aws: fix leaks on new EKS Pod identities

edsiper · edsiper · commit 05b7a16fee7c · 2025-03-21T15:14:54.000-06:00
Signed-off-by: Eduardo Silva &lt;eduardo@calyptia.com&gt;
diff --git a/src/aws/flb_aws_credentials_http.c b/src/aws/flb_aws_credentials_http.c
@@ -53,9 +53,9 @@ static int http_credentials_request(struct flb_aws_provider_http
                                     *implementation);
 
 
-/* 
-If the resolved URI’s scheme is HTTPS, its hostname may be used in the request. 
-Otherwise, implementations MUST fail to resolve when the URI hostname 
+/*
+If the resolved URI’s scheme is HTTPS, its hostname may be used in the request.
+Otherwise, implementations MUST fail to resolve when the URI hostname
 does not satisfy any of the following conditions:
 
 is within the loopback CIDR (IPv4 127.0.0.0/8, IPv6 ::1/128)
@@ -67,7 +67,7 @@ static int validate_http_credential_uri(flb_sds_t protocol, flb_sds_t host)
         return 0;
     } else if (strncmp(host, "127.", 4) == 0 ||
                strncmp(host, ECS_CREDENTIALS_HOST, ECS_CREDENTIALS_HOST_LEN) == 0 ||
-               strncmp(host, EKS_CREDENTIALS_HOST, EKS_CREDENTIALS_HOST_LEN) == 0 || 
+               strncmp(host, EKS_CREDENTIALS_HOST, EKS_CREDENTIALS_HOST_LEN) == 0 ||
                strstr(host, "::1") != NULL ||
                strstr(host, "fd00:ec2::23") != NULL ||
                strstr(host, "fe80:") != NULL) {
@@ -263,7 +263,6 @@ struct flb_aws_provider *flb_endpoint_provider_create(struct flb_config *config,
               host, path);
 
     provider = flb_calloc(1, sizeof(struct flb_aws_provider));
-
     if (!provider) {
         flb_errno();
         return NULL;
@@ -322,9 +321,7 @@ struct flb_aws_provider *flb_endpoint_provider_create(struct flb_config *config,
  * with the ECS credentials endpoint.
  */
 struct flb_aws_provider *flb_http_provider_create(struct flb_config *config,
-                                                   struct
-                                                   flb_aws_client_generator
-                                                   *generator)
+                                                   struct flb_aws_client_generator *generator)
 {
     flb_sds_t path = NULL;
     flb_sds_t protocol = NULL;
@@ -351,24 +348,27 @@ struct flb_aws_provider *flb_http_provider_create(struct flb_config *config,
             flb_free(host);
             return NULL;
         }
-    } else if (full_uri && strlen(full_uri) > 0) {
+    }
+    else if (full_uri && strlen(full_uri) > 0) {
         ret = flb_utils_url_split_sds(full_uri, &protocol, &host, &port_sds, &path);
         if (ret < 0) {
             return NULL;
         }
+
         insecure = strncmp(protocol, "http", 4) == 0 ? FLB_TRUE : FLB_FALSE;
         ret = validate_http_credential_uri(protocol, host);
         if (ret < 0) {
             flb_error("[aws credentials] %s must be set to an https:// address or a link local IP address."
-                      " Found protocol=%s, host=%s, port=%s, path=%s", 
+                      " Found protocol=%s, host=%s, port=%s, path=%s",
                       AWS_CREDENTIALS_FULL_URI, protocol, host, port_sds, path);
             flb_sds_destroy(protocol);
             flb_sds_destroy(host);
             flb_sds_destroy(port_sds);
             flb_sds_destroy(path);
             return NULL;
         }
-    } else {
+    }
+    else {
         flb_debug("[aws_credentials] Not initializing ECS/EKS HTTP Provider because"
                   " %s and %s is not set", AWS_CREDENTIALS_PATH, AWS_CREDENTIALS_FULL_URI);
         return NULL;
@@ -378,7 +378,7 @@ struct flb_aws_provider *flb_http_provider_create(struct flb_config *config,
         port = atoi(port_sds);
         if (port == 0) {
             flb_error("[aws credentials] invalid port: %s must be set to an https:// address or a link local IP address."
-                      " Found protocol=%s, host=%s, port=%s, path=%s", 
+                      " Found protocol=%s, host=%s, port=%s, path=%s",
                       AWS_CREDENTIALS_FULL_URI, protocol, host, port_sds, path);
             flb_sds_destroy(protocol);
             flb_sds_destroy(host);
@@ -388,6 +388,9 @@ struct flb_aws_provider *flb_http_provider_create(struct flb_config *config,
         }
     }
 
+    flb_sds_destroy(port_sds);
+    flb_sds_destroy(protocol);
+
     return flb_endpoint_provider_create(config, host, path, port, insecure, generator);
 
 }
@@ -412,14 +415,30 @@ static int http_credentials_request(struct flb_aws_provider_http
     struct flb_aws_client *client = implementation->client;
     struct flb_http_client *c = NULL;
     int ret;
+    char *tmp;
     char *auth_token = NULL;
     size_t auth_token_size = 0;
     char *auth_token_path = NULL;
 
     auth_token_path = getenv(AUTH_TOKEN_FILE_ENV_VAR);
-    auth_token = getenv(AUTH_TOKEN_ENV_VAR);
+    tmp = getenv(AUTH_TOKEN_ENV_VAR);
+    if (tmp) {
+        auth_token = flb_malloc(strlen(tmp) + 1);
+        if (!auth_token) {
+            flb_errno();
+            return -1;
+        }
+        strcpy(auth_token, tmp);
+    }
+
     if (auth_token_path != NULL && strlen(auth_token_path) > 0) {
         flb_debug("[aws] reading authorization token from %s", auth_token_path);
+
+        if (auth_token) {
+            flb_free(auth_token);
+            auth_token = NULL;
+        }
+
         ret = flb_read_file(auth_token_path, &auth_token,
                             &auth_token_size);
         if (ret < 0) {
@@ -441,6 +460,11 @@ static int http_credentials_request(struct flb_aws_provider_http
                                            NULL, 0);
     }
 
+    if (auth_token) {
+        flb_free(auth_token);
+        auth_token = NULL;
+    }
+
     if (!c || c->resp.status != 200) {
         flb_debug("[aws_credentials] http credentials request failed");
         if (c) {
@@ -450,15 +474,22 @@ static int http_credentials_request(struct flb_aws_provider_http
             }
             flb_http_client_destroy(c);
         }
+        if (auth_token) {
+            flb_free(auth_token);
+        }
         return -1;
     }
 
+
     response = c->resp.payload;
     response_len = c->resp.payload_size;
 
     creds = flb_parse_http_credentials(response, response_len, &expiration);
     if (!creds) {
         flb_http_client_destroy(c);
+        if (auth_token) {
+            flb_free(auth_token);
+        }
         return -1;
     }
 
@@ -469,6 +500,7 @@ static int http_credentials_request(struct flb_aws_provider_http
     implementation->creds = creds;
     implementation->next_refresh = expiration - FLB_AWS_REFRESH_WINDOW;
     flb_http_client_destroy(c);
+
     return 0;
 }
 
diff --git a/src/aws/flb_aws_util.c b/src/aws/flb_aws_util.c
@@ -215,21 +215,21 @@ struct flb_http_client *flb_aws_client_request_basic_auth(
                                                struct flb_aws_client *aws_client,
                                                int method, const char *uri,
                                                const char *body, size_t body_len,
-                                               struct flb_aws_header
-                                               *dynamic_headers,
+                                               struct flb_aws_header *dynamic_headers,
                                                size_t dynamic_headers_len,
                                                char *header_name,
                                                char* auth_token)
 {
     struct flb_http_client *c = NULL;
     struct flb_aws_header *auth_header = NULL;
     struct flb_aws_header *headers = NULL;
+
     auth_header = flb_calloc(1, sizeof(struct flb_aws_header));
     if (!auth_header) {
         flb_errno();
         return NULL;
     }
-    
+
     auth_header->key = header_name;
     auth_header->key_len = strlen(header_name);
     auth_header->val = auth_token;
