
server: restrict container egress CONNECT listener to the managed container#6204

Open
dknecht wants to merge 1 commit into main from codex/propose-fix-for-unauthenticated-egress-listener

Conversation

@dknecht
Member

@dknecht dknecht commented Feb 27, 2026

Motivation

  • The egress CONNECT listener accepted tunnels from any peer on the Docker bridge, enabling other containers to use it as an open proxy or access per-container subrequest channels.
  • The change aims to restore per-container egress isolation by ensuring only the managed container (sidecar peer) can establish CONNECT tunnels.

Description

  • Added ipAddress to InspectResponse returned by ContainerClient::inspectContainer() so the container's IP is available for authorization (src/workerd/server/container-client.h, src/workerd/server/container-client.c++).
  • Implemented ContainerClient::isEgressPeerAuthorized(kj::AsyncIoStream&) which calls inspectContainer(), obtains the container IP, retrieves the peer socket address via getpeername(), and compares addresses for IPv4/IPv6; it returns true only when the peer matches the managed container IP (src/workerd/server/container-client.c++).
  • Gate the CONNECT handler in EgressHttpService::connect() to call isEgressPeerAuthorized() and reject unauthorized peers with 403 Forbidden and immediately close the connection before accepting/forwarding (src/workerd/server/container-client.c++).
  • Updated callsites that destructured inspectContainer() results to match the extended result tuple (src/workerd/server/container-client.c++).

Testing

  • Ran bazel test //src/workerd/server/tests/container-client:container-client@, which failed in this environment due to inability to download the Bazel binary (HTTP 403), so automated tests could not complete.
  • Performed repository-local static edits and quick code inspection to ensure the new InspectResponse shape is handled at modified callsites and that the CONNECT path now performs authorization; no runtime test harness could be executed in this environment.

Codex Task
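The address comparison described in the second Description bullet, shown here as an added illustration rather than code from this PR or from workerd: a stand-alone C++ check that compares a getpeername() result with the container IP obtained from inspection, for both IPv4 and IPv6. The function names (rawAddrBytes, peerMatchesContainerIp, makePeer) and the sample addresses are assumptions; the handling of v4-mapped IPv6 peers is an added caveat for dual-stack listeners that the PR text does not mention.

```cpp
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <cstring>
#include <string>
// Hypothetical stand-in for the PR's check (not workerd's code). Copies the raw
// address bytes out of a sockaddr so IPv4 and IPv6 peers share one compare; a
// v4-mapped IPv6 peer (::ffff:a.b.c.d), as a dual-stack listener reports an
// IPv4 client, is folded to its 4-byte form.
static size_t rawAddrBytes(const sockaddr_storage& sa, unsigned char out[16]) {
  if (sa.ss_family == AF_INET) {
    std::memcpy(out, &reinterpret_cast<const sockaddr_in*>(&sa)->sin_addr, 4);
    return 4;
  }
  if (sa.ss_family == AF_INET6) {
    const in6_addr& a = reinterpret_cast<const sockaddr_in6*>(&sa)->sin6_addr;
    if (IN6_IS_ADDR_V4MAPPED(&a)) { std::memcpy(out, &a.s6_addr[12], 4); return 4; }
    std::memcpy(out, &a, 16);
    return 16;
  }
  return 0;  // no IP address (e.g. AF_UNIX): nothing to compare
}
// True only when the getpeername() result equals the container IP from
// inspection. An empty or unparsable IP, or a non-IP peer, fails closed;
// the CONNECT handler would then answer 403 Forbidden and close.
static bool peerMatchesContainerIp(const sockaddr_storage& peer,
                                   const std::string& containerIp) {
  unsigned char want[16], got[16];
  size_t wantLen = 0;
  in_addr v4; in6_addr v6;
  if (inet_pton(AF_INET, containerIp.c_str(), &v4) == 1) {
    std::memcpy(want, &v4, 4); wantLen = 4;
  } else if (inet_pton(AF_INET6, containerIp.c_str(), &v6) == 1) {
    if (IN6_IS_ADDR_V4MAPPED(&v6)) { std::memcpy(want, &v6.s6_addr[12], 4); wantLen = 4; }
    else { std::memcpy(want, &v6, 16); wantLen = 16; }
  } else {
    return false;
  }
  size_t gotLen = rawAddrBytes(peer, got);
  return gotLen == wantLen && std::memcmp(got, want, gotLen) == 0;
}
// Constructed sample peers standing in for what getpeername() would fill in.
static sockaddr_storage makePeer(int family, const char* ip) {
  sockaddr_storage ss{};
  ss.ss_family = static_cast<sa_family_t>(family);
  if (family == AF_INET) inet_pton(AF_INET, ip, &reinterpret_cast<sockaddr_in*>(&ss)->sin_addr);
  else inet_pton(AF_INET6, ip, &reinterpret_cast<sockaddr_in6*>(&ss)->sin6_addr);
  return ss;
}
```

Where inspection yields no usable address for the peer, as the macOS comment below describes, the compare never matches and every CONNECT is refused rather than silently allowed.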

@github-actions

The generated output of @cloudflare/workers-types has been changed by this PR. If this is intentional, run just generate-types to update the snapshot. Alternatively, you can download the full generated types:

Full Type Diff

@ask-bonk
Contributor

ask-bonk bot commented Feb 27, 2026

@dknecht Bonk workflow was cancelled.

View workflow run · To retry, trigger Bonk again.

@gabivlj
Contributor

gabivlj commented Feb 27, 2026

Hello, this is not going to work in macOS as these container addresses are not assigned to a real device in the host.

Personally I don't think I'd be concerned of local dev containers proxying to be exploited to access local dev WorkerEntrypoint, anybody can just run docker exec in the macOS machine or do worse things than that. Let me know if there is a disagreement on my view.
