feat: add domain name validation (#925)

Author: jackwotherspoon

instance/conn_name.go

@@ -27,6 +27,8 @@ var (
 	// Additionally, we have to support legacy "domain-scoped" projects
 	// (e.g. "google.com:PROJECT")
 	connNameRegex = regexp.MustCompile("([^:]+(:[^:]+)?):([^:]+):([^:]+)")
+	// The domain name pattern in accordance with RFC 1035, RFC 1123 and RFC 2181.
+	domainNameRegex = regexp.MustCompile(`^(?:[_a-z0-9](?:[_a-z0-9-]{0,61}[a-z0-9])?\.)+(?:[a-z](?:[a-z0-9-]{0,61}[a-z0-9])?)?$`)
 )
 
 // ConnName represents the "instance connection name", in the format
@@ -65,11 +67,21 @@ func (c *ConnName) DomainName() string {
 	return c.domainName
 }
 
-// HasDomainName returns the Cloud SQL domain name
+// HasDomainName returns whether the Cloud SQL instance has a domain name
 func (c *ConnName) HasDomainName() bool {
 	return c.domainName != ""
 }
 
+// IsValidDomain validates that a string is a well-formed domain name
+func IsValidDomain(dn string) bool {
+	b := []byte(dn)
+	m := domainNameRegex.FindSubmatch(b)
+	if m == nil {
+		return false
+	}
+	return true
+}
+
 // ParseConnName initializes a new ConnName struct.
 func ParseConnName(cn string) (ConnName, error) {
 	return ParseConnNameWithDomainName(cn, "")

instance/conn_name_test.go

@@ -45,3 +45,42 @@ func TestParseConnName(t *testing.T) {
 		}
 	}
 }
+
+func TestIsValidDomain(t *testing.T) {
+	tests := []struct {
+		domain string
+		want   bool
+	}{
+		{
+			domain: "prod-db.mycompany.example.com",
+			want:   true,
+		},
+		{
+			domain: "example.com.", // trailing dot
+			want:   true,
+		},
+		{
+			domain: "-example.com", // leading hyphen
+			want:   false,
+		},
+		{
+			domain: "example", // missing TLD
+			want:   false,
+		},
+		{
+			domain: "127.0.0.1", // IPv4 address
+			want:   false,
+		},
+		{
+			domain: "0:0:0:0:0:0:0:1", // IPv6 address
+			want:   false,
+		},
+	}
+
+	for _, tc := range tests {
+		v := IsValidDomain(tc.domain)
+		if v != tc.want {
+			t.Errorf("IsValidDomainName(%s) failed: want %v, got %v", tc.domain, tc.want, v)
+		}
+	}
+}

internal/cloudsql/resolver.go

@@ -20,6 +20,7 @@ import (
 	"net"
 	"sort"
 
+	"cloud.google.com/go/cloudsqlconn/errtype"
 	"cloud.google.com/go/cloudsqlconn/instance"
 )
 
@@ -63,10 +64,21 @@ type DNSInstanceConnectionNameResolver struct {
 func (r *DNSInstanceConnectionNameResolver) Resolve(ctx context.Context, icn string) (instanceName instance.ConnName, err error) {
 	cn, err := instance.ParseConnName(icn)
 	if err != nil {
-		// The connection name was not project:region:instance
-		// Attempt to query a TXT record and see if it works instead.
-		cn, err = r.queryDNS(ctx, icn)
-		if err != nil {
+		// The connection name was not in project:region:instance format.
+		// Check that connection name is a valid DNS domain name.
+		if instance.IsValidDomain(icn) {
+			// Attempt to query a TXT record and see if it works instead.
+			cn, err = r.queryDNS(ctx, icn)
+			if err != nil {
+				return instance.ConnName{}, err
+			}
+		} else {
+			// Connection name is not valid instance connection name or domain name
+			err := errtype.NewConfigError(
+				"invalid connection name, expected PROJECT:REGION:INSTANCE "+
+					"format or valid DNS domain name",
+				icn,
+			)
 			return instance.ConnName{}, err
 		}
 	}