ext_proc: Check validity of the :status header #17596
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Restrict the values of the ":status" header that an external processor can set in both a "header mutation" in the response to a header request, or in an "immediate response" message, to avoid setting certain header values that will break the proxy. Specifically, ignore attempts to set the header to a value < 200, or to an invalid integer. Also ignore attempts to set multiple values for any system header (beginning with ":"). Signed-off-by: Gregory Brail <gregbrail@google.com>
|
This should fix #17570 opened by @ikepolinsky |
snowp
reviewed
Aug 9, 2021
| const auto status_code = response.has_status() ? response.status().code() : 200; | ||
| auto status_code = response.has_status() ? response.status().code() : DefaultImmediateStatus; | ||
| if (!MutationUtils::isValidHttpStatus(status_code)) { | ||
| ENVOY_LOG(debug, "Ignoring attempt to set invalid HTTP status {}", status_code); |
There was a problem hiding this comment.
Would it make sense to signal an error to the processing server if we get back an invalid status code in the response? Might make it easier for operators to understand that something is misconfigured
There was a problem hiding this comment.
Right now we don't have a mechanism to do that. That applies to attempts to set invalid headers as well as attempts to set an invalid status. I'm not sure what would be a good way -- for instance, we could send a list of error messages on the next message that we send to the processor, or we could introduce a third set of messages (request, response, and response status) to the protocol -- but I feel like either of these would make things more complicated and make it harder to write a processor.
One thing we should probably do is introduce another statistic so that there is a way to count the number of invalid responses by looking at a stat instead of requiring that people turn on debug.
There was a problem hiding this comment.
Yeah I think a statistic would be good, enabling debug logging is often not an option when debugging production systems due the log volume
Maybe follow up with that in another PR?
snowp
reviewed
Aug 9, 2021
| return true; | ||
| } | ||
|
|
||
| // Ignore attempts to append a second value to any system header, as in general those |
There was a problem hiding this comment.
I think these are usually referred to as psuedo headers, not system headers
mpuncel
added a commit
to mpuncel/envoy
that referenced
this pull request
Aug 11, 2021
* main: (687 commits) ci: set build debug information from env (envoyproxy#17635) ext_authz: do the authentication even the direct response is set (envoyproxy#17546) upstream: various cleanups in connection pool code (envoyproxy#17644) owners: promote Dmitry to maintainer (envoyproxy#17642) quiche: client session supports creating bidi stream (envoyproxy#17543) Update HTTP/2 METADATA documentation. (envoyproxy#17637) ext_proc: Check validity of the :status header (envoyproxy#17596) test: add ASSERT indicating that gRPC stream has not been started yet (envoyproxy#17614) ensure that the inline cookie header will be folded correctly (envoyproxy#17560) cluster_manager: Make ClusterEntry a class instead of a struct (envoyproxy#17616) owners: make Raúl a Thrift senior extension maintainer (envoyproxy#17641) quiche: update QUICHE dependency (envoyproxy#17618) Delete mock for removed RouteEntry::perFilterConfig() method (envoyproxy#17623) REPO_LAYOUT.md: fix outdated link (envoyproxy#17626) hcm: forbid use of detection extensions with use_remote_addr/xff_num_trusted_hops (envoyproxy#17558) thrift proxy: add request shadowing support (envoyproxy#17544) ext_proc: Ensure that timer is always cancelled (envoyproxy#17569) Proposal: Add CachePolicy interface to allow for custom cache behavior (envoyproxy#17362) proto: fix verify to point at v3 only (envoyproxy#17622) api: move generic matcher proto to its own package (envoyproxy#17096) ...
mpuncel
added a commit
to mpuncel/envoy
that referenced
this pull request
Aug 16, 2021
* main: (687 commits) ci: set build debug information from env (envoyproxy#17635) ext_authz: do the authentication even the direct response is set (envoyproxy#17546) upstream: various cleanups in connection pool code (envoyproxy#17644) owners: promote Dmitry to maintainer (envoyproxy#17642) quiche: client session supports creating bidi stream (envoyproxy#17543) Update HTTP/2 METADATA documentation. (envoyproxy#17637) ext_proc: Check validity of the :status header (envoyproxy#17596) test: add ASSERT indicating that gRPC stream has not been started yet (envoyproxy#17614) ensure that the inline cookie header will be folded correctly (envoyproxy#17560) cluster_manager: Make ClusterEntry a class instead of a struct (envoyproxy#17616) owners: make Raúl a Thrift senior extension maintainer (envoyproxy#17641) quiche: update QUICHE dependency (envoyproxy#17618) Delete mock for removed RouteEntry::perFilterConfig() method (envoyproxy#17623) REPO_LAYOUT.md: fix outdated link (envoyproxy#17626) hcm: forbid use of detection extensions with use_remote_addr/xff_num_trusted_hops (envoyproxy#17558) thrift proxy: add request shadowing support (envoyproxy#17544) ext_proc: Ensure that timer is always cancelled (envoyproxy#17569) Proposal: Add CachePolicy interface to allow for custom cache behavior (envoyproxy#17362) proto: fix verify to point at v3 only (envoyproxy#17622) api: move generic matcher proto to its own package (envoyproxy#17096) ... Signed-off-by: Michael Puncel <mpuncel@squareup.com>
leyao-daily
pushed a commit
to leyao-daily/envoy
that referenced
this pull request
Sep 30, 2021
Restrict the values of the ":status" header that an external processor can set in both a "header mutation" in the response to a header request, or in an "immediate response" message, to avoid setting certain header values that will break the proxy. Specifically, ignore attempts to set the header to a value < 200, or to an invalid integer. Also ignore attempts to set multiple values for any system header (beginning with ":"). Signed-off-by: Gregory Brail <gregbrail@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Commit Message: Restrict the values of the ":status" header that an external
processor can set in both a "header mutation" in the response to a
header request, or in an "immediate response" message, to avoid setting
certain header values that will break the proxy.
Additional Description: Specifically, ignore attempts to set the header to a value < 200,
or to an invalid integer. Also ignore attempts to set multiple values
for any system header (beginning with ":").
Risk Level: Low -- reduces risk of a problem with invalid status codes
Testing: New unit and integration tests
Docs Changes:
Release Notes:
Platform Specific Features:
Signed-off-by: Gregory Brail gregbrail@google.com