-api.io"
      # Blocked domain patterns (wildcard and regex)
      blocked_patterns:
        - "*.suspicious-network.com"
        - "phish*"
        - ".*\\.tk$" # Block .tk domains
        - ".*\\.ml$" # Block .ml domains
        - "bit\\.ly/[a-zA-Z0-9]{6}" # Suspicious short URLs
      # IP address filtering
      blocked_ips:
        - "192.168.1.100"
        - "10.0.0.50"
      # CIDR block filtering
      blocked_cidrs:
        - "172.16.0.0/12"
        - "192.168.0.0/16"
        - "127.0.0.0/8"
      # URL pattern matching
      url_patterns:
        blocked_paths:
          - "/malware/*"
          - "/exploit/*"
          - "*/admin/backdoor*"
        blocked_queries:
          - "cmd=*"
          - "exec=*"
          - "eval=*"
      # Allowlist (overrides blocks)
      allowlist:
        domains:
          - "trusted-domain.com"
          - "api.company.com"
        patterns:
          - "*.github.com"
          - "*.stackoverflow.com"
        ips:
          - "8.8.8.8" # Google DNS
          - "1.1.1.1" # Cloudflare DNS
      # Reputation sources integration
      reputation_sources:
        - name: "internal_blocklist"
          enabled: true
          file_path: "data/internal_blocked_domains.txt"
          update_interval: 3600
        - name: "threat_intel_feed"
          enabled: false
          url: "https://feeds.example.com/malicious-domains.txt"
          api_key: "${THREAT_INTEL_API_KEY}"
          update_interval: 1800
      # URL processing
      url_processing:
        normalize_urls: true
        check_redirects: true
        max_redirect_depth: 3
        resolve_shorteners: true
        shortener_domains:
          - "bit.ly"
          - "tinyurl.com"
          - "t.co"
          - "goo.gl"
      # Response handling
      response:
        block_message: "URL blocked by reputation filter"
        include_reason: true
        log_blocked_requests: true
        alert_on_block: false
      # Performance settings
      performance:
        cache_results: true
        cache_ttl_seconds: 300
        max_cache_entries: 1000
        async_reputation_checks: true
```
Acceptance Criteria
- Plugin implements UrlReputationPlugin class
- Static domain and pattern-based blocking
- IP address and CIDR block filtering
- Wildcard and regex pattern support
- Allowlist override functionality
- URL normalization and redirect handling
- Short URL expansion support
- External reputation feed integration
- Result caching for performance
- Plugin manifest and documentation created
- Unit tests with >90% coverage
- Integration tests with various URL patterns
Priority
High - Critical security feature
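The core decision this issue asks for (allowlist override, exact domain match, wildcard/regex patterns, CIDR filtering), as an added sketch that is not the project's code. `check_url`, `CONFIG`, the flattened `allow_*` keys and the rule that a pattern beginning with `*.` is a wildcard while anything else is a regex are assumptions; the sample values are a subset of the schema above.

```python
import fnmatch
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample config: a subset of the values in the issue's schema.
CONFIG = {
    "blocked_domains": {"malicious-site.com"},
    "blocked_patterns": ["*.suspicious-network.com", r".*\.tk$"],
    "blocked_cidrs": ["172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"],
    "allow_domains": {"trusted-domain.com"},
    "allow_patterns": ["*.github.com"],
}

def _matches(host, pattern):
    # Assumption: a pattern starting with "*." is a wildcard; anything else
    # is a regex. The issue does not say how the two kinds are told apart.
    if pattern.startswith("*."):
        return fnmatch.fnmatchcase(host, pattern)  # anchored to the whole host
    return re.search(pattern, host) is not None

def check_url(url, cfg=CONFIG):
    """Return (allowed, reason) for one URL, evaluated without network access."""
    # urlsplit lowercases the hostname; also drop a trailing root dot.
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return False, "no host in URL"
    # Allowlist is evaluated first so that it overrides every block rule.
    if host in cfg["allow_domains"] or any(_matches(host, p) for p in cfg["allow_patterns"]):
        return True, "allowlisted"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, treat as a domain name
    if ip is not None:
        for cidr in cfg["blocked_cidrs"]:
            if ip in ipaddress.ip_network(cidr):
                return False, f"ip in blocked CIDR {cidr}"
        return True, "ip not blocked"
    if host in cfg["blocked_domains"]:
        return False, "blocked domain"
    for p in cfg["blocked_patterns"]:
        if _matches(host, p):
            return False, f"blocked pattern {p}"
    return True, "no rule matched"
```

Because the check is static, a hostname that resolves into a blocked CIDR is not caught here; that needs a resolution step before the fetch.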