API for Unified Header Validators (#21172)

API for Unified Header Validators Signed-off-by: Yan Avlasov <yavlasov@google.com> Mirrored from https://github.com/envoyproxy/envoy @ e569ce06101932cfe3ccb710c3c60b92dd09464b
3 years ago · d518718090
parent 683ffbc45d
commit d518718090
6 changed files with 172 additions and 1 deletions
--- a/1
+++ b/1
@ -222,6 +222,7 @@ proto_library(
        "//envoy/extensions/formatter/req_without_query/v3:pkg",
        "//envoy/extensions/health_checkers/redis/v3:pkg",
        "//envoy/extensions/http/header_formatters/preserve_case/v3:pkg",
+        "//envoy/extensions/http/header_validators/envoy_default/v3:pkg",
        "//envoy/extensions/http/original_ip_detection/custom_header/v3:pkg",
        "//envoy/extensions/http/original_ip_detection/xff/v3:pkg",
        "//envoy/extensions/http/stateful_session/cookie/v3:pkg",
--- a/envoy/config/core/v3/protocol.proto
+++ b/envoy/config/core/v3/protocol.proto
@ -319,6 +319,9 @@ message Http1ProtocolOptions {
  // .. attention::
  //   Enabling this option might lead to request smuggling vulnerability, especially if traffic
  //   is proxied via multiple layers of proxies.
+  // [#comment:TODO: This field is ignored when the
+  // :ref:`header validation configuration <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.typed_header_validation_config>`
+  // is present.]
  bool allow_chunked_length = 6;

  // Allows invalid HTTP messaging. When this option is false, then Envoy will terminate
--- a/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
+++ b/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
@ -36,7 +36,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
 // [#extension: envoy.filters.network.http_connection_manager]

-// [#next-free-field: 50]
+// [#next-free-field: 51]
 message HttpConnectionManager {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager";
@ -403,6 +403,10 @@ message HttpConnectionManager {
      [(udpa.annotations.security).configure_for_untrusted_downstream = true];

  // Additional HTTP/1 settings that are passed to the HTTP/1 codec.
+  // [#comment:TODO: The following fields are ignored when the
+  // :ref:`header validation configuration <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.typed_header_validation_config>`
+  // is present:
+  // 1. :ref:`allow_chunked_length <envoy_v3_api_field_config.core.v3.Http1ProtocolOptions.allow_chunked_length>`]
  config.core.v3.Http1ProtocolOptions http_protocol_options = 8;

  // Additional HTTP/2 settings that are passed directly to the HTTP/2 codec.
@ -660,6 +664,9 @@ message HttpConnectionManager {
  // for details of normalization.
  // Note that Envoy does not perform
  // `case normalization <https://tools.ietf.org/html/rfc3986#section-6.2.2.1>`_
+  // [#comment:TODO: This field is ignored when the
+  // :ref:`header validation configuration <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.typed_header_validation_config>`
+  // is present.]
  google.protobuf.BoolValue normalize_path = 30;

  // Determines if adjacent slashes in the path are merged into one before any processing of
@ -667,6 +674,9 @@ message HttpConnectionManager {
  // setting this option, incoming requests with path `//dir///file` will not match against route
  // with `prefix` match set to `/dir`. Defaults to `false`. Note that slash merging is not part of
  // `HTTP spec <https://tools.ietf.org/html/rfc3986>`_ and is provided for convenience.
+  // [#comment:TODO: This field is ignored when the
+  // :ref:`header validation configuration <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.typed_header_validation_config>`
+  // is present.]
  bool merge_slashes = 33;

  // Action to take when request URL path contains escaped slash sequences (%2F, %2f, %5C and %5c).
@ -674,6 +684,9 @@ message HttpConnectionManager {
  // runtime variable.
  // The :ref:`http_connection_manager.path_with_escaped_slashes_action_sampling<config_http_conn_man_runtime_path_with_escaped_slashes_action_enabled>` runtime
  // variable can be used to apply the action to a portion of all requests.
+  // [#comment:TODO: This field is ignored when the
+  // :ref:`header validation configuration <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.typed_header_validation_config>`
+  // is present.]
  PathWithEscapedSlashesAction path_with_escaped_slashes_action = 45;

  // The configuration of the request ID extension. This includes operations such as
@ -765,6 +778,30 @@ message HttpConnectionManager {
  // If this config is set, the Proxy-Status HTTP response header field is
  // populated. By default, it is not.
  ProxyStatusConfig proxy_status_config = 49;
+
+  // Configuration options for Header Validation (UHV).
+  // UHV is an extensible mechanism for checking validity of HTTP requests as well as providing
+  // normalization for request attributes, such as URI path.
+  // If the typed_header_validation_config is present it overrides the following options:
+  // ``normalize_path``, ``merge_slashes``, ``path_with_escaped_slashes_action``
+  // ``http_protocol_options.allow_chunked_length``.
+  //
+  // The default UHV checks the following:
+  //
+  // #. HTTP/1 header map validity according to `RFC 7230 section 3.2<https://datatracker.ietf.org/doc/html/rfc7230#section-3.2>`_
+  // #. Syntax of HTTP/1 request target URI and response status
+  // #. HTTP/2 header map validity according to `RFC 7540 section 8.1.2<https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2`_
+  // #. Syntax of HTTP/2 pseudo headers
+  // #. HTTP/3 header map validity according to `draft standard <https://datatracker.ietf.org/doc/html/draft-ietf-quic-http-34>`_
+  // #. Syntax of HTTP/3 pseudo headers
+  // #. Syntax of ``Content-Length`` and ``Transfer-Encoding``
+  // #. Validation of HTTP/1 requests with both ``Content-Length`` and ``Transfer-Encoding`` headers
+  // #. Normalization of the URI path according to `Normalization and Comparison <https://datatracker.ietf.org/doc/html/rfc3986#section-6>`_
+  //    without `case normalization <https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1>`_
+  //
+  // [#not-implemented-hide:]
+  // [#extension-category: envoy.http.header_validators]
+  config.core.v3.TypedExtensionConfig typed_header_validation_config = 50;
 }

 // The configuration to customize local reply returned by Envoy.
--- a/envoy/extensions/http/header_validators/envoy_default/v3/BUILD
+++ b/envoy/extensions/http/header_validators/envoy_default/v3/BUILD
@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
+)
--- a/envoy/extensions/http/header_validators/envoy_default/v3/header_validator.proto
+++ b/envoy/extensions/http/header_validators/envoy_default/v3/header_validator.proto
@ -0,0 +1,120 @@
+syntax = "proto3";
+
+package envoy.extensions.http.header_validators.envoy_default.v3;
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.http.header_validators.envoy_default.v3";
+option java_outer_classname = "HeaderValidatorProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/http/header_validators/envoy_default/v3;envoy_defaultv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Envoy's default Header Validator config]
+
+// This extension validates that HTTP request and response headers are well formed according to respective RFCs.
+//
+// #. HTTP/1 header map validity according to `RFC 7230 section 3.2 <https://datatracker.ietf.org/doc/html/rfc7230#section-3.2>`_
+// #. Syntax of HTTP/1 request target URI and response status
+// #. HTTP/2 header map validity according to `RFC 7540 section 8.1.2 <https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2>`_
+// #. Syntax of HTTP/2 pseudo headers
+// #. HTTP/3 header map validity according to `draft standard <https://datatracker.ietf.org/doc/html/draft-ietf-quic-http-34>`_
+// #. Syntax of HTTP/3 pseudo headers
+// #. Syntax of Content-Length and Transfer-Encoding
+// #. Validation of HTTP/1 requests with both ``Content-Length`` and ``Transfer-Encoding`` headers
+// #. Normalization of the URI path according to `Normalization and Comparison <https://datatracker.ietf.org/doc/html/rfc3986#section-6>`_
+//    without `case normalization <https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1>`_
+//
+message HeaderValidatorConfig {
+  message UriPathNormalizationOptions {
+    // Determines the action for requests that contain ``%2F``, ``%2f``, ``%5C`` or ``%5c`` sequences in the URI path.
+    // This operation occurs before URL normalization and the merge slashes transformations if they were enabled.
+    enum PathWithEscapedSlashesAction {
+      // Default behavior specific to implementation (i.e. Envoy) of this configuration option.
+      // Envoy, by default, takes the ``KEEP_UNCHANGED`` action.
+      // NOTE: the implementation may change the default behavior at-will.
+      IMPLEMENTATION_SPECIFIC_DEFAULT = 0;
+
+      // Keep escaped slashes.
+      KEEP_UNCHANGED = 1;
+
+      // Reject client request with the 400 status. gRPC requests will be rejected with the ``INTERNAL`` (13) error code.
+      // The ``http#.downstream_rq_failed_path_normalization`` counter is incremented for each rejected request.
+      REJECT_REQUEST = 2;
+
+      // Unescape ``%2F`` and ``%5C`` sequences and redirect the request to the new path if these sequences were present.
+      // The redirect occurs after path normalization and merge slashes transformations if they were configured.
+      // NOTE: gRPC requests will be rejected with the ``INTERNAL`` (13) error code.
+      // This option minimizes possibility of path confusion exploits by forcing request with unescaped slashes to
+      // traverse all parties: downstream client, intermediate proxies, Envoy and upstream server.
+      // The ``http#.downstream_rq_redirected_with_normalized_path`` counter is incremented for each
+      // redirected request.
+      UNESCAPE_AND_REDIRECT = 3;
+
+      // Unescape ``%2F`` and ``%5C`` sequences.
+      // Note: this option should not be enabled if intermediaries perform path based access control as
+      // it may lead to path confusion vulnerabilities.
+      UNESCAPE_AND_FORWARD = 4;
+    }
+
+    // Should paths be normalized according to RFC 3986?
+    // This operation overwrites the original request URI path and the new path is used for processing of
+    // the request by HTTP filters and proxied to the upstream service.
+    // Envoy will respond with 400 to requests with malformed paths that fail path normalization.
+    // The default behavior is to normalize the path.
+    // This value may be overridden by the runtime variable
+    // :ref:`http_connection_manager.normalize_path<config_http_conn_man_runtime_normalize_path>`.
+    // See `Normalization and Comparison <https://datatracker.ietf.org/doc/html/rfc3986#section-6>`_
+    // for details of normalization.
+    // Note that Envoy does not perform
+    // `case normalization <https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1>`_
+    // URI path normalization can be applied to a portion of requests by setting the
+    // ``envoy_default_header_validator.path_normalization`` runtime value.
+    bool skip_path_normalization = 1;
+
+    // Determines if adjacent slashes in the path are merged into one.
+    // This operation overwrites the original request URI path and the new path is used for processing of
+    // the request by HTTP filters and proxied to the upstream service.
+    // Setting this option to true will cause incoming requests with path ``//dir///file`` to not match against
+    // route with ``prefix`` match set to ``/dir``. Defaults to ``false``. Note that slash merging is not part of
+    // `HTTP spec <https://datatracker.ietf.org/doc/html/rfc3986>`_ and is provided for convenience.
+    // Merging of slashes in URI path can be applied to a portion of requests by setting the
+    // ``envoy_default_header_validator.merge_slashes`` runtime value.
+    bool skip_merging_slashes = 2;
+
+    // The action to take when request URL path contains escaped slash sequences (``%2F``, ``%2f``, ``%5C`` and ``%5c``).
+    // This operation may overwrite the original request URI path and the new path is used for processing of
+    // the request by HTTP filters and proxied to the upstream service.
+    PathWithEscapedSlashesAction path_with_escaped_slashes_action = 3;
+  }
+
+  message Http1ProtocolOptions {
+    // Allows Envoy to process HTTP/1 requests/responses with both ``Content-Length`` and ``Transfer-Encoding``
+    // headers set. By default such messages are rejected, but if option is enabled - Envoy will
+    // remove the ``Content-Length`` header and process the message.
+    // See `RFC7230, sec. 3.3.3 <https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3>`_ for details.
+    //
+    // .. attention::
+    //   Enabling this option might lead to request smuggling vulnerabilities, especially if traffic
+    //   is proxied via multiple layers of proxies.
+    bool allow_chunked_length = 1;
+  }
+
+  Http1ProtocolOptions http1_protocol_options = 1;
+
+  // The URI path normalization options.
+  // By default Envoy normalizes URI path using the default values of the :ref:`UriPathNormalizationOptions
+  // <envoy_v3_api_msg_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions>`.
+  // URI path transformations specified by the ``uri_path_normalization_options`` configuration can be applied to a portion
+  // of requests by setting the ``envoy_default_header_validator.uri_path_transformations`` runtime value.
+  // Caution: disabling path normalization may lead to path confusion vulnerabilities in access control or incorrect service
+  // selection.
+  UriPathNormalizationOptions uri_path_normalization_options = 2;
+
+  // Restrict HTTP methods to these defined in the `RFC 7231 section 4.1 <https://datatracker.ietf.org/doc/html/rfc7231#section-4.1>`_
+  // Envoy will respond with 400 to requests with disallowed methods.
+  // By default methods with arbitrary names are accepted.
+  bool restrict_http_methods = 3;
+}
--- a/versioning/BUILD
+++ b/versioning/BUILD
@ -159,6 +159,7 @@ proto_library(
        "//envoy/extensions/formatter/req_without_query/v3:pkg",
        "//envoy/extensions/health_checkers/redis/v3:pkg",
        "//envoy/extensions/http/header_formatters/preserve_case/v3:pkg",
+        "//envoy/extensions/http/header_validators/envoy_default/v3:pkg",
        "//envoy/extensions/http/original_ip_detection/custom_header/v3:pkg",
        "//envoy/extensions/http/original_ip_detection/xff/v3:pkg",
        "//envoy/extensions/http/stateful_session/cookie/v3:pkg",