From 280ee39d146339b9d4f96b5e0a748d9c1b4ac7ca Mon Sep 17 00:00:00 2001
From: Patrick Jones
Date: Wed, 11 Aug 2021 14:41:07 -0700
Subject: [PATCH] filter URL to exclude path, update regex accordingly
---
 .../externalaccount/basecredentials.go | 26 ++++++++++++-------
 .../externalaccount/basecredentials_test.go | 8 ++++--
 2 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/google/internal/externalaccount/basecredentials.go b/google/internal/externalaccount/basecredentials.go
index f2f2dfe..ec0a1a9 100644
--- a/google/internal/externalaccount/basecredentials.go
+++ b/google/internal/externalaccount/basecredentials.go
@@ -8,6 +8,7 @@ import (
  "context"
  "fmt"
  "net/http"
+ "net/url"
  "regexp"
  "strconv"
  "time"
@@ -60,22 +61,29 @@ var (
  validTokenURLPatterns = []*regexp.Regexp{
  // The complicated part in the middle matches any number of characters that
  // aren't period, spaces, or slashes.
- regexp.MustCompile("^https://[^\\.\\s\\/\\\\]+\\.sts\\.googleapis\\.com"),
- regexp.MustCompile("^https://sts\\.googleapis\\.com"),
- regexp.MustCompile("^https://sts\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com"),
- regexp.MustCompile("^https://[^\\.\\s\\/\\\\]+-sts\\.googleapis\\.com"),
+ regexp.MustCompile("^https://[^\\.\\s\\/\\\\]+\\.sts\\.googleapis\\.com$"),
+ regexp.MustCompile("^https://sts\\.googleapis\\.com$"),
+ regexp.MustCompile("^https://sts\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$"),
+ regexp.MustCompile("^https://[^\\.\\s\\/\\\\]+-sts\\.googleapis\\.com$"),
  }
  validImpersonateURLPatterns = []*regexp.Regexp{
- regexp.MustCompile("^https://[^\\.\\s\\/\\\\]+\\.iamcredentials\\.googleapis\\.com"),
- regexp.MustCompile("^https://iamcredentials\\.googleapis\\.com"),
- regexp.MustCompile("^https://iamcredentials\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com"),
- regexp.MustCompile("^https://[^\\.\\s\\/\\\\]+-iamcredentials\\.googleapis\\.com"),
+ regexp.MustCompile("^https://[^\\.\\s\\/\\\\]+\\.iamcredentials\\.googleapis\\.com$"),
+ regexp.MustCompile("^https://iamcredentials\\.googleapis\\.com$"),
+ regexp.MustCompile("^https://iamcredentials\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$"),
+ regexp.MustCompile("^https://[^\\.\\s\\/\\\\]+-iamcredentials\\.googleapis\\.com$"),
  }
 )
 
 func validateURL(input string, patterns []*regexp.Regexp) bool {
+ parsed, err := url.Parse(input)
+ if err != nil {
+ return false
+ }
+ path := parsed.Path
+ toTest := input[0 : len(input)-len(path)]
+
  for _, pattern := range patterns {
- valid := pattern.MatchString(input)
+ valid := pattern.MatchString(toTest)
  if valid {
  return true
  }
diff --git a/google/internal/externalaccount/basecredentials_test.go b/google/internal/externalaccount/basecredentials_test.go
index 34c5542..2a23e5f 100644
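Review bot: `toTest := input[0 : len(input)-len(path)]` assumes the path is the trailing bytes of `input` and that `parsed.Path` is the same length as the raw path, but a query string or fragment follows the path and `url.Parse` percent-decodes it, so `https://sts.googleapis.com/p?x=1` loses its last two bytes instead of `/p` and is then rejected by the new `$` anchors. That fails closed, but it silently rejects valid endpoints rather than implementing the intended "ignore the path" rule. Building the string to match from the parsed components removes the arithmetic, `toTest := parsed.Scheme + "://" + parsed.Host`, and because `parsed.Host` drops userinfo the current rejection of `https://user@sts.googleapis.com/` should be kept explicit with `if parsed.User != nil { return false }`. A `host:port` form is also rejected by the `$` anchors, which is defensible but deserves a comment on the pattern lists saying that a port is not accepted. validateURL's body continues past the end of this hunk.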
--- a/google/internal/externalaccount/basecredentials_test.go
+++ b/google/internal/externalaccount/basecredentials_test.go
@@ -107,12 +107,14 @@ func TestValidateURLTokenURL(t *testing.T) {
  {"https://sts.googleapis.com", validTokenURLPatterns, true},
  {"https://sts.asfeasfesef.googleapis.com", validTokenURLPatterns, true},
  {"https://us-east-1-sts.googleapis.com", validTokenURLPatterns, true},
- {"https://.sts.google.com", validTokenURLPatterns, false},
+ {"https://sts.googleapis.com/your/path/here", validTokenURLPatterns, true},
+ {"https://.sts.googleapis.com", validTokenURLPatterns, false},
  {"https://badsts.googleapis.com", validTokenURLPatterns, false},
  {"https://sts.asfe.asfesef.googleapis.com", validTokenURLPatterns, false},
  {"https://sts..googleapis.com", validTokenURLPatterns, false},
  {"https://-sts.googleapis.com", validTokenURLPatterns, false},
  {"https://us-ea.st-1-sts.googleapis.com", validTokenURLPatterns, false},
+ {"https://sts.googleapis.com.evil.com/whatever/path", validTokenURLPatterns, false},
  }
  for _, tt := range urlValidityTests {
  t.Run(" "+tt.input, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
@@ -124,7 +126,7 @@ func TestValidateURLTokenURL(t *testing.T) {
  }
 }
 
-func TestValidateURLImpersonateURL (t *testing.T) {
+func TestValidateURLImpersonateURL(t *testing.T) {
  var urlValidityTests = []struct {
  input string
  pattern []*regexp.Regexp
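Review bot: The new table entries cover a plain path and a look-alike host, but none exercises a query string, fragment or userinfo, which is exactly where validateURL's byte-length suffix slicing diverges from the parsed URL; the TestValidateURLImpersonateURL table in the next hunk has the same gap. Adding `{"https://sts.googleapis.com/path?x=1", validTokenURLPatterns, true}` records the intended handling of a query (it fails under the current slicing, which is the behaviour to settle before merging), and `{"https://user@sts.googleapis.com/", validTokenURLPatterns, false}` pins that userinfo stays rejected. The `@@ -124` hunk in this file is a whitespace-only signature fix and needs nothing further.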
@@ -134,12 +136,14 @@ func TestValidateURLImpersonateURL (t *testing.T) {
  {"https://iamcredentials.googleapis.com", validImpersonateURLPatterns, true},
  {"https://iamcredentials.asfeasfesef.googleapis.com", validImpersonateURLPatterns, true},
  {"https://us-east-1-iamcredentials.googleapis.com", validImpersonateURLPatterns, true},
+ {"https://iamcredentials.googleapis.com/your/path/here", validImpersonateURLPatterns, true},
  {"https://.iamcredentials.googleapis.com", validImpersonateURLPatterns, false},
  {"https://badiamcredentials.googleapis.com", validImpersonateURLPatterns, false},
  {"https://iamcredentials.asfe.asfesef.googleapis.com", validImpersonateURLPatterns, false},
  {"https://iamcredentials..googleapis.com", validImpersonateURLPatterns, false},
  {"https://-iamcredentials.googleapis.com", validImpersonateURLPatterns, false},
  {"https://us-ea.st-1-iamcredentials.googleapis.com", validImpersonateURLPatterns, false},
+ {"https://iamcredentials.googleapis.com.evil.com/whatever/path", validImpersonateURLPatterns, false},
  }
  for _, tt := range urlValidityTests {
  t.Run(" "+tt.input, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.