google/externalaccount: validate tokenURL and ServiceAccountImpersonationURL

google/internal/externalaccount/basecredentials.go

@@ -7,10 +7,12 @@ package externalaccount
 import (
 	"context"
 	"fmt"
-	"golang.org/x/oauth2"
 	"net/http"
+	"regexp"
 	"strconv"
 	"time"
+
+	"golang.org/x/oauth2"
 )
 
 // now aliases time.Now for testing
@@ -51,14 +53,73 @@ type Config struct {
 	Scopes []string
 }
 
+// Each element consists of a list of patterns.  validateURLs checks for matches
+// that include all elements in a given list, in that order.
+var (
+	validTokenURLPatterns = []string{
+		"https://[^\\.]+\\.sts\\.googleapis\\.com",
+		"https://sts\\.googleapis\\.com",
+		"https://sts\\.[^\\.]+\\.googleapis\\.com",
+		"https://[^\\.]+-sts\\.googleapis\\.com",
+	}
+	validImpersonateURLPatterns = []string{
+		"https://[^\\.]+\\.iamcredentials\\.googleapis\\.com",
+		"https://iamcredentials\\.googleapis\\.com",
+		"https://iamcredentials\\.[^\\.]+\\.googleapis\\.com",
+		"https://[^\\.]+-iamcredentials\\.googleapis\\.com",
+	}
+)
+
+func validateURL(input string, patterns []string) (bool, error) {
+	for _, pattern := range patterns {
+		valid, err := regexp.MatchString(pattern, input)
+		if err != nil {
+			return false, err
+		}
+		if valid {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
 // TokenSource Returns an external account TokenSource struct. This is to be called by package google to construct a google.Credentials.
-func (c *Config) TokenSource(ctx context.Context) oauth2.TokenSource {
+func (c *Config) TokenSource(ctx context.Context) (oauth2.TokenSource, error) {
+	return c.tokenSource(ctx, false)
+}
+
+// tokenSource is a private function that's directly called by some of the tests,
+// because the unit test URLs are mocked, and would otherwise fail the
+// validity check.
+func (c *Config) tokenSource(ctx context.Context, testing bool) (oauth2.TokenSource, error) {
+	if !testing {
+		// Check the validity of TokenURL.
+		valid, err := validateURL(c.TokenURL, validTokenURLPatterns)
+		if err != nil {
+			return nil, err
+		}
+		if !valid {
+			return nil, fmt.Errorf("oauth2/google: invalid TokenURL provided while constructing tokenSource")
+		}
+
+		// If ServiceAccountImpersonationURL is present, check its validity.
+		if c.ServiceAccountImpersonationURL != "" {
+			valid, err := validateURL(c.ServiceAccountImpersonationURL, validImpersonateURLPatterns)
+			if err != nil {
+				return nil, err
+			}
+			if !valid {
+				return nil, fmt.Errorf("oauth2/google: invalid ServiceAccountImpersonationURL provided while constructing tokenSource")
+			}
+		}
+	}
+
 	ts := tokenSource{
 		ctx:  ctx,
 		conf: c,
 	}
 	if c.ServiceAccountImpersonationURL == "" {
-		return oauth2.ReuseTokenSource(nil, ts)
+		return oauth2.ReuseTokenSource(nil, ts), nil
 	}
 	scopes := c.Scopes
 	ts.conf.Scopes = []string{"https://www.googleapis.com/auth/cloud-platform"}
@@ -68,7 +129,7 @@ func (c *Config) TokenSource(ctx context.Context) oauth2.TokenSource {
 		scopes: scopes,
 		ts:     oauth2.ReuseTokenSource(nil, ts),
 	}
-	return oauth2.ReuseTokenSource(nil, imp)
+	return oauth2.ReuseTokenSource(nil, imp), nil
 }
 
 // Subject token file types.

google/internal/externalaccount/basecredentials_test.go

@@ -95,3 +95,43 @@ func TestToken(t *testing.T) {
 	}
 
 }
+
+func TestValidateURL(t *testing.T) {
+	var urlValidityTests = []struct {
+		input   string
+		pattern []string
+		result  bool
+	}{
+		{"https://sts.googleapis.com", validTokenURLPatterns, true},
+		{"https://.sts.google.com", validTokenURLPatterns, false},
+		{"https://badsts.googleapis.com", validTokenURLPatterns, false},
+		{"https://sts.asfeasfesef.googleapis.com", validTokenURLPatterns, true},
+		{"https://sts.asfe.asfesef.googleapis.com", validTokenURLPatterns, false},
+		{"https://sts..googleapis.com", validTokenURLPatterns, false},
+		{"https://-sts.googleapis.com", validTokenURLPatterns, false},
+		{"https://us-east-1-sts.googleapis.com", validTokenURLPatterns, true},
+		{"https://us-ea.st-1-sts.googleapis.com", validTokenURLPatterns, false},
+		// Repeat for iamcredentials as well
+		{"https://iamcredentials.googleapis.com", validImpersonateURLPatterns, true},
+		{"https://.iamcredentials.googleapis.com", validImpersonateURLPatterns, false},
+		{"https://badiamcredentials.googleapis.com", validImpersonateURLPatterns, false},
+		{"https://iamcredentials.asfeasfesef.googleapis.com", validImpersonateURLPatterns, true},
+		{"https://iamcredentials.asfe.asfesef.googleapis.com", validImpersonateURLPatterns, false},
+		{"https://iamcredentials..googleapis.com", validImpersonateURLPatterns, false},
+		{"https://-iamcredentials.googleapis.com", validImpersonateURLPatterns, false},
+		{"https://us-east-1-iamcredentials.googleapis.com", validImpersonateURLPatterns, true},
+		{"https://us-ea.st-1-iamcredentials.googleapis.com", validImpersonateURLPatterns, false},
+	}
+	for _, tt := range urlValidityTests {
+		t.Run(" "+tt.input, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
+			valid, err := validateURL(tt.input, tt.pattern)
+			if err != nil {
+				t.Errorf("validateURL returned an error: %v", err)
+				return
+			}
+			if valid != tt.result {
+				t.Errorf("got %v, want %v", valid, tt.result)
+			}
+		})
+	}
+}

google/internal/externalaccount/clientauth.go

@@ -6,9 +6,10 @@ package externalaccount
 
 import (
 	"encoding/base64"
-	"golang.org/x/oauth2"
 	"net/http"
 	"net/url"
+
+	"golang.org/x/oauth2"
 )
 
 // clientAuthentication represents an OAuth client ID and secret and the mechanism for passing these credentials as stated in rfc6749#2.3.1.

google/internal/externalaccount/clientauth_test.go

@@ -5,11 +5,12 @@
 package externalaccount
 
 import (
-	"golang.org/x/oauth2"
 	"net/http"
 	"net/url"
 	"reflect"
 	"testing"
+
+	"golang.org/x/oauth2"
 )
 
 var clientID = "rbrgnognrhongo3bi4gb9ghg9g"

google/internal/externalaccount/impersonate.go

@@ -9,11 +9,12 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"golang.org/x/oauth2"
 	"io"
 	"io/ioutil"
 	"net/http"
 	"time"
+
+	"golang.org/x/oauth2"
 )
 
 // generateAccesstokenReq is used for service account impersonation

google/internal/externalaccount/impersonate_test.go

@@ -6,6 +6,7 @@ package externalaccount
 
 import (
 	"context"
+	"fmt"
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
@@ -76,7 +77,11 @@ func TestImpersonation(t *testing.T) {
 	defer targetServer.Close()
 
 	testImpersonateConfig.TokenURL = targetServer.URL
-	ourTS := testImpersonateConfig.TokenSource(context.Background())
+	ourTS, err := testImpersonateConfig.tokenSource(context.Background(), true)
+	if err != nil {
+		fmt.Println(testImpersonateConfig.TokenURL)
+		t.Fatalf("Failed to create TokenSource: %v", err)
+	}
 
 	oldNow := now
 	defer func() { now = oldNow }()

google/internal/externalaccount/sts_exchange_test.go

@@ -7,12 +7,13 @@ package externalaccount
 import (
 	"context"
 	"encoding/json"
-	"golang.org/x/oauth2"
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"testing"
+
+	"golang.org/x/oauth2"
 )
 
 var auth = clientAuthentication{

google/internal/externalaccount/urlcredsource.go

@@ -9,10 +9,11 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"golang.org/x/oauth2"
 	"io"
 	"io/ioutil"
 	"net/http"
+
+	"golang.org/x/oauth2"
 )
 
 type urlCredentialSource struct {