From 449c95694606cb9706db41c9c5abbb4513885a6b Mon Sep 17 00:00:00 2001 From: "update-envoy[bot]" <135279899+update-envoy[bot]@users.noreply.github.com> Date: Wed, 8 May 2024 02:11:14 +0000 Subject: [PATCH] Add explicit header mutation validation ext_authz (#33244) * Validate headers & percent-encode query parameters in ext_authz Signed-off-by: Antonio Leonti * move-- not copy-- header mutations in grpc client Signed-off-by: antoniovleonti * move validation to clients Signed-off-by: antoniovleonti * clean up diff Signed-off-by: antoniovleonti * oops, add query param percent encoding to grpc client Signed-off-by: antoniovleonti * clean up unnecessary diff and remove unused function declaration Signed-off-by: antoniovleonti * remove unnecessary diff from ext_authz_test Signed-off-by: antoniovleonti * final clean up Signed-off-by: antoniovleonti * split ext_authz_test change into own PR (#33709) Signed-off-by: antoniovleonti * fix asan error Signed-off-by: antoniovleonti * add note in changelog Signed-off-by: antoniovleonti * move http validation to own PR Signed-off-by: antoniovleonti * Drop client request on invalid mutations Signed-off-by: antoniovleonti * formatting & changelog Signed-off-by: antoniovleonti * remove debug logs Signed-off-by: antoniovleonti * remove done todo Signed-off-by: antoniovleonti * remove comment about precent encoding query params Signed-off-by: antoniovleonti * add Rejected to exhaustive status switch statement Signed-off-by: antoniovleonti * handle rejected case in the network ext_authz filter Signed-off-by: antoniovleonti * move validation to http filter Signed-off-by: antoniovleonti * fix incorrectly numbered proto field Signed-off-by: antoniovleonti * remove unused runtime feature flag Signed-off-by: antoniovleonti * remove unnecessary comma Signed-off-by: antoniovleonti * fix inconsistent HeaderVector constructor call fmt Signed-off-by: antoniovleonti * remove unnecessary diff 
Signed-off-by: antoniovleonti * remove unnecessary dependency Signed-off-by: antoniovleonti * remove unnecessary diff Signed-off-by: antoniovleonti * fix spelling Signed-off-by: antoniovleonti * Update api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto Co-authored-by: Greg Greenway Signed-off-by: Antonio V. Leonti <53806445+antoniovleonti@users.noreply.github.com> * Update api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto Co-authored-by: Greg Greenway Signed-off-by: Antonio V. Leonti <53806445+antoniovleonti@users.noreply.github.com> * config guard remove-header change & make fmting consistent Signed-off-by: antoniovleonti * remove using decls from ext_authz_test Signed-off-by: antoniovleonti * remove unnecessary diff Signed-off-by: antoniovleonti * add stat check to integration test Signed-off-by: antoniovleonti * remove using decl from grpc_impl_test Signed-off-by: antoniovleonti * formatting changes Signed-off-by: antoniovleonti * replace unused using decl with a needed one Signed-off-by: antoniovleonti * remove unused counter Signed-off-by: antoniovleonti --------- Signed-off-by: Antonio Leonti Signed-off-by: antoniovleonti Signed-off-by: Antonio V. Leonti <53806445+antoniovleonti@users.noreply.github.com> Co-authored-by: Greg Greenway Mirrored from https://github.com/envoyproxy/envoy @ 1c6eba59dbcced94c9974dc69d1bfcfa9ee3107d
---
 .../filters/http/ext_authz/v3/ext_authz.proto | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto b/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
index 60cd96fd..ad27fbba 100644
--- a/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
+++ b/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
@@ -28,7 +28,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview `.
 // [#extension: envoy.filters.http.ext_authz]
-// [#next-free-field: 24]
+// [#next-free-field: 25]
 message ExtAuthz {
 option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.http.ext_authz.v2.ExtAuthz";
@@ -92,6 +92,21 @@ message ExtAuthz {
 // or cannot be reached. The default status is HTTP 403 Forbidden.
 type.v3.HttpStatus status_on_error = 7;
+ // When this is set to true, the filter will check the :ref:`ext_authz response
+ // ` for invalid header &
+ // query parameter mutations. If the side stream response is invalid, it will send a local reply
+ // to the downstream request with status HTTP 500 Internal Server Error.
+ //
+ // Note that headers_to_remove & query_parameters_to_remove are validated, but invalid elements in
+ // those fields should not affect any headers & thus will not cause the filter to send a local
+ // reply.
+ //
+ // When set to false, any invalid mutations will be visible to the rest of envoy and may cause
+ // unexpected behavior.
+ //
+ // If you are using ext_authz with an untrusted ext_authz server, you should set this to true.
+ bool validate_mutations = 24;
+
 // Specifies a list of metadata namespaces whose values, if present, will be passed to the
 // ext_authz service. The :ref:`filter_metadata `
 // is passed as an opaque ``protobuf::Struct``.
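Review bot: The comment on the new `validate_mutations` field in the second hunk never states its default; as a proto3 `bool` it is false unless set, so every existing deployment keeps passing unvalidated header and query-parameter mutations into the rest of Envoy until an operator opts in, which is the opposite of the setting the last sentence recommends for untrusted servers. I would add `// Defaults to false.` as its own line directly after the first paragraph so the opt-in nature is visible where the field is documented. The second paragraph says the remove lists are validated but never trigger a local reply, yet it does not say what happens to a rejected entry in those lists (dropped, or applied as-is); state that explicitly if the filter's behaviour is known, since the handling itself lives in the filter code outside this diff. The sentence about invalid mutations being "visible to the rest of envoy" would also be clearer as "passed through to the rest of Envoy unchanged". The first hunk only bumps `#next-free-field` and needs nothing.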