[api] Fix header validations #10335

This enables "non-strict" header validations, which match the checks in Envoy's ASSERT(valid()) code. The default strict: true validation enforces RFC compliance, which may break previously valid configs.

Part of #10318

Signed-off-by: Asra Ali <asraa@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 97a76d991766d96df2e84a1f2e33b69cae844471
master-ci-test
data-plane-api(CircleCI) 5 years ago
parent 4f6fd7dc7d
commit 6b88f378ee
  1. 4
      bazel/repository_locations.bzl
  2. 11
      envoy/api/v2/core/base.proto
  3. 15
      envoy/api/v2/route.proto
  4. 20
      envoy/api/v2/route/route_components.proto
  5. 11
      envoy/config/core/v3/base.proto
  6. 15
      envoy/config/route/v3/route.proto
  7. 20
      envoy/config/route/v3/route_components.proto
  8. 3
      envoy/type/tracing/v2/custom_tag.proto
  9. 3
      envoy/type/tracing/v3/custom_tag.proto

@ -4,8 +4,8 @@ BAZEL_SKYLIB_SHA256 = "1dde365491125a3db70731e25658dfdd3bc5dbdfd11b840b3e987ecf0
OPENCENSUS_PROTO_GIT_SHA = "be218fb6bd674af7519b1850cdf8410d8cbd48e8" # Dec 20, 2019
OPENCENSUS_PROTO_SHA256 = "e3bbdc94375e86c0edfb2fc5851507e08a3f26ee725ffff7c5c0e73264bdfcde"
PGV_GIT_SHA = "61843aea0c3ca81fe7a558caf75fa36789a6d16e" # Feb 14, 2020
PGV_SHA256 = "0cdadf1bf786fcd05944831bd23bfcdb15c7c8940405c476696c9560fb039e26"
PGV_GIT_SHA = "ab56c3dd1cf9b516b62c5087e1ec1471bd63631e" # Mar 11, 2020
PGV_SHA256 = "3be12077affd1ebf8787001f5fba545cc5f1b914964dab4e0cc77c43fba03b41"
GOOGLEAPIS_GIT_SHA = "82944da21578a53b74e547774cf62ed31a05b841" # Dec 2, 2019
GOOGLEAPIS_SHA = "a45019af4d3290f02eaeb1ce10990166978c807cb33a9692141a076ba46d1405"

@ -235,17 +235,18 @@ message RuntimeFeatureFlag {
// Header name/value pair.
message HeaderValue {
// Header name.
string key = 1 [
(validate.rules).string = {min_bytes: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME}
];
string key = 1
[(validate.rules).string =
{min_bytes: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}];
// Header value.
//
// The same :ref:`format specifier <config_access_log_format>` as used for
// :ref:`HTTP access logging <config_access_log>` applies here, however
// unknown header values are replaced with the empty string instead of `-`.
string value = 2
[(validate.rules).string = {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE}];
string value = 2 [
(validate.rules).string = {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}
];
}
// Header name/value pair plus option to control append behavior.
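Review bot: The comments on `HeaderValue.key` and `HeaderValue.value` do not say that validation is now non-strict, so a reader of the API docs will still assume RFC-compliant header names and values. As PGV documents it, `strict: false` relaxes the well-known header regexes to rejecting only NUL, CR and LF, so a key containing a space or a colon would pass config validation here. I would add to the key comment something like `// Validated non-strictly: only NUL, CR and LF are rejected; RFC 7230 token syntax is not enforced.` and the equivalent on value. The same applies to the v3 copy of this message in envoy/config/core/v3/base.proto and to the `CustomTag.Header.name` fields in both custom_tag.proto files.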

@ -43,8 +43,9 @@ message RouteConfiguration {
// will consider to be internal only. If they are found on external requests they will be cleaned
// prior to filter invocation. See :ref:`config_http_conn_man_headers_x-envoy-internal` for more
// information.
repeated string internal_only_headers = 3
[(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME}}}];
repeated string internal_only_headers = 3 [
(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
];
// Specifies a list of HTTP headers that should be added to each response that
// the connection manager encodes. Headers specified at this level are applied
@ -57,8 +58,9 @@ message RouteConfiguration {
// Specifies a list of HTTP headers that should be removed from each response
// that the connection manager encodes.
repeated string response_headers_to_remove = 5
[(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME}}}];
repeated string response_headers_to_remove = 5 [
(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
];
// Specifies a list of HTTP headers that should be added to each request
// routed by the HTTP connection manager. Headers specified at this level are
@ -71,8 +73,9 @@ message RouteConfiguration {
// Specifies a list of HTTP headers that should be removed from each request
// routed by the HTTP connection manager.
repeated string request_headers_to_remove = 8
[(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME}}}];
repeated string request_headers_to_remove = 8 [
(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
];
// By default, headers that should be added/removed are evaluated from most to least specific:
//
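Review bot: `internal_only_headers`, `response_headers_to_remove` and `request_headers_to_remove` are lists compared against header names, and with `strict: false` an entry that can never equal a real header name (for instance one with a stray space) is accepted instead of being rejected at load time. For `internal_only_headers` that presumably means the header is silently not cleaned from external requests, so the misconfiguration fails open. It would help to say so on the fields, e.g. `// Names are validated non-strictly; an entry that is not a valid header name is accepted and will simply never match.`, or to keep strict validation on these list fields if no existing configs depend on the looser form. The v3 file envoy/config/route/v3/route.proto carries the same three changes.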

@ -73,7 +73,7 @@ message VirtualHost {
// Domains cannot contain control characters. This is validated by the well_known_regex HTTP_HEADER_VALUE.
repeated string domains = 2 [(validate.rules).repeated = {
min_items: 1
items {string {well_known_regex: HTTP_HEADER_VALUE}}
items {string {well_known_regex: HTTP_HEADER_VALUE strict: false}}
}];
// The list of routes that will be matched, in order, for incoming requests.
@ -602,8 +602,9 @@ message RouteAction {
message Header {
// The name of the request header that will be used to obtain the hash
// key. If the request header is not present, no hash will be produced.
string header_name = 1
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
string header_name = 1 [
(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}
];
}
// Envoy supports two types of cookie affinity:
@ -706,7 +707,8 @@ message RouteAction {
// The case-insensitive name of this upgrade, e.g. "websocket".
// For each upgrade type present in upgrade_configs, requests with
// Upgrade: [upgrade_type] will be proxied upstream.
string upgrade_type = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE}];
string upgrade_type = 1
[(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
// Determines if upgrades are available on this route. Defaults to true.
google.protobuf.BoolValue enabled = 2;
@ -731,7 +733,7 @@ message RouteAction {
// Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1
// *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead.
string cluster_header = 2
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
// Multiple upstream clusters can be specified for a given route. The
// request is routed to one of the upstream clusters based on weights
@ -1323,8 +1325,9 @@ message RateLimit {
// The header name to be queried from the request headers. The headers
// value is used to populate the value of the descriptor entry for the
// descriptor_key.
string header_name = 1
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
string header_name = 1 [
(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}
];
// The key to use in the descriptor entry.
string descriptor_key = 2 [(validate.rules).string = {min_bytes: 1}];
@ -1445,7 +1448,8 @@ message HeaderMatcher {
reserved 2, 3;
// Specifies the name of the header in the request.
string name = 1 [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
string name = 1
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
// Specifies how the header match will be performed to route the request.
oneof header_match_specifier {
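Review bot: The comment above `VirtualHost.domains` still reads "Domains cannot contain control characters. This is validated by the well_known_regex HTTP_HEADER_VALUE.", which no longer holds once the item rule carries `strict: false`. In non-strict mode PGV, as documented, rejects only NUL, CR and LF, so other control characters such as TAB or DEL would pass validation. The comment should be narrowed, e.g. `// Domains cannot contain NUL, CR or LF; this is enforced by the non-strict HTTP_HEADER_VALUE rule.` The same stale comment appears on the v3 `VirtualHost` in envoy/config/route/v3/route_components.proto; the messages touched here continue outside the visible hunks.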

@ -250,17 +250,18 @@ message HeaderValue {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HeaderValue";
// Header name.
string key = 1 [
(validate.rules).string = {min_bytes: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME}
];
string key = 1
[(validate.rules).string =
{min_bytes: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}];
// Header value.
//
// The same :ref:`format specifier <config_access_log_format>` as used for
// :ref:`HTTP access logging <config_access_log>` applies here, however
// unknown header values are replaced with the empty string instead of `-`.
string value = 2
[(validate.rules).string = {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE}];
string value = 2 [
(validate.rules).string = {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}
];
}
// Header name/value pair plus option to control append behavior.

@ -45,8 +45,9 @@ message RouteConfiguration {
// will consider to be internal only. If they are found on external requests they will be cleaned
// prior to filter invocation. See :ref:`config_http_conn_man_headers_x-envoy-internal` for more
// information.
repeated string internal_only_headers = 3
[(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME}}}];
repeated string internal_only_headers = 3 [
(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
];
// Specifies a list of HTTP headers that should be added to each response that
// the connection manager encodes. Headers specified at this level are applied
@ -59,8 +60,9 @@ message RouteConfiguration {
// Specifies a list of HTTP headers that should be removed from each response
// that the connection manager encodes.
repeated string response_headers_to_remove = 5
[(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME}}}];
repeated string response_headers_to_remove = 5 [
(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
];
// Specifies a list of HTTP headers that should be added to each request
// routed by the HTTP connection manager. Headers specified at this level are
@ -73,8 +75,9 @@ message RouteConfiguration {
// Specifies a list of HTTP headers that should be removed from each request
// routed by the HTTP connection manager.
repeated string request_headers_to_remove = 8
[(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME}}}];
repeated string request_headers_to_remove = 8 [
(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
];
// By default, headers that should be added/removed are evaluated from most to least specific:
//

@ -77,7 +77,7 @@ message VirtualHost {
// Domains cannot contain control characters. This is validated by the well_known_regex HTTP_HEADER_VALUE.
repeated string domains = 2 [(validate.rules).repeated = {
min_items: 1
items {string {well_known_regex: HTTP_HEADER_VALUE}}
items {string {well_known_regex: HTTP_HEADER_VALUE strict: false}}
}];
// The list of routes that will be matched, in order, for incoming requests.
@ -561,8 +561,9 @@ message RouteAction {
// The name of the request header that will be used to obtain the hash
// key. If the request header is not present, no hash will be produced.
string header_name = 1
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
string header_name = 1 [
(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}
];
}
// Envoy supports two types of cookie affinity:
@ -680,7 +681,8 @@ message RouteAction {
// The case-insensitive name of this upgrade, e.g. "websocket".
// For each upgrade type present in upgrade_configs, requests with
// Upgrade: [upgrade_type] will be proxied upstream.
string upgrade_type = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE}];
string upgrade_type = 1
[(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
// Determines if upgrades are available on this route. Defaults to true.
google.protobuf.BoolValue enabled = 2;
@ -707,7 +709,7 @@ message RouteAction {
// Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1
// *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead.
string cluster_header = 2
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
// Multiple upstream clusters can be specified for a given route. The
// request is routed to one of the upstream clusters based on weights
@ -1308,8 +1310,9 @@ message RateLimit {
// The header name to be queried from the request headers. The headers
// value is used to populate the value of the descriptor entry for the
// descriptor_key.
string header_name = 1
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
string header_name = 1 [
(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}
];
// The key to use in the descriptor entry.
string descriptor_key = 2 [(validate.rules).string = {min_bytes: 1}];
@ -1442,7 +1445,8 @@ message HeaderMatcher {
reserved "regex_match";
// Specifies the name of the header in the request.
string name = 1 [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
string name = 1
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
// Specifies how the header match will be performed to route the request.
oneof header_match_specifier {

@ -35,7 +35,8 @@ message CustomTag {
// Header type custom tag with header name and default value.
message Header {
// Header name to obtain the value to populate the tag value.
string name = 1 [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
string name = 1
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
// When the header does not exist,
// the tag value will be populated with this default value if specified,

@ -48,7 +48,8 @@ message CustomTag {
"envoy.type.tracing.v2.CustomTag.Header";
// Header name to obtain the value to populate the tag value.
string name = 1 [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
string name = 1
[(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
// When the header does not exist,
// the tag value will be populated with this default value if specified,
