Further refine URI validation and add more tests

Author: javorszky

internal/configs/configmaps_test.go

@@ -1626,7 +1626,7 @@ func TestOpenTelemetryConfigurationInvalid(t *testing.T) {
 		{
 			configMap: &v1.ConfigMap{
 				Data: map[string]string{
-					"otel-exporter-endpoint": "something?invalid*30here",
+					"otel-exporter-endpoint": "something%invalid*30here",
 				},
 			},
 			expectedLoadModule:          false,
@@ -1644,7 +1644,7 @@ func TestOpenTelemetryConfigurationInvalid(t *testing.T) {
 				},
 			},
 			expectedLoadModule:          false,
-			expectedExporterEndpoint:    "localhost:0",
+			expectedExporterEndpoint:    "",
 			expectedExporterHeaderName:  "",
 			expectedExporterHeaderValue: "",
 			expectedServiceName:         "",

internal/validation/validation.go

@@ -3,6 +3,7 @@ package validation
 import (
 	"errors"
 	"fmt"
+	"net/netip"
 	"net/url"
 	"regexp"
 	"strconv"
@@ -138,6 +139,17 @@ func ValidateURI(uri string, options ...URIValidationOption) error {
 		return errors.New("user is not allowed")
 	}
 
+	// Check whether we're dealing with an IPV6 address.
+	checkIPv6 := parsed.Host
+	if strings.Contains(checkIPv6, "[") {
+		checkIPv6 = parsed.Hostname()
+	}
+
+	if ip, err := netip.ParseAddr(checkIPv6); err == nil && !ip.Is4() {
+		return fmt.Errorf("ipv6 addresses are not allowed")
+	}
+
+	// Check whether the ports posted are valid.
 	if parsed.Port() != "" {
 		// Turn the string port into an integer and check if it's in the correct
 		// range. The net.url.Parse does not check whether the port is the allowed
@@ -154,5 +166,15 @@ func ValidateURI(uri string, options ...URIValidationOption) error {
 		}
 	}
 
+	// Check whether each part of the domain is not too long.
+	// This should really be octets
+	for _, part := range strings.Split(parsed.Hostname(), ".") {
+		// turn each part into a byte array to get a length of octets.
+		// max length of a subdomain is 63 octets per RFC 1035.
+		if len([]byte(part)) > 63 {
+			return fmt.Errorf("invalid hostname part %s, value must be between 1 and 63 octets", part)
+		}
+	}
+
 	return nil
 }

internal/validation/validation_test.go

@@ -172,6 +172,30 @@ func TestValidateURI(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name:    "uri that is an ipv6 address with a port",
+			uri:     "https://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:17000",
+			options: []URIValidationOption{},
+			wantErr: true,
+		},
+		{
+			name:    "uri that is an ipv6 address without a port",
+			uri:     "https://2001:0db8:85a3:0000:0000:8a2e:0370:7334",
+			options: []URIValidationOption{},
+			wantErr: true,
+		},
+		{
+			name:    "uri that is a short ipv6 without port without scheme",
+			uri:     "fe80::1",
+			options: []URIValidationOption{},
+			wantErr: true,
+		},
+		{
+			name:    "uri that is a short ipv6 with a port without scheme",
+			uri:     "[fe80::1]:80",
+			options: []URIValidationOption{},
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {