google/internal/externalaccount: Adding metadata verification

Change-Id: I4d664862b7b287131c1481b238ebd0875f7c233b GitHub-Last-Rev: 74bcc33 GitHub-Pull-Request: #608 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/449975 Run-TryBot: Cody Oss <codyoss@google.com> Auto-Submit: Cody Oss <codyoss@google.com> Reviewed-by: Leo Siracusa <leosiracusa@google.com> Reviewed-by: Cody Oss <codyoss@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>

Author: ScruffyProdigy

google/internal/externalaccount/aws.go

@@ -267,6 +267,49 @@ type awsRequest struct {
 Headers []awsRequestHeader `json:"headers"`
 }
 
+func (cs awsCredentialSource) validateMetadataServers() error {
+if err := cs.validateMetadataServer(cs.RegionURL, "region_url"); err != nil {
+return err
+}
+if err := cs.validateMetadataServer(cs.CredVerificationURL, "url"); err != nil {
+return err
+}
+return cs.validateMetadataServer(cs.IMDSv2SessionTokenURL, "imdsv2_session_token_url")
+}
+
+var validHostnames []string = []string{"169.254.169.254", "fd00:ec2::254"}
+
+func (cs awsCredentialSource) isValidMetadataServer(metadataUrl string) bool {
+if metadataUrl == "" {
+// Zero value means use default, which is valid.
+return true
+}
+
+u, err := url.Parse(metadataUrl)
+if err != nil {
+// Unparseable URL means invalid
+return false
+}
+
+for _, validHostname := range validHostnames {
+if u.Hostname() == validHostname {
+// If it's one of the valid hostnames, everything is good
+return true
+}
+}
+
+// hostname not found in our allowlist, so not valid
+return false
+}
+
+func (cs awsCredentialSource) validateMetadataServer(metadataUrl, urlName string) error {
+if !cs.isValidMetadataServer(metadataUrl) {
+return fmt.Errorf("oauth2/google: invalid hostname %s for %s", metadataUrl, urlName)
+}
+
+return nil
+}
+
 func (cs awsCredentialSource) doRequest(req *http.Request) (*http.Response, error) {
 if cs.client == nil {
 cs.client = oauth2.NewClient(cs.ctx, nil)