fix possible crash of admin /config_dump (envoyproxy#28849)

---------

Signed-off-by: wbpcode <[email protected]>

source/common/protobuf/utility.cc

@@ -409,7 +409,15 @@ bool redactOpaque(Protobuf::Message* message, bool ancestor_is_sensitive,
       message_factory.GetPrototype(concrete_descriptor)->New());
 
   // Finally we can unpack, redact, and repack the opaque message using the provided callbacks.
-  unpack(typed_message.get(), reflection, value_field_descriptor);
+
+  // Note: the content of opaque types may contain illegal content that mismatches the type_url
+  // which may cause unpacking to fail. We catch the exception here to avoid crashing Envoy.
+  TRY_ASSERT_MAIN_THREAD { unpack(typed_message.get(), reflection, value_field_descriptor); }
+  END_TRY CATCH(const EnvoyException& e, {
+    ENVOY_LOG_MISC(warn, "Could not unpack {} with type URL {}: {}", opaque_type_name, type_url,
+                   e.what());
+    return false;
+  });
   redact(typed_message.get(), ancestor_is_sensitive);
   repack(typed_message.get(), reflection, value_field_descriptor);
   return true;

test/common/protobuf/utility_test.cc

@@ -1091,6 +1091,22 @@ type_url: type.googleapis.com/envoy.unknown.Message
   EXPECT_TRUE(TestUtility::protoEqual(expected, actual));
 }
 
+TYPED_TEST(TypedStructUtilityTest, RedactTypedStructWithErrorContent) {
+  envoy::test::Sensitive actual;
+  TestUtility::loadFromYaml(R"EOF(
+insensitive_typed_struct:
+  type_url: type.googleapis.com/envoy.test.Sensitive
+  value:
+    # The target field is string but value here is int.
+    insensitive_string: 123
+    # The target field is int but value here is string.
+    insensitive_int: "abc"
+)EOF",
+                            actual);
+
+  EXPECT_NO_THROW(MessageUtil::redact(actual));
+}
+
 TYPED_TEST(TypedStructUtilityTest, RedactEmptyTypeUrlTypedStruct) {
   TypeParam actual;
   TypeParam expected = actual;