From baa233ed3aea85c96fef891b23ab1d7c9432d0a6 Mon Sep 17 00:00:00 2001
From: hfuss
Date: Thu, 9 Nov 2023 07:53:39 -0500
Subject: [PATCH 1/3] [dns] Fix for Invalid IP4 Address
Signed-off-by: hfuss
---
 internal/events/eventstream.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/internal/events/eventstream.go b/internal/events/eventstream.go
index 49a38295..6293c82f 100644
--- a/internal/events/eventstream.go
+++ b/internal/events/eventstream.go
@@ -764,7 +764,8 @@ func (a *eventStream) performActionWithRetry(batchNumber uint64, events []*event
 func (a *eventStream) isAddressUnsafe(ip *net.IPAddr) bool {
 ip4 := ip.IP.To4()
 return !a.allowPrivateIPs &&
- (ip4[0] == 0 ||
+ (len(ip4) < 1 ||
+ ip4[0] == 0 ||
 ip4[0] >= 224 ||
 ip4[0] == 127 ||
 ip4[0] == 10 ||
From 9e8b9ec6e55324fdb424010294762664ec61b248 Mon Sep 17 00:00:00 2001
From: hfuss
Date: Thu, 9 Nov 2023 11:51:27 -0500
Subject: [PATCH 2/3] separate url validation func w/ basic unit test
Signed-off-by: hfuss
---
 internal/events/webhooks.go | 25 ++++++++++++++++++-------
 internal/events/webhooks_test.go | 22 ++++++++++++++++++++++
 2 files changed, 40 insertions(+), 7 deletions(-)
 create mode 100644 internal/events/webhooks_test.go
diff --git a/internal/events/webhooks.go b/internal/events/webhooks.go
index 8b2f5cfc..297a4a56 100644
--- a/internal/events/webhooks.go
+++ b/internal/events/webhooks.go
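Review bot: In isAddressUnsafe (internal/events/eventstream.go) the new `len(ip4) < 1` guard accepts any non-empty slice, while `To4()` returns either nil or exactly four bytes, so `len(ip4) != net.IPv4len ||` states the intent more directly. The guard makes the filter fail closed (a nil result is reported as unsafe), which is the right default for an outbound-address check, but nothing in the code says so; a comment such as `// To4 returns nil for a missing or non-IPv4 address; treat that as unsafe instead of indexing it` would keep a later edit from reordering the clauses. The guard sits inside the group that is ANDed with `!a.allowPrivateIPs`, so with that option enabled an empty address is still reported as safe and the caller needs its own check. The rest of the range expression is outside the hunk.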
@@ -54,16 +54,10 @@ func newWebhookAction(es *eventStream, spec *webhookActionInfo) (*webhookAction,
 func (w *webhookAction) attemptBatch(batchNumber, attempt uint64, events []*eventData) error {
 // We perform DNS resolution before each attempt, to exclude private IP address ranges from the target
 esID := w.es.spec.ID
- u, _ := url.Parse(w.spec.URL)
- addr, err := net.ResolveIPAddr("ip4", u.Hostname())
+ u, addr, err := w.validateURL()
 if err != nil {
 return err
 }
- if w.es.isAddressUnsafe(addr) {
- err := errors.Errorf(errors.EventStreamsWebhookProhibitedAddress, u.Hostname())
- log.Errorf(err.Error())
- return err
- }
 // Set the timeout
 var transport = &http.Transport{
 Proxy: http.ProxyFromEnvironment,
@@ -114,3 +108,20 @@ func (w *webhookAction) attemptBatch(batchNumber, attempt uint64, events []*even
 }
 return err
 }
+
+func (w *webhookAction) validateURL() (*url.URL, *net.IPAddr, error) {
+ u, err := url.Parse(w.spec.URL)
+ if err != nil {
+ return nil, nil, err
+ }
+ addr, err := net.ResolveIPAddr("ip4", u.Hostname())
+ if err != nil {
+ return nil, nil, err
+ }
+ if w.es.isAddressUnsafe(addr) {
+ err := errors.Errorf(errors.EventStreamsWebhookProhibitedAddress, u.Hostname())
+ log.Errorf(err.Error())
+ return nil, nil, err
+ }
+ return u, addr, nil
+}
diff --git a/internal/events/webhooks_test.go b/internal/events/webhooks_test.go
new file mode 100644
index 00000000..6b13b785
--- /dev/null
+++ b/internal/events/webhooks_test.go
@@ -0,0 +1,22 @@
+package events
+
+import (
+ "github.com/stretchr/testify/assert"
+ "testing"
+)
+
+func TestValidateURL(t *testing.T) {
+ w := &webhookAction{
+ es: nil,
+ spec: &webhookActionInfo{
+ URL: "badurl",
+ },
+ }
+
+ _, _, err := w.validateURL()
+ assert.Error(t, err)
+
+ w.spec.URL = "https://google.com"
+ _, _, err = w.validateURL()
+ assert.NoError(t, err)
+}
From 2461f1e8dce9590d5d033877a58ecd289cd1bfe8 Mon Sep 17 00:00:00 2001
From: hfuss
Date: Thu, 9 Nov 2023 11:55:15 -0500
Subject: [PATCH 3/3] unit test fix
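Review bot: The comment at the top of attemptBatch (internal/events/webhooks.go, first hunk) promises that private ranges are excluded by resolving before each attempt, but that only holds if the connection is then made to the `addr` that validateURL returned. The hunk shows `Proxy: http.ProxyFromEnvironment` on the transport; when a proxy variable is set, the proxy resolves the hostname itself and the locally validated address no longer decides where the request lands. Whether the dialer pins `addr` is outside the hunk, so this may already be handled. If it is not, I would record the limitation next to the transport, e.g. `// NOTE: the address check is only binding when we dial addr directly; a configured proxy resolves the host again`. attemptBatch continues outside the hunk.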
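Review bot: validateURL (internal/events/webhooks.go, second hunk) never checks that the URL carries a host: `url.Parse` accepts a bare string as a relative reference, so `u.Hostname()` can be empty when it reaches `net.ResolveIPAddr`, and the empty host appears to resolve without error (the length guard added in PATCH 1/3 suggests an empty address did reach isAddressUnsafe). Rejection is then left to isAddressUnsafe, which is skipped when `allowPrivateIPs` is true. An explicit guard after the parse, `if u.Hostname() == "" { return nil, nil, errors.Errorf(errors.EventStreamsWebhookProhibitedAddress, w.spec.URL) }`, makes the result independent of that setting. Separately, `log.Errorf(err.Error())` passes a non-constant string as the format; `log.Errorf("%s", err)` keeps any `%` in the message from being read as a verb. The function also lacks a doc comment saying it returns the parsed URL together with the resolved IPv4 address that was checked.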
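Review bot: TestValidateURL (internal/events/webhooks_test.go) does not exercise the behaviour validateURL exists for: neither case supplies an address in a prohibited range, and the `badurl` case appears to reach its error through the address check rather than through `url.Parse`. I would add literal-IP cases that need no resolver, e.g. `w.spec.URL = "http://127.0.0.1"` and `w.spec.URL = "http://10.0.0.1"`, each followed by `assert.Error(t, err)`, plus a case with `allowPrivateIPs: true` on the event stream. The `https://google.com` case depends on live DNS, so it fails in a build without network access; a public IP literal for the positive case removes that dependency.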
Signed-off-by: hfuss
---
 internal/events/webhooks_test.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/internal/events/webhooks_test.go b/internal/events/webhooks_test.go
index 6b13b785..3d0c5685 100644
--- a/internal/events/webhooks_test.go
+++ b/internal/events/webhooks_test.go
@@ -7,7 +7,9 @@ import (

 func TestValidateURL(t *testing.T) {
 w := &webhookAction{
- es: nil,
+ es: &eventStream{
+ allowPrivateIPs: false,
+ },
 spec: &webhookActionInfo{
 URL: "badurl",
 },