adds regex cert url check

Signed-off-by: Aaron Weisberg <[email protected]>
aweis89 · Feb 15, 2022 · ae7a6c0 · ae7a6c0
1 parent 455f4ab
commit ae7a6c0
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/eventsources/sources/awssns/start.go b/eventsources/sources/awssns/start.go
@@ -285,12 +285,26 @@ func (el *EventListener) StartListening(ctx context.Context, dispatch func([]byt
 	}, controller, dispatch)
 }
 
+const regexSigningCertURL = `/^https:\/\/sns\.[a-zA-Z0-9-]{3,}\.amazonaws\.com(\.cn)?\/SimpleNotificationService-[a-zA-Z0-9]{32}\.pem$/`
+
+func (m *httpNotification) verifySigningCertUrl() error {
+	regex := regexp.MustCompile(regexSigningCertURL)
+	if !regex.MatchString(m.SigningCertURL) {
+		return errors.Errorf("SigningCertURL `%s` does not match `%s`", m.SigningCertURL, regexSigningCertURL)
+	}
+	return nil
+}
+
 func (m *httpNotification) verify() error {
 	msgSig, err := base64.StdEncoding.DecodeString(m.Signature)
 	if err != nil {
 		return errors.Wrap(err, "failed to base64 decode signature")
 	}
 
+	if err := m.verifySigningCertUrl(); err != nil {
+		return errors.Wrap(err, "failed to verify SigningCertURL")
+	}
+
 	res, err := http.Get(m.SigningCertURL)
 	if err != nil {
 		return errors.Wrap(err, "failed to fetch signing cert")