Update eic_curl_authorized_keys for release 1.1.13

* Verify that domain returned from IMDS is an AWS domain
aws · Nov 18, 2020 · c15b99f · c15b99f
1 parent 47de505
commit c15b99f
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 1 deletion.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.1-12
+1.1-13
diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,9 @@
+ec2-instance-connect (1.1.13) xenial; urgency=high
+
+  * Verify that domain returned from IMDS is an AWS domain
+
+ -- Jacob Meisler <[email protected]>  Thu, 22 Oct 2020 00:00:00 -0400
+
 ec2-instance-connect (1.1.12) xenial; urgency=high
 
   * Adding support for Instance Metadata Service Version 2

diff --git a/rpmsrc/SPECS/generic.spec b/rpmsrc/SPECS/generic.spec
@@ -155,6 +155,8 @@ fi
 
 
 %changelog
+* Thu Oct 22 2020 Jacob Meisler <[email protected]> 1.1-13
+- Verify that domain returned from IMDS is an AWS domain
 * Tue Nov 19 2019 Daniel Anderson <[email protected]> 1.1-12
 - Adding support for Instance Metadata Service Version 2
 - Modifying cURL invocation to avoid need for eval

diff --git a/src/bin/eic_curl_authorized_keys b/src/bin/eic_curl_authorized_keys
@@ -111,6 +111,17 @@ if [ "${domain_exit}" -ne 0 ]
 then
     exit "${domain_exit}"
 fi
+is_domain_valid=1
+for valid_domain in amazonaws.com amazonaws.com.cn c2s.ic.gov sc2s.sgov.gov; do
+    if [ "$domain" = "$valid_domain" ]; then
+        is_domain_valid=0
+        break
+    fi
+done
+if [ $is_domain_valid -eq 1 ]; then
+    /usr/bin/logger -i -p authpriv.info "EC2 Instance Connect found an invalid domain and will do nothing."
+    exit 255
+fi
 
 expected_signer=$(/usr/bin/printf 'managed-ssh-signer.%s.%s' "${region}" "${domain}")