From 776dc955b92d863ad3c2bc266056c5c6efb7360e Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)"
Date: Mon, 20 Aug 2018 22:30:13 +0000
Subject: [PATCH] api: limit regexes to 1024 chars. (#4198)

This avoids stack overflow in libc++ regex parsing libraries. There doesn't seem to be a good reason to support arbitrary long regexes in Envoy in general. Discovered by oss-fuzz, resolves ClusterFuzz issues https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8060 and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8950. Risk level: Low Testing: Added corpus entry. Mirrored from https://github.com/envoyproxy/envoy @ 0337872261f6d459c9d2202fe2381b42f0b2f2fd
---
 envoy/api/v2/route/route.proto | 8 ++++----
 envoy/config/metrics/v2/stats.proto | 2 +-
 envoy/type/matcher/string.proto | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/envoy/api/v2/route/route.proto b/envoy/api/v2/route/route.proto
index a497a187..78e320ab 100644
--- a/envoy/api/v2/route/route.proto
+++ b/envoy/api/v2/route/route.proto
@@ -267,7 +267,7 @@ message RouteMatch {
 // * The regex */b[io]t* matches the path */bot*
 // * The regex */b[io]t* does not match the path */bite*
 // * The regex */b[io]t* does not match the path */bit/bot*
- string regex = 3;
+ string regex = 3 [(validate.rules).string.max_bytes = 1024];
 }

 // Indicates that prefix/path matching should be case insensitive. The default
@@ -763,7 +763,7 @@ message VirtualCluster {
 // * The regex */rides/\d+* matches the path */rides/0*
 // * The regex */rides/\d+* matches the path */rides/123*
 // * The regex */rides/\d+* does not match the path */rides/123/456*
- string pattern = 1 [(validate.rules).string.min_bytes = 1];
+ string pattern = 1 [(validate.rules).string = {min_bytes: 1, max_bytes: 1024}];

 // Specifies the name of the virtual cluster. The virtual cluster name as well
 // as the virtual host name are used when emitting statistics. The statistics are emitted by the
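Review bot: The doc comment above `RouteMatch.regex` still describes only the matching semantics and never mentions the new 1024-byte cap, so an operator whose configuration is rejected finds no explanation in the API documentation. The same gap applies to `VirtualCluster.pattern` in the second hunk of this file, and to `HeaderMatcher.regex_match`, `TagSpecifier.regex` and `StringMatcher.regex` further down. I would add a line such as `// The regex must be no longer than 1024 bytes.` to each comment block. The commit title says "chars" while the rule is `max_bytes`, so a pattern containing multi-byte UTF-8 characters reaches the limit sooner and the comment should say bytes. Each comment block begins above its hunk, so only its last three lines are visible here.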
@@ -959,7 +959,7 @@ message HeaderMatcher {
 // * The regex *\d{3}* matches the value *123*
 // * The regex *\d{3}* does not match the value *1234*
 // * The regex *\d{3}* does not match the value *123.456*
- string regex_match = 5;
+ string regex_match = 5 [(validate.rules).string.max_bytes = 1024];

 // If specified, header match will be performed based on range.
 // The rule will match if the request header value is within this range.
@@ -1009,7 +1009,7 @@ message HeaderMatcher {
 message QueryParameterMatcher {
 // Specifies the name of a key that must be present in the requested
 // *path*'s query string.
- string name = 1 [(validate.rules).string.min_bytes = 1];
+ string name = 1 [(validate.rules).string = {min_bytes: 1, max_bytes: 1024}];

 // Specifies the value of the key. If the value is absent, a request
 // that contains the key in its query string will match, whether the
diff --git a/envoy/config/metrics/v2/stats.proto b/envoy/config/metrics/v2/stats.proto
index 121f59a9..f3471643 100644
--- a/envoy/config/metrics/v2/stats.proto
+++ b/envoy/config/metrics/v2/stats.proto
@@ -133,7 +133,7 @@ message TagSpecifier {
 // ``http.user_agent.downstream_cx_total`` as the tag extracted name. The tag
 // ``envoy.http_conn_manager_prefix`` will be added with the tag value
 // ``connection_manager_1``.
- string regex = 2;
+ string regex = 2 [(validate.rules).string.max_bytes = 1024];

 // Specifies a fixed tag value for the ``tag_name``.
 string fixed_value = 3;
diff --git a/envoy/type/matcher/string.proto b/envoy/type/matcher/string.proto
index afb419a6..4fdea1f5 100644
--- a/envoy/type/matcher/string.proto
+++ b/envoy/type/matcher/string.proto
@@ -44,6 +44,6 @@ message StringMatcher {
 // * The regex *\d{3}* matches the value *123*
 // * The regex *\d{3}* does not match the value *1234*
 // * The regex *\d{3}* does not match the value *123.456*
- string regex = 4;
+ string regex = 4 [(validate.rules).string.max_bytes = 1024];
 }
 }
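Review bot: In the QueryParameterMatcher hunk the 1024-byte cap is placed on `name`, which its comment describes as a query-string key rather than a regex, while the value field documented directly below it gets no rule in this hunk. That field's declaration is outside the hunk, so this is inferred: if the value can be interpreted as a regular expression, it remains an unbounded regex input and the parser stack overflow the commit describes is not closed for this matcher. I would put the constraint on that field as well, using the same option as the other regex fields, `[(validate.rules).string.max_bytes = 1024]`. I would keep `name` at `min_bytes = 1` unless a key-length limit is also intended, in which case the comment should say so.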
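Review bot: The cap on `StringMatcher.regex` in envoy/type/matcher/string.proto exists only as a validation annotation, so it protects the regex parser only where the generated validator runs on the message before the pattern is compiled. The enforcing code is not part of this diff, so whether every consumer of this shared matcher type validates first cannot be confirmed from here. A length check next to the regex compilation itself would also cover regex-bearing fields this commit does not touch. At minimum I would record the dependency in the field comment, for example `// Length is enforced by config validation only; callers must validate before compiling.`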