filter URL to exclude path, update regex accordingly

This commit is contained in:
Patrick Jones 2021-08-11 14:41:07 -07:00
parent 844e38f109
commit 280ee39d14
2 changed files with 23 additions and 11 deletions


@ -8,6 +8,7 @@ import (
"context" "context"
"fmt" "fmt"
"net/http" "net/http"
"net/url"
"regexp" "regexp"
"strconv" "strconv"
"time" "time"
@ -60,22 +61,29 @@ var (
validTokenURLPatterns = []*regexp.Regexp{ validTokenURLPatterns = []*regexp.Regexp{
// The complicated part in the middle matches any number of characters that // The complicated part in the middle matches any number of characters that
// aren't period, spaces, or slashes. // aren't period, spaces, or slashes.
regexp.MustCompile("^https://[^\\.\\s\\/\\\\]+\\.sts\\.googleapis\\.com"), regexp.MustCompile("^https://[^\\.\\s\\/\\\\]+\\.sts\\.googleapis\\.com$"),
regexp.MustCompile("^https://sts\\.googleapis\\.com"), regexp.MustCompile("^https://sts\\.googleapis\\.com$"),
regexp.MustCompile("^https://sts\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com"), regexp.MustCompile("^https://sts\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$"),
regexp.MustCompile("^https://[^\\.\\s\\/\\\\]+-sts\\.googleapis\\.com"), regexp.MustCompile("^https://[^\\.\\s\\/\\\\]+-sts\\.googleapis\\.com$"),
} }
validImpersonateURLPatterns = []*regexp.Regexp{ validImpersonateURLPatterns = []*regexp.Regexp{
regexp.MustCompile("^https://[^\\.\\s\\/\\\\]+\\.iamcredentials\\.googleapis\\.com"), regexp.MustCompile("^https://[^\\.\\s\\/\\\\]+\\.iamcredentials\\.googleapis\\.com$"),
regexp.MustCompile("^https://iamcredentials\\.googleapis\\.com"), regexp.MustCompile("^https://iamcredentials\\.googleapis\\.com$"),
regexp.MustCompile("^https://iamcredentials\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com"), regexp.MustCompile("^https://iamcredentials\\.[^\\.\\s\\/\\\\]+\\.googleapis\\.com$"),
regexp.MustCompile("^https://[^\\.\\s\\/\\\\]+-iamcredentials\\.googleapis\\.com"), regexp.MustCompile("^https://[^\\.\\s\\/\\\\]+-iamcredentials\\.googleapis\\.com$"),
} }
) )
func validateURL(input string, patterns []*regexp.Regexp) bool { func validateURL(input string, patterns []*regexp.Regexp) bool {
parsed, err := url.Parse(input)
if err != nil {
return false
}
path := parsed.Path
toTest := input[0 : len(input)-len(path)]
for _, pattern := range patterns { for _, pattern := range patterns {
valid := pattern.MatchString(input) valid := pattern.MatchString(toTest)
if valid { if valid {
return true return true
} }
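Review bot: The slice at `toTest := input[0 : len(input)-len(path)]` assumes `parsed.Path` is a literal byte-suffix of `input`, which stops holding as soon as the URL carries a query string or fragment, or a percent-encoded path (url.Parse stores the decoded form in Path), so a legitimate endpoint such as `https://sts.googleapis.com/v1/token?alt=json` is rejected and the cut lands inside the path. Because every pattern is now `$`-anchored this fails closed rather than open, but it is fragile and it validates a string prefix rather than the authority the HTTP client will actually connect to. Matching the parsed components directly avoids both problems and lets the `path` variable and the slice go: `toTest := parsed.Scheme + "://" + parsed.Host`. This also means any userinfo before an `@` is excluded, so the regexes are applied to the effective host; Host still carries an explicit port, so a `:443` suffix would be rejected by the `$` anchor exactly as it is today. validateURL's body continues outside the hunk.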


@ -107,12 +107,14 @@ func TestValidateURLTokenURL(t *testing.T) {
{"https://sts.googleapis.com", validTokenURLPatterns, true}, {"https://sts.googleapis.com", validTokenURLPatterns, true},
{"https://sts.asfeasfesef.googleapis.com", validTokenURLPatterns, true}, {"https://sts.asfeasfesef.googleapis.com", validTokenURLPatterns, true},
{"https://us-east-1-sts.googleapis.com", validTokenURLPatterns, true}, {"https://us-east-1-sts.googleapis.com", validTokenURLPatterns, true},
{"https://.sts.google.com", validTokenURLPatterns, false}, {"https://sts.googleapis.com/your/path/here", validTokenURLPatterns, true},
{"https://.sts.googleapis.com", validTokenURLPatterns, false},
{"https://badsts.googleapis.com", validTokenURLPatterns, false}, {"https://badsts.googleapis.com", validTokenURLPatterns, false},
{"https://sts.asfe.asfesef.googleapis.com", validTokenURLPatterns, false}, {"https://sts.asfe.asfesef.googleapis.com", validTokenURLPatterns, false},
{"https://sts..googleapis.com", validTokenURLPatterns, false}, {"https://sts..googleapis.com", validTokenURLPatterns, false},
{"https://-sts.googleapis.com", validTokenURLPatterns, false}, {"https://-sts.googleapis.com", validTokenURLPatterns, false},
{"https://us-ea.st-1-sts.googleapis.com", validTokenURLPatterns, false}, {"https://us-ea.st-1-sts.googleapis.com", validTokenURLPatterns, false},
{"https://sts.googleapis.com.evil.com/whatever/path", validTokenURLPatterns, false},
} }
for _, tt := range urlValidityTests { for _, tt := range urlValidityTests {
t.Run(" "+tt.input, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability. t.Run(" "+tt.input, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.
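Review bot: The new positive case `{"https://sts.googleapis.com/your/path/here", validTokenURLPatterns, true}` covers a plain path only, while the prefix-slicing in validateURL also has to cope with query strings, fragments and percent-encoded paths, none of which appear here or in TestValidateURLImpersonateURL. Adding `{"https://sts.googleapis.com/your/path?alt=json", validTokenURLPatterns, true},` and `{"https://sts.googleapis.com/your%20path", validTokenURLPatterns, true},` would pin the intended behaviour; with the implementation as written both would likely fail, since `len(parsed.Path)` no longer equals the number of bytes following the host. A negative case with userinfo, e.g. `{"https://sts.googleapis.com@badsts.googleapis.com/path", validTokenURLPatterns, false},` is also worth having so that the effective host, not the leading characters of the string, is what the test asserts. The enclosing test function starts and ends outside the hunk.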
@ -124,7 +126,7 @@ func TestValidateURLTokenURL(t *testing.T) {
} }
} }
func TestValidateURLImpersonateURL (t *testing.T) { func TestValidateURLImpersonateURL(t *testing.T) {
var urlValidityTests = []struct { var urlValidityTests = []struct {
input string input string
pattern []*regexp.Regexp pattern []*regexp.Regexp
@ -134,12 +136,14 @@ func TestValidateURLImpersonateURL (t *testing.T) {
{"https://iamcredentials.googleapis.com", validImpersonateURLPatterns, true}, {"https://iamcredentials.googleapis.com", validImpersonateURLPatterns, true},
{"https://iamcredentials.asfeasfesef.googleapis.com", validImpersonateURLPatterns, true}, {"https://iamcredentials.asfeasfesef.googleapis.com", validImpersonateURLPatterns, true},
{"https://us-east-1-iamcredentials.googleapis.com", validImpersonateURLPatterns, true}, {"https://us-east-1-iamcredentials.googleapis.com", validImpersonateURLPatterns, true},
{"https://iamcredentials.googleapis.com/your/path/here", validImpersonateURLPatterns, true},
{"https://.iamcredentials.googleapis.com", validImpersonateURLPatterns, false}, {"https://.iamcredentials.googleapis.com", validImpersonateURLPatterns, false},
{"https://badiamcredentials.googleapis.com", validImpersonateURLPatterns, false}, {"https://badiamcredentials.googleapis.com", validImpersonateURLPatterns, false},
{"https://iamcredentials.asfe.asfesef.googleapis.com", validImpersonateURLPatterns, false}, {"https://iamcredentials.asfe.asfesef.googleapis.com", validImpersonateURLPatterns, false},
{"https://iamcredentials..googleapis.com", validImpersonateURLPatterns, false}, {"https://iamcredentials..googleapis.com", validImpersonateURLPatterns, false},
{"https://-iamcredentials.googleapis.com", validImpersonateURLPatterns, false}, {"https://-iamcredentials.googleapis.com", validImpersonateURLPatterns, false},
{"https://us-ea.st-1-iamcredentials.googleapis.com", validImpersonateURLPatterns, false}, {"https://us-ea.st-1-iamcredentials.googleapis.com", validImpersonateURLPatterns, false},
{"https://iamcredentials.googleapis.com.evil.com/whatever/path", validImpersonateURLPatterns, false},
} }
for _, tt := range urlValidityTests { for _, tt := range urlValidityTests {
t.Run(" "+tt.input, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability. t.Run(" "+tt.input, func(t *testing.T) { // We prepend a space ahead of the test input when outputting for sake of readability.