Chiebot-Mirror
/
data-plane-api
mirror of https://github.com/envoyproxy/data-plane-api.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

[api] fuzz: add validations matching ASSERT(valid) to config fields (#10773)

Browse Source 
Fuzzing catches more fields tripping on ASSERT(valid())

* JWT Authn filter has HTTP header name/value strings: forward_payload_header, name, value
* Route components: request_headers_to_remove
* health_check.proto: host, path, authority, and request_headers_to_remove

Test-only:

* utility fuzz test was running findQueryStringStart on a HeaderString. Fuzz inputs were not validated.

Fixes:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21323
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21623

Signed-off-by: Asra Ali <asraa@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 167df8c4554073d5115316ac36dd97088c3e6d93
master-ci-test
data-plane-api(CircleCI) 5 years ago
parent dcf7f353d5
commit 1b4624fe0f
5 changed files with 36 additions and 15 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 13
      envoy/config/core/v3/health_check.proto
  2. 13
      envoy/config/core/v4alpha/health_check.proto
  3. 8
      envoy/config/route/v3/route_components.proto
  4. 8
      envoy/config/route/v4alpha/route_components.proto
  5. 9
      envoy/extensions/filters/http/jwt_authn/v3/config.proto

13
envoy/config/core/v3/health_check.proto
Unescape View File

@ -87,11 +87,13 @@ message HealthCheck {
// left empty (default value), the name of the cluster this health check is associated // left empty (default value), the name of the cluster this health check is associated
// with will be used. The host header can be customized for a specific endpoint by setting the // with will be used. The host header can be customized for a specific endpoint by setting the
// :ref:`hostname <envoy_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field. // :ref:`hostname <envoy_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field.
string host = 1; string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
// Specifies the HTTP path that will be requested during health checking. For example // Specifies the HTTP path that will be requested during health checking. For example
// */healthcheck*. // */healthcheck*.
string path = 2 [(validate.rules).string = {min_bytes: 1}]; string path = 2 [
(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}
];
// [#not-implemented-hide:] HTTP specific payload. // [#not-implemented-hide:] HTTP specific payload.
Payload send = 3; Payload send = 3;
@ -108,7 +110,9 @@ message HealthCheck {
// Specifies a list of HTTP headers that should be removed from each request that is sent to the // Specifies a list of HTTP headers that should be removed from each request that is sent to the
// health checked cluster. // health checked cluster.
repeated string request_headers_to_remove = 8; repeated string request_headers_to_remove = 8 [(validate.rules).repeated = {
items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}
}];
// Specifies a list of HTTP response statuses considered healthy. If provided, replaces default // Specifies a list of HTTP response statuses considered healthy. If provided, replaces default
// 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open // 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open
@ -169,7 +173,8 @@ message HealthCheck {
// left empty (default value), the name of the cluster this health check is associated // left empty (default value), the name of the cluster this health check is associated
// with will be used. The authority header can be customized for a specific endpoint by setting // with will be used. The authority header can be customized for a specific endpoint by setting
// the :ref:`hostname <envoy_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field. // the :ref:`hostname <envoy_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field.
string authority = 2; string authority = 2
[(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
} }
// Custom health check. // Custom health check.

13
envoy/config/core/v4alpha/health_check.proto
Unescape View File

@ -87,11 +87,13 @@ message HealthCheck {
// left empty (default value), the name of the cluster this health check is associated // left empty (default value), the name of the cluster this health check is associated
// with will be used. The host header can be customized for a specific endpoint by setting the // with will be used. The host header can be customized for a specific endpoint by setting the
// :ref:`hostname <envoy_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field. // :ref:`hostname <envoy_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field.
string host = 1; string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
// Specifies the HTTP path that will be requested during health checking. For example // Specifies the HTTP path that will be requested during health checking. For example
// */healthcheck*. // */healthcheck*.
string path = 2 [(validate.rules).string = {min_bytes: 1}]; string path = 2 [
(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}
];
// [#not-implemented-hide:] HTTP specific payload. // [#not-implemented-hide:] HTTP specific payload.
Payload send = 3; Payload send = 3;
@ -108,7 +110,9 @@ message HealthCheck {
// Specifies a list of HTTP headers that should be removed from each request that is sent to the // Specifies a list of HTTP headers that should be removed from each request that is sent to the
// health checked cluster. // health checked cluster.
repeated string request_headers_to_remove = 8; repeated string request_headers_to_remove = 8 [(validate.rules).repeated = {
items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}
}];
// Specifies a list of HTTP response statuses considered healthy. If provided, replaces default // Specifies a list of HTTP response statuses considered healthy. If provided, replaces default
// 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open // 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open
@ -169,7 +173,8 @@ message HealthCheck {
// left empty (default value), the name of the cluster this health check is associated // left empty (default value), the name of the cluster this health check is associated
// with will be used. The authority header can be customized for a specific endpoint by setting // with will be used. The authority header can be customized for a specific endpoint by setting
// the :ref:`hostname <envoy_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field. // the :ref:`hostname <envoy_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field.
string authority = 2; string authority = 2
[(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
} }
// Custom health check. // Custom health check.

8
envoy/config/route/v3/route_components.proto
Unescape View File

@ -108,7 +108,9 @@ message VirtualHost {
// Specifies a list of HTTP headers that should be removed from each request // Specifies a list of HTTP headers that should be removed from each request
// handled by this virtual host. // handled by this virtual host.
repeated string request_headers_to_remove = 13; repeated string request_headers_to_remove = 13 [(validate.rules).repeated = {
items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
}];
// Specifies a list of HTTP headers that should be added to each response // Specifies a list of HTTP headers that should be added to each response
// handled by this virtual host. Headers specified at this level are applied // handled by this virtual host. Headers specified at this level are applied
@ -252,7 +254,9 @@ message Route {
// Specifies a list of HTTP headers that should be removed from each request // Specifies a list of HTTP headers that should be removed from each request
// matching this route. // matching this route.
repeated string request_headers_to_remove = 12; repeated string request_headers_to_remove = 12 [(validate.rules).repeated = {
items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
}];
// Specifies a set of headers that will be added to responses to requests // Specifies a set of headers that will be added to responses to requests
// matching this route. Headers specified at this level are applied before // matching this route. Headers specified at this level are applied before

8
envoy/config/route/v4alpha/route_components.proto
Unescape View File

@ -108,7 +108,9 @@ message VirtualHost {
// Specifies a list of HTTP headers that should be removed from each request // Specifies a list of HTTP headers that should be removed from each request
// handled by this virtual host. // handled by this virtual host.
repeated string request_headers_to_remove = 13; repeated string request_headers_to_remove = 13 [(validate.rules).repeated = {
items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
}];
// Specifies a list of HTTP headers that should be added to each response // Specifies a list of HTTP headers that should be added to each response
// handled by this virtual host. Headers specified at this level are applied // handled by this virtual host. Headers specified at this level are applied
@ -252,7 +254,9 @@ message Route {
// Specifies a list of HTTP headers that should be removed from each request // Specifies a list of HTTP headers that should be removed from each request
// matching this route. // matching this route.
repeated string request_headers_to_remove = 12; repeated string request_headers_to_remove = 12 [(validate.rules).repeated = {
items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
}];
// Specifies a set of headers that will be added to responses to requests // Specifies a set of headers that will be added to responses to requests
// matching this route. Headers specified at this level are applied before // matching this route. Headers specified at this level are applied before

9
envoy/extensions/filters/http/jwt_authn/v3/config.proto
Unescape View File

@ -171,7 +171,8 @@ message JwtProvider {
// base64url_encoded(jwt_payload_in_JSON) // base64url_encoded(jwt_payload_in_JSON)
// //
// If it is not specified, the payload will not be forwarded. // If it is not specified, the payload will not be forwarded.
string forward_payload_header = 8; string forward_payload_header = 8
[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
// If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata // If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
// in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn** // in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**
@ -218,12 +219,14 @@ message JwtHeader {
"envoy.config.filter.http.jwt_authn.v2alpha.JwtHeader"; "envoy.config.filter.http.jwt_authn.v2alpha.JwtHeader";
// The HTTP header name. // The HTTP header name.
string name = 1 [(validate.rules).string = {min_bytes: 1}]; string name = 1
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
// The value prefix. The value format is "value_prefix<token>" // The value prefix. The value format is "value_prefix<token>"
// For example, for "Authorization: Bearer <token>", value_prefix="Bearer " with a space at the // For example, for "Authorization: Bearer <token>", value_prefix="Bearer " with a space at the
// end. // end.
string value_prefix = 2; string value_prefix = 2
[(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
} }
// Specify a required provider with audiences. // Specify a required provider with audiences.

Write Preview
Loading…
Cancel
Save