Check the host header to mitigate a DNS rebinding attack

99designs · May 7, 2020 · ae36903 · ae36903
1 parent 06cb65b
commit ae36903
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/server/server.go b/server/server.go
@@ -13,6 +13,7 @@ import (
 )
 
 const (
+	metadataIP      = "169.254.169.254"
 	metadataBind    = "169.254.169.254:80"
 	awsTimeFormat   = "2006-01-02T15:04:05Z"
 	localServerURL  = "http://127.0.0.1:9099"
@@ -50,7 +51,13 @@ func indexHandler(w http.ResponseWriter, r *http.Request) {
 }
 
 func credentialsHandler(w http.ResponseWriter, r *http.Request) {
-	resp, err := http.Get(localServerURL)
+	req, err := http.NewRequest("GET", localServerURL, nil)
+	if err != nil {
+		log.Fatal(err)
+	}
+	req.Host = r.Host // pass through the host so we can check for the DNS rebinding attack
+
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusGatewayTimeout)
 		return
@@ -109,6 +116,14 @@ func credsHandler(creds *credentials.Credentials) http.HandlerFunc {
 			return
 		}
 
+		// Check that the request is to 169.254.169.254
+		// Without this it's possible for an attacker to mount a DNS rebinding attack
+		// See https://github.com/99designs/aws-vault/issues/578
+		if r.Host != metadataIP {
+			http.Error(w, fmt.Sprintf("Access denied for host '%s'", r.Host), http.StatusUnauthorized)
+			return
+		}
+
 		log.Printf("RemoteAddr = %v", r.RemoteAddr)
 		log.Printf("Credentials.IsExpired() = %#v", creds.IsExpired())