Add redirect guards

The driver will currently follow any redirects from the server.
This can cause problems. For example when running on AWS there is a service running
on a link-local address which provides IAM credentials (IMDS). If the server redirects
to this address, the driver will return an error message with the IAM credentials.

Author: jkoskela

client/trino-client/src/main/java/io/trino/client/SafeRedirector.java

@@ -0,0 +1,89 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.client;
+
+import okhttp3.Interceptor;
+import okhttp3.Response;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.UnknownHostException;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+public class SafeRedirector
+        implements Interceptor
+{
+    private static final Logger log = Logger.getLogger(SafeRedirector.class.getName());
+
+    public SafeRedirector() {}
+
+    static boolean deny(InetAddress addr)
+    {
+        return addr.isAnyLocalAddress() ||
+               addr.isLoopbackAddress() ||
+               addr.isLinkLocalAddress() ||
+               addr.isSiteLocalAddress();
+    }
+
+    @Override
+    public Response intercept(Chain chain)
+            throws IOException
+    {
+        Response response = chain.proceed(chain.request());
+
+        if (response.isRedirect()) {
+            String location = response.header("Location");
+            if (location != null) {
+                validateRedirect(location);
+            }
+        }
+        return response;
+    }
+
+    void validateRedirect(String location)
+    {
+        URI redirectUri;
+        try {
+            redirectUri = new URI(location);
+        }
+        catch (URISyntaxException e) {
+            log.log(Level.SEVERE, "Failed to parse redirect location " + location, e);
+            // This should fail later, let it fail in the normal location.
+            return;
+        }
+
+        String host = redirectUri.getHost();
+        if (host == null) {
+            log.warning("Redirect location " + location + " has no host");
+            return;
+        }
+
+        try {
+            InetAddress[] addresses = InetAddress.getAllByName(host);
+            for (InetAddress address : addresses) {
+                if (deny(address)) {
+                    log.warning("Blocked redirect to " + location + " (resolved to " + address + ")");
+                    throw new ClientException("Redirect to location is not allowed: " + location);
+                }
+            }
+        }
+        catch (UnknownHostException e) {
+            log.log(Level.SEVERE, "Failed to resolve redirect host " + host, e);
+            // This should fail later, let it fail in the normal location.
+        }
+    }
+}

client/trino-client/src/main/java/io/trino/client/uri/ConnectionProperties.java

@@ -116,6 +116,7 @@ enum SslVerificationMode
     public static final ConnectionProperty<String, Map<String, String>> RESOURCE_ESTIMATES = new ResourceEstimates();
     public static final ConnectionProperty<String, List<String>> SQL_PATH = new SqlPath();
     public static final ConnectionProperty<String, Boolean> VALIDATE_CONNECTION = new ValidateConnection();
+    public static final ConnectionProperty<String, Boolean> USE_SAFE_REDIRECT = new UseSafeRedirect();
 
     private static final Set<ConnectionProperty<?, ?>> ALL_PROPERTIES = ImmutableSet.<ConnectionProperty<?, ?>>builder()
             // Keep sorted
@@ -173,6 +174,7 @@ enum SslVerificationMode
             .add(TIMEZONE)
             .add(TRACE_TOKEN)
             .add(USER)
+            .add(USE_SAFE_REDIRECT)
             .add(VALIDATE_CONNECTION)
             .build();
 
@@ -958,6 +960,15 @@ public AssumeNullCatalogMeansCurrentCatalog()
         }
     }
 
+    private static class UseSafeRedirect
+            extends AbstractConnectionProperty<String, Boolean>
+    {
+        public UseSafeRedirect()
+        {
+            super(PropertyName.USE_SAFE_REDIRECT, Optional.of(false), NOT_REQUIRED, ALLOWED, BOOLEAN_CONVERTER);
+        }
+    }
+
     private static class MapPropertyParser
     {
         private static final CharMatcher PRINTABLE_ASCII = CharMatcher.inRange((char) 0x21, (char) 0x7E);

client/trino-client/src/main/java/io/trino/client/uri/HttpClientFactory.java

@@ -15,6 +15,7 @@
 
 import io.trino.client.ClientException;
 import io.trino.client.DnsResolver;
+import io.trino.client.SafeRedirector;
 import io.trino.client.auth.external.CompositeRedirectHandler;
 import io.trino.client.auth.external.ExternalAuthenticator;
 import io.trino.client.auth.external.HttpTokenPoller;
@@ -109,6 +110,9 @@ public static OkHttpClient.Builder toHttpClientBuilder(TrinoUri uri, String user
             ExternalAuthenticator authenticator = new ExternalAuthenticator(
                     redirectHandler, poller, knownTokenCache.create(), timeout);
 
+            if (uri.useSafeRedirect()) {
+                builder.addNetworkInterceptor(new SafeRedirector());
+            }
             builder.authenticator(authenticator);
             builder.addNetworkInterceptor(authenticator);
         }

client/trino-client/src/main/java/io/trino/client/uri/PropertyName.java

@@ -76,6 +76,7 @@ public enum PropertyName
     TIMEZONE("timezone"),
     TRACE_TOKEN("traceToken"),
     USER("user"),
+    USE_SAFE_REDIRECT("useSafeRedirect"),
     VALIDATE_CONNECTION("validateConnection");
 
     private final String key;

client/trino-client/src/main/java/io/trino/client/uri/TrinoUri.java

@@ -98,6 +98,7 @@
 import static io.trino.client.uri.ConnectionProperties.TIMEZONE;
 import static io.trino.client.uri.ConnectionProperties.TRACE_TOKEN;
 import static io.trino.client.uri.ConnectionProperties.USER;
+import static io.trino.client.uri.ConnectionProperties.USE_SAFE_REDIRECT;
 import static io.trino.client.uri.ConnectionProperties.VALIDATE_CONNECTION;
 import static io.trino.client.uri.LoggingLevel.NONE;
 import static java.lang.String.CASE_INSENSITIVE_ORDER;
@@ -423,6 +424,11 @@ public boolean isCompressionDisabled()
         return resolveWithDefault(DISABLE_COMPRESSION, false);
     }
 
+    public boolean useSafeRedirect()
+    {
+        return resolveWithDefault(USE_SAFE_REDIRECT, false);
+    }
+
     public Optional<String> getEncoding()
     {
         Optional<String> encodings = resolveOptional(ENCODING);
@@ -1058,6 +1064,11 @@ public Builder setValidateConnection(boolean value)
             return setProperty(VALIDATE_CONNECTION, value);
         }
 
+        public Builder setUseSafeRedirect(boolean value)
+        {
+            return setProperty(USE_SAFE_REDIRECT, value);
+        }
+
         <V, T> Builder setProperty(ConnectionProperty<V, T> connectionProperty, T value)
         {
             properties.put(connectionProperty.getKey(), connectionProperty.encodeValue(value));

client/trino-client/src/test/java/io/trino/client/TestSafeRedirector.java

@@ -0,0 +1,154 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.client;
+
+import okhttp3.Interceptor;
+import okhttp3.Protocol;
+import okhttp3.Request;
+import okhttp3.Response;
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThatCode;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+public class TestSafeRedirector
+{
+    private static final String BASE_URL = "https://example.com";
+
+    @Test
+    public void testRedirectValidation()
+    {
+        SafeRedirector redirector = new SafeRedirector();
+
+        // Test valid external redirects
+        assertThatCode(() ->
+            redirector.intercept(createChainWithRedirect("https://www.example.com")))
+                .doesNotThrowAnyException();
+        assertThatCode(() ->
+            redirector.intercept(createChainWithRedirect("https://api.github.com")))
+                .doesNotThrowAnyException();
+
+        // Test invalid URI
+        assertThatCode(() ->
+            redirector.intercept(createChainWithRedirect("not a valid uri")))
+                .doesNotThrowAnyException();
+        // Test unresolvable host
+        assertThatCode(() ->
+            redirector.intercept(createChainWithRedirect("https://nonexistent.example.invalid")))
+                .doesNotThrowAnyException();
+
+        // Test denied uri's
+        assertThatThrownBy(() ->
+            redirector.intercept(createChainWithRedirect("https://127.0.0.1")))
+                .isInstanceOf(ClientException.class);
+        assertThatThrownBy(() ->
+            redirector.intercept(createChainWithRedirect("https://localhost")))
+                .isInstanceOf(ClientException.class);
+        assertThatThrownBy(() ->
+            redirector.intercept(createChainWithRedirect("http://192.168.1.1")))
+                .isInstanceOf(ClientException.class);
+        assertThatThrownBy(() ->
+            redirector.intercept(createChainWithRedirect("https://0.0.0.0")))
+                .isInstanceOf(ClientException.class);
+        assertThatThrownBy(() ->
+            redirector.intercept(createChainWithRedirect("https://172.16.0.1")))
+                .isInstanceOf(ClientException.class);
+        assertThatThrownBy(() ->
+            redirector.intercept(createChainWithRedirect("https://169.254.169.254")))
+                .isInstanceOf(ClientException.class);
+    }
+
+    private static Interceptor.Chain createChainWithRedirect(String location)
+    {
+        return new TestInterceptorChain(new Response.Builder()
+                .request(new Request.Builder().url(BASE_URL).build())
+                .protocol(Protocol.HTTP_1_1)
+                .code(302)
+                .message("Found")
+                .header("Location", location)
+                .build());
+    }
+
+    private static class TestInterceptorChain
+            implements Interceptor.Chain
+    {
+        private final Response response;
+
+        TestInterceptorChain(Response response)
+        {
+            this.response = response;
+        }
+
+        @Override
+        public Request request()
+        {
+            return response.request();
+        }
+
+        @Override
+        public Response proceed(Request request)
+        {
+            return response;
+        }
+
+        // Implement other Chain methods with default values
+        @Override
+        public int connectTimeoutMillis()
+        {
+            return 0;
+        }
+
+        @Override
+        public Interceptor.Chain withConnectTimeout(int timeout, java.util.concurrent.TimeUnit unit)
+        {
+            return this;
+        }
+
+        @Override
+        public int readTimeoutMillis()
+        {
+            return 0;
+        }
+
+        @Override
+        public Interceptor.Chain withReadTimeout(int timeout, java.util.concurrent.TimeUnit unit)
+        {
+            return this;
+        }
+
+        @Override
+        public int writeTimeoutMillis()
+        {
+            return 0;
+        }
+
+        @Override
+        public Interceptor.Chain withWriteTimeout(int timeout, java.util.concurrent.TimeUnit unit)
+        {
+            return this;
+        }
+
+        @Override
+        public okhttp3.Connection connection()
+        {
+            return null;
+        }
+
+        @Override
+        public okhttp3.Call call()
+        {
+            return null;
+        }
+    }
+}