Check the host header to mitigate a DNS rebinding attack
mtibben committed May 5, 2020
1 parent 08380e6 commit 8a75233
Showing 1 changed file with 16 additions and 1 deletion.
17 changes: 16 additions & 1 deletion server/server.go
Expand Up @@ -17,6 +17,7 @@ import (
)

const (
metadataIP = "169.254.169.254"
metadataBind = "169.254.169.254:80"
awsTimeFormat = "2006-01-02T15:04:05Z"
localServerUrl = "http://127.0.0.1:9099"
Expand Down Expand Up @@ -58,7 +59,13 @@ func indexHandler(w http.ResponseWriter, r *http.Request) {
}

func credentialsHandler(w http.ResponseWriter, r *http.Request) {
resp, err := http.Get(localServerUrl)
req, err := http.NewRequest("GET", localServerUrl, nil)
if err != nil {
log.Fatal(err)
}
req.Host = r.Host // pass through the host so we can check for the DNS rebinding attack

resp, err := http.DefaultClient.Do(req)
if err != nil {
http.Error(w, err.Error(), http.StatusGatewayTimeout)
return
Expand Down Expand Up @@ -142,6 +149,14 @@ func StartCredentialsServer(creds *vault.VaultCredentials) error {
return
}

// Check that the request is to 169.254.169.254
// Without this it's possible for an attacker to mount a DNS rebinding attack
// See https://github.com/99designs/aws-vault/issues/578
if r.Host != metadataIP {
http.Error(w, fmt.Sprintf("Access denied for host '%s'", r.Host), http.StatusUnauthorized)
return
}

log.Printf("RemoteAddr = %v", r.RemoteAddr)
log.Printf("Credentials.IsExpired() = %#v", creds.IsExpired())

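Review bot: The rejection branch added in the last hunk returns without logging anything, so a rebinding attempt leaves no trace even though the accepted path a few lines below logs RemoteAddr; add `log.Printf("rejected request for host %q from %v", r.Host, r.RemoteAddr)` before the http.Error call so such attempts are visible in the server log. The exact string comparison also rejects a client that sends `Host: 169.254.169.254:80` with the port included, which is legal for port 80 — if that matters, separate the port with net.SplitHostPort before comparing (check whether net is already imported, the import block is cut off in this view). http.StatusForbidden describes a host mismatch better than StatusUnauthorized, which implies an authentication challenge. In the credentialsHandler hunk, `log.Fatal(err)` inside a request handler would terminate the whole process on a single bad request; `http.Error(w, err.Error(), http.StatusInternalServerError); return` is the safer failure mode even though NewRequest with a constant URL is unlikely to fail. The handler inside StartCredentialsServer starts and ends outside the hunk.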

0 comments on commit 8a75233
