Implement handling of escaped slash characters in URL path

Fixes: CVE-2021-29492

Signed-off-by: Yan Avlasov <yavlasov@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 5333b928d8bcffa26ab19bf018369a835f697585
data-plane-api(Azure Pipelines) 4 years ago
parent 65b579cdd0
commit 0adf62c805
  1. 39
      envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
  2. 39
      envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto

@ -97,6 +97,36 @@ message HttpConnectionManager {
ALWAYS_FORWARD_ONLY = 4;
}
// Determines the action for request that contain %2F, %2f, %5C or %5c sequences in the URI path.
// This operation occurs before URL normalization and the merge slashes transformations if they were enabled.
enum PathWithEscapedSlashesAction {
// Default behavior specific to implementation (i.e. Envoy) of this configuration option.
// Envoy, by default, takes the KEEP_UNCHANGED action.
// NOTE: the implementation may change the default behavior at-will.
IMPLEMENTATION_SPECIFIC_DEFAULT = 0;
// Keep escaped slashes.
KEEP_UNCHANGED = 1;
// Reject client request with the 400 status. gRPC requests will be rejected with the INTERNAL (13) error code.
// The "httpN.downstream_rq_failed_path_normalization" counter is incremented for each rejected request.
REJECT_REQUEST = 2;
// Unescape %2F and %5C sequences and redirect request to the new path if these sequences were present.
// Redirect occurs after path normalization and merge slashes transformations if they were configured.
// NOTE: gRPC requests will be rejected with the INTERNAL (13) error code.
// This option minimizes possibility of path confusion exploits by forcing request with unescaped slashes to
// traverse all parties: downstream client, intermediate proxies, Envoy and upstream server.
// The "httpN.downstream_rq_redirected_with_normalized_path" counter is incremented for each
// redirected request.
UNESCAPE_AND_REDIRECT = 3;
// Unescape %2F and %5C sequences.
// Note: this option should not be enabled if intermediaries perform path based access control as
// it may lead to path confusion vulnerabilities.
UNESCAPE_AND_FORWARD = 4;
}
// [#next-free-field: 10]
message Tracing {
option (udpa.annotations.versioning).previous_message_type =
@ -271,7 +301,7 @@ message HttpConnectionManager {
type.http.v3.PathTransformation http_filter_transformation = 2;
}
reserved 27, 11, 45;
reserved 27, 11;
reserved "idle_timeout";
@ -561,6 +591,13 @@ message HttpConnectionManager {
// `HTTP spec <https://tools.ietf.org/html/rfc3986>`_ and is provided for convenience.
bool merge_slashes = 33;
// Action to take when request URL path contains escaped slash sequences (%2F, %2f, %5C and %5c).
// The default value can be overridden by the :ref:`http_connection_manager.path_with_escaped_slashes_action<config_http_conn_man_runtime_path_with_escaped_slashes_action>`
// runtime variable.
// The :ref:`http_connection_manager.path_with_escaped_slashes_action_sampling<config_http_conn_man_runtime_path_with_escaped_slashes_action_enabled>` runtime
// variable can be used to apply the action to a portion of all requests.
PathWithEscapedSlashesAction path_with_escaped_slashes_action = 45;
// The configuration of the request ID extension. This includes operations such as
// generation, validation, and associated tracing operations. If empty, the
// :ref:`UuidRequestIdConfig <envoy_v3_api_msg_extensions.request_id.uuid.v3.UuidRequestIdConfig>`
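Review bot: Field number 45 is dropped from the `reserved` list in the same commit that assigns it to `path_with_escaped_slashes_action`; reusing a reserved number is only safe if 45 never carried another published meaning, which seems to be the case if it was reserved ahead of this fix, but a comment on the field such as `// Field 45 was reserved in advance for this option and has never had another meaning.` would record that for `buf breaking` reviewers. Because the zero value resolves to `KEEP_UNCHANGED`, the new handling is inactive unless an operator sets this field or the runtime override, so the field comment should say so explicitly, e.g. `// Unless set here or via the runtime key, escaped slashes are left unchanged (KEEP_UNCHANGED).`. The comments on `UNESCAPE_AND_REDIRECT` and `UNESCAPE_AND_FORWARD` name only `%2F and %5C`, while the enum header and the field comment list all four case variants; align them as `// Unescape %2F, %2f, %5C and %5c sequences ...`. The enum header also reads "action for request that contain", which should be `// Determines the action for requests that contain %2F, %2f, %5C or %5c sequences in the URI path.`. The same points apply to the v4alpha hunks that follow, and the enclosing `HttpConnectionManager` message starts and ends outside every hunk shown.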

@ -96,6 +96,36 @@ message HttpConnectionManager {
ALWAYS_FORWARD_ONLY = 4;
}
// Determines the action for request that contain %2F, %2f, %5C or %5c sequences in the URI path.
// This operation occurs before URL normalization and the merge slashes transformations if they were enabled.
enum PathWithEscapedSlashesAction {
// Default behavior specific to implementation (i.e. Envoy) of this configuration option.
// Envoy, by default, takes the KEEP_UNCHANGED action.
// NOTE: the implementation may change the default behavior at-will.
IMPLEMENTATION_SPECIFIC_DEFAULT = 0;
// Keep escaped slashes.
KEEP_UNCHANGED = 1;
// Reject client request with the 400 status. gRPC requests will be rejected with the INTERNAL (13) error code.
// The "httpN.downstream_rq_failed_path_normalization" counter is incremented for each rejected request.
REJECT_REQUEST = 2;
// Unescape %2F and %5C sequences and redirect request to the new path if these sequences were present.
// Redirect occurs after path normalization and merge slashes transformations if they were configured.
// NOTE: gRPC requests will be rejected with the INTERNAL (13) error code.
// This option minimizes possibility of path confusion exploits by forcing request with unescaped slashes to
// traverse all parties: downstream client, intermediate proxies, Envoy and upstream server.
// The "httpN.downstream_rq_redirected_with_normalized_path" counter is incremented for each
// redirected request.
UNESCAPE_AND_REDIRECT = 3;
// Unescape %2F and %5C sequences.
// Note: this option should not be enabled if intermediaries perform path based access control as
// it may lead to path confusion vulnerabilities.
UNESCAPE_AND_FORWARD = 4;
}
// [#next-free-field: 10]
message Tracing {
option (udpa.annotations.versioning).previous_message_type =
@ -274,7 +304,7 @@ message HttpConnectionManager {
type.http.v3.PathTransformation http_filter_transformation = 2;
}
reserved 27, 11, 45;
reserved 27, 11;
reserved "idle_timeout";
@ -564,6 +594,13 @@ message HttpConnectionManager {
// `HTTP spec <https://tools.ietf.org/html/rfc3986>`_ and is provided for convenience.
bool merge_slashes = 33;
// Action to take when request URL path contains escaped slash sequences (%2F, %2f, %5C and %5c).
// The default value can be overridden by the :ref:`http_connection_manager.path_with_escaped_slashes_action<config_http_conn_man_runtime_path_with_escaped_slashes_action>`
// runtime variable.
// The :ref:`http_connection_manager.path_with_escaped_slashes_action_sampling<config_http_conn_man_runtime_path_with_escaped_slashes_action_enabled>` runtime
// variable can be used to apply the action to a portion of all requests.
PathWithEscapedSlashesAction path_with_escaped_slashes_action = 45;
// The configuration of the request ID extension. This includes operations such as
// generation, validation, and associated tracing operations. If empty, the
// :ref:`UuidRequestIdConfig <envoy_v3_api_msg_extensions.request_id.uuid.v3.UuidRequestIdConfig>`
