fix: Validate url domain for aws metadata urls #1079
LGTM with a couple of small comments
try { | ||
URL url = new URL(urlString); | ||
String host = url.getHost(); | ||
if (!host.equals("169.254.169.254") && !host.equals("[fd00:ec2::254]")) { |
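Review bot: on the `if` line, the host check is a case-sensitive exact match against two string literals, so an equivalent spelling of the IPv6 address (uppercase hex digits, or the expanded form `[fd00:ec2:0:0:0:0:0:254]`) is rejected. That fails closed, which is the safe direction, but it deserves a test that pins the behaviour and a short comment noting that the bracketed form is what `url.getHost()` returns for an IPv6 literal. Pulling the two literals into named `static final` constants would also let the check and its tests share one definition.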
Both constants are GCE-specific, better add as package constants (static final) to the ComputeEngineCredentials
They are AWS MDS endpoints. 169.254.169.254 is the same one used by GCE as well, I guess. But I do not find any documentation about the IPv6 one for GCE.
Thanks Sai
oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
* fix: Validate url domain for aws metadata urls
* fix external account tests
* static method and split tests
* rename param:
Updating AWS credential source validation as per new updates in AIP. Make sure the hosts of url, region_url and imdsv2 session token url belong to the AWS metadata server.
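The validation described in this PR, written out as a stand-alone added example (not the library's code): every URL field of an AWS credential source is checked against the two metadata-server hosts, and look-alike URLs are rejected. The class, method and map names are hypothetical, the `imdsv2_session_token_url` key spelling is assumed from the description, and all sample URLs are constructed.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example; class, method and map names are hypothetical, not the library's.
public class AwsMetadataUrlCheck {
  // Hosts from the PR's check. URL.getHost() keeps the brackets on an IPv6 literal.
  static final List<String> ALLOWED_HOSTS = Arrays.asList("169.254.169.254", "[fd00:ec2::254]");
  // Credential-source fields named in the PR description (key spelling assumed).
  static final String[] URL_FIELDS = {"url", "region_url", "imdsv2_session_token_url"};

  static boolean isAllowedMetadataUrl(String urlString) {
    try {
      return ALLOWED_HOSTS.contains(new URL(urlString).getHost());
    } catch (MalformedURLException e) {
      return false; // unparsable input fails closed
    }
  }

  // Checks every URL field that is present and rejects the whole source on the first bad host.
  static void validate(Map<String, String> credentialSource) {
    for (String field : URL_FIELDS) {
      String value = credentialSource.get(field);
      if (value != null && !isAllowedMetadataUrl(value)) {
        throw new IllegalArgumentException("Invalid host for " + field + ": " + value);
      }
    }
  }

  public static void main(String[] args) {
    // Constructed sample: all three fields point at the metadata server, so this passes.
    Map<String, String> source = new LinkedHashMap<>();
    source.put("url", "http://169.254.169.254/latest/meta-data/iam/security-credentials");
    source.put("region_url", "http://[fd00:ec2::254]/latest/meta-data/placement/availability-zone");
    source.put("imdsv2_session_token_url", "http://169.254.169.254/latest/api/token");
    validate(source);
    System.out.println("accepted: " + source.keySet());

    // Constructed look-alikes: suffix host, userinfo before '@', and a string with no scheme.
    for (String bad : new String[] {"http://169.254.169.254.example.com/latest/api/token",
        "http://169.254.169.254@example.com/latest/api/token", "169.254.169.254/latest"}) {
      System.out.println(bad + " -> allowed=" + isAllowedMetadataUrl(bad));
    }
  }
}
```

Comparing the parsed host, rather than searching the raw string for the address, is what makes the suffix and userinfo forms fail: `getHost()` returns `169.254.169.254.example.com` and `example.com` for them.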