http: auditing Path() calls for safety with Pathless CONNECT #10851
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Alyssa Wilk <[email protected]>
alyssawilk
requested review from
lizan,
mattklein123,
snowp and
zuercher
as code owners
Signed-off-by: Alyssa Wilk <[email protected]>
yanavlasov
reviewed
Apr 21, 2020
| @@ -29,6 +29,7 @@ absl::optional<std::string> canonicalizePath(absl::string_view original_path) { | |||
|
|
|||
| /* static */ | |||
| bool PathUtil::canonicalPath(RequestHeaderMap& headers) { | |||
| ASSERT(headers.Path()); | |||
There was a problem hiding this comment.
Is this invariant guaranteed?
mattklein123
requested changes
Apr 21, 2020
| @@ -36,6 +36,12 @@ class Common { | |||
| */ | |||
| static bool hasGrpcContentType(const Http::RequestOrResponseHeaderMap& headers); | |||
|
|
|||
| /** | |||
| * @param headers the headers to parse. | |||
| * @return bool indicating whether the header is a gRPC request header. | |||
There was a problem hiding this comment.
nit: what is a gRPC request header? Can you clarify? Maybe a more descriptive name also?
There was a problem hiding this comment.
Sorry super pedantically can we call this isGrpcRequestHeaders? (It's confusing to understand if we are operating on a single header or a group of headers)
| @@ -95,9 +95,11 @@ Tracing::SpanPtr Driver::startSpan(const Tracing::Config& config, | |||
| } | |||
|
|
|||
| if (!should_trace.has_value()) { | |||
| absl::string_view path = | |||
There was a problem hiding this comment.
nit: const, similar elsewhere if possible.
Signed-off-by: Alyssa Wilk <[email protected]>
Signed-off-by: Alyssa Wilk <[email protected]>
Signed-off-by: Alyssa Wilk <[email protected]>
|
Overnight fuzzing looks good! |
penguingao
pushed a commit
to penguingao/envoy
that referenced
this pull request
Apr 22, 2020
…oxy#10851) This should result in all Path() calls not altered in envoyproxy#10720 being safe for path-less CONNECT. The major change for this PR is that requests without a path will not be considered gRPC requests. They're still currently rejected at the HCM, but when they are allowed through they will simply not be gRPC rather than causing crashes. Risk Level: medium (L7 code refactor) Testing: new unit tests Docs Changes: n/a Release Notes: n/a Part of envoyproxy#1630 envoyproxy#1451 Signed-off-by: Alyssa Wilk <[email protected]> Signed-off-by: pengg <[email protected]>
spenceral
added a commit
to spenceral/envoy
that referenced
this pull request
Apr 23, 2020
Signed-off-by: Spencer Lewis <[email protected]> * master: (46 commits) allow specifying the API version of bootstrap from the command line (envoyproxy#10803) config: adding connect matcher (unused) (envoyproxy#10894) Add missing dependency on `assert.h` (envoyproxy#10918) Lower heap and disk space used by kafka tests (envoyproxy#10915) [tools] handle commits merged without PR in deprecated script (envoyproxy#10723) tools: including working tree in modified_since_last_github_commit.sh diff. (envoyproxy#10911) rocketmq_proxy: implement rocketmq proxy [docs] PR template to include commit message (envoyproxy#10900) docs: breaking long word to stop content overflow. (envoyproxy#10880) Delete legacy connection pool code. (envoyproxy#10881) wasm: clarify how configuration is passed (envoyproxy#10782) issue template: clarify security/crash reporting (envoyproxy#10885) api/faq: add entry on incremental xDS. (envoyproxy#10876) router: retry overloaded requests (envoyproxy#10847) Remove inclusion of pthread.h, not needed for linux compilation (envoyproxy#10895) request_id: Add option to always set request id in response (envoyproxy#10808) xray: Use correct types for segment document output (envoyproxy#10834) router: fixing a watermark bug for streaming retries (envoyproxy#10866) http: auditing Path() calls for safety with Pathless CONNECT (envoyproxy#10851) Remove hardcoded type urls Part.2 (envoyproxy#10848) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This should result in all Path() calls not altered in #10720 being safe for path-less CONNECT.
The major change for this PR is that requests without a path will not be considered gRPC requests. They're still currently rejected at the HCM, but when they are allowed through they will simply not be gRPC rather than causing crashes.
Risk Level: medium (L7 code refactor)
Testing: new unit tests
Docs Changes: n/a
Release Notes: n/a
Part of #1630 #1451