Lowercase comparisons

metadata/metadata.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"net/http"
 	"regexp"
+	"strings"
 )
 
 var (
@@ -14,8 +15,8 @@ var (
 		"/",
 		"/0.1",
 		"/0.1/",
-		"/computeMetadata",
-		"/computeMetadata/",
+		"/computemetadata",
+		"/computemetadata/",
 	}
 	// Explanation of regexp below:
 	//   - Lead with '/', and follow with either "0.1/meta-data",
@@ -24,7 +25,7 @@ var (
 	//     contain alphanumerics, '_', or '-', and may include
 	//     '.' if it comes after '@';
 	//   - Finish with an optional '/'.
-	allowedPattern = regexp.MustCompile("^\\/(0\\.1\\/meta\\-data|computeMetadata\\/v1beta1|computeMetadata\\/v1)(\\/[0-9A-Za-z_\\-]+(@[0-9A-Za-z_\\-\\.]*)?)*\\/?$")
+	allowedPattern = regexp.MustCompile("^\\/(0\\.1\\/meta\\-data|computemetadata\\/v1beta1|computemetadata\\/v1)(\\/[0-9a-z_\\-]+(@[0-9a-z_\\-\\.]*)?)*\\/?$")
 	// Explanation of regexp below:
 	//   - Similar to above, lead with '/', and follow with either
 	//     "0.1/meta-data", "computeMetadata/v1beta1/instance", or
@@ -33,7 +34,7 @@ var (
 	//     "service-accounts/<valid-service-account-or-alias>/identity".
 	// In particular, note that '.' may only come after '@' in the valid
 	// service account or alias.
-	concealedPattern = regexp.MustCompile("^\\/(0\\.1\\/meta\\-data|computeMetadata\\/v1beta1\\/instance|computeMetadata\\/v1\\/instance)/(attributes/kube-env|service-accounts/[0-9A-Za-z_\\-]+(@[0-9A-Za-z_\\-\\.]*)?/identity)$")
+	concealedPattern = regexp.MustCompile("^\\/(0\\.1\\/meta\\-data|computemetadata\\/v1beta1\\/instance|computemetadata\\/v1\\/instance)/(attributes/kube-env|service-accounts/[0-9a-z_\\-]+(@[0-9a-z_\\-\\.]*)?/identity)$")
 )
 
 func Filter(req *http.Request) error {
@@ -48,20 +49,22 @@ func Filter(req *http.Request) error {
 		return errors.New("?recursive calls are not allowed by the metadata proxy.")
 	}
 
+	// Check against lowercase.
+	lowerPath := strings.ToLower(req.URL.Path)
 	// Allow known discovery endpoints.
 	for _, e := range discoveryEndpoints {
-		if req.URL.Path == e {
+		if lowerPath == e {
 			return nil
 		}
 	}
 	// Check to make sure there's nothing weird happening.
-	if !allowedPattern.MatchString(req.URL.Path) {
+	if !allowedPattern.MatchString(lowerPath) {
 		return errors.New("This metadata endpoint is not allowed by the metadata proxy.")
 	}
 	// Conceal kube-env and vm identity endpoints for known API versions.
 	// Don't block unknown API versions, since we don't know if they have
 	// the same paths.
-	if concealedPattern.MatchString(req.URL.Path) {
+	if concealedPattern.MatchString(lowerPath) {
 		return errors.New("This metadata endpoint is concealed.")
 	}
 	// Allow proxy for known API versions, defined by prefixes and known

metadata/metadata_test.go

@@ -42,6 +42,8 @@ func TestServeHTTP(t *testing.T) {
 		// Params that contain 'recursive' as substring.
 		{"/computeMetadata/v1/instance/?nonrecursive=true", nil},
 		{"/computeMetadata/v1/instance/?something=other&nonrecursive=true", nil},
+		// Different case.
+		{"/COMPUTEMETADATA/V1/", nil},
 
 		// Other API versions.
 		{"/0.2/", notAllowedErr},
@@ -61,6 +63,7 @@ func TestServeHTTP(t *testing.T) {
 		// Other.
 		{"/computeMetadata/v1/instance/attributes//kube-env", notAllowedErr},
 		{"/computeMetadata/v1/instance/attributes/../attributes/kube-env", notAllowedErr},
+		{"/COMPUTEMETADATA/V1/INSTANCE/ATTRIBUTES/KUBE-ENV", concealedErr},
 	}
 
 	for _, tc := range tests {