grpc_json_transcoder: Add option for strict request validation (#14715)

When a downstream request's headers do not follow the transcoding specification: Current behavior: The filter blindly passes the request through to the upstream. This works well when the request is already a gRPC request, but is not ideal if the :path is malformed. New behavior: For cases where the :path is malformed, the filter will reject the request instead of passing it through. This includes paths that are not registered for transcoding and unknown query parameter variable bindings. gRPC requests are still passed through. Risk Level: Low. Backwards compatible, new behavior is guarded by option. I cannot think of a case where a client would prefer the old behavior, but let's be safe with breaking changes. Testing: Integration tests Platform Specific Features: No Ref: GoogleCloudPlatform/esp-v2#459 Signed-off-by: Teju Nareddy <nareddyt@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 6ce641fff03ea137e201cfb6e5f52e513551f2df
4 years ago · 37f2ec639a
parent a656f7286e
commit 37f2ec639a
1 changed files with 23 additions and 1 deletions
--- a/envoy/extensions/filters/http/grpc_json_transcoder/v3/transcoder.proto
+++ b/envoy/extensions/filters/http/grpc_json_transcoder/v3/transcoder.proto
@ -15,7 +15,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // gRPC-JSON transcoder :ref:`configuration overview <config_http_filters_grpc_json_transcoder>`.
 // [#extension: envoy.filters.http.grpc_json_transcoder]

-// [#next-free-field: 11]
+// [#next-free-field: 12]
 // GrpcJsonTranscoder filter configuration.
 // The filter itself can be used per route / per virtual host or on the general level. The most
 // specific one is being used for a given route. If the list of services is empty - filter
@ -192,4 +192,26 @@ message GrpcJsonTranscoder {
  // For a path with `/foo/first/bar/prefix/second/third/fourth`, `x=first`, `y=prefix/second`, `z=third/fourth`.
  // If this setting is not specified, the value defaults to :ref:`ALL_CHARACTERS_EXCEPT_RESERVED<envoy_api_enum_value_extensions.filters.http.grpc_json_transcoder.v3.GrpcJsonTranscoder.UrlUnescapeSpec.ALL_CHARACTERS_EXCEPT_RESERVED>`.
  UrlUnescapeSpec url_unescape_spec = 10 [(validate.rules).enum = {defined_only: true}];
+
+  // Whether to reject requests that cannot be transcoded.
+  //
+  // By default, the transcoder will silently pass through HTTP requests that all malformed.
+  // This includes requests with unknown query parameters, unregister paths, etc.
+  //
+  // Set this flag to enable strict HTTP request validation, resulting in the transcoder rejecting
+  // these requests with ``HTTP 400 Bad Request``.
+  // gRPC requests will still silently pass through without transcoding.
+  //
+  // The benefit of this flag is a proper error message to the downstream.
+  // Without this flag, the gRPC upstream will reset the TCP connection when a
+  // malformed HTTP request is silently passed through without transcoding. The downstream will
+  // receive a ``HTTP 503 Service Unavailable`` due to the upstream connection reset.
+  // This incorrect error message may conflict with other Envoy components, such as retry policies.
+  //
+  // Do not use this flag if the upstream supports both HTTP and gRPC.
+  // Only use this flag if the upstream is gRPC and all its services have been
+  // specified in the descriptor file in the filter config.
+  //
+  // Defaults to false for backwards compatibility.
+  bool strict_http_request_validation = 11;
 }