envoyproxy · KBaichoo · Feb 10, 2023 · Jan 13, 2023 · Jan 23, 2023 · Jan 25, 2023
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -11,10 +11,12 @@ minor_behavior_changes:
 - area: healthcheck
   change: |
     If active HC is enabled and a host is ejected by outlier detection, a successful active health check unejects the host and consider it healthy. This also clears all the outlier detection counters. This behavior change can be reverted by setting ``envoy.reloadable_features_successful_active_health_check_uneject_host`` to ``false``.
-
 - area: local_ratelimit
   change: |
     Tokens from local descriptor's token buckets are burned before tokens from the default token bucket.
+- area: http2
+  change: |
+    Request authorities are now validated with a library function from QUICHE rather than nghttp2. This behavior change can be reverted by setting ``envoy.reloadable_features.http2_validate_authority_with_quiche`` to ``false``.
 
 bug_fixes:
 # *Changes expected to improve the state of the world and are unlikely to have negative effects*

diff --git a/source/common/http/BUILD b/source/common/http/BUILD
@@ -511,6 +511,7 @@ envoy_cc_library(
     hdrs = ["header_utility.h"],
     external_deps = [
         "nghttp2",
+        "quiche_http2_adapter",
     ],
     deps = [
         ":header_map_lib",

diff --git a/source/common/http/header_utility.cc b/source/common/http/header_utility.cc
@@ -12,6 +12,7 @@
 
 #include "absl/strings/match.h"
 #include "nghttp2/nghttp2.h"
+#include "quiche/http2/adapter/header_validator.h"
 
 namespace Envoy {
 namespace Http {
@@ -190,17 +191,22 @@ bool HeaderUtility::schemeIsValid(const absl::string_view scheme) {
 }
 
 bool HeaderUtility::headerValueIsValid(const absl::string_view header_value) {
-  return nghttp2_check_header_value(reinterpret_cast<const uint8_t*>(header_value.data()),
-                                    header_value.size()) != 0;
+  return http2::adapter::HeaderValidator::IsValidHeaderValue(header_value,
+                                                             http2::adapter::ObsTextOption::kAllow);
 }
 
 bool HeaderUtility::headerNameContainsUnderscore(const absl::string_view header_name) {
   return header_name.find('_') != absl::string_view::npos;
 }
 
 bool HeaderUtility::authorityIsValid(const absl::string_view header_value) {
-  return nghttp2_check_authority(reinterpret_cast<const uint8_t*>(header_value.data()),
-                                 header_value.size()) != 0;
+  if (Runtime::runtimeFeatureEnabled(
+          "envoy.reloadable_features.http2_validate_authority_with_quiche")) {
+    return http2::adapter::HeaderValidator::IsValidAuthority(header_value);
+  } else {
+    return nghttp2_check_authority(reinterpret_cast<const uint8_t*>(header_value.data()),
+                                   header_value.size()) != 0;
+  }
 }
 
 bool HeaderUtility::isSpecial1xx(const ResponseHeaderMap& response_headers) {

diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc
@@ -44,6 +44,7 @@ RUNTIME_GUARD(envoy_reloadable_features_enable_intermediate_ca);
 RUNTIME_GUARD(envoy_reloadable_features_enable_update_listener_socket_options);
 RUNTIME_GUARD(envoy_reloadable_features_finish_reading_on_decode_trailers);
 RUNTIME_GUARD(envoy_reloadable_features_fix_hash_key);
+RUNTIME_GUARD(envoy_reloadable_features_http2_validate_authority_with_quiche);
 RUNTIME_GUARD(envoy_reloadable_features_http3_sends_early_data);
 RUNTIME_GUARD(envoy_reloadable_features_http_filter_avoid_reentrant_local_reply);
 RUNTIME_GUARD(envoy_reloadable_features_http_reject_path_with_fragment);

diff --git a/test/fuzz/BUILD b/test/fuzz/BUILD
@@ -63,6 +63,9 @@ envoy_cc_test_library(
     name = "utility_lib",
     srcs = ["utility.cc"],
     hdrs = ["utility.h"],
+    external_deps = [
+        "quiche_http2_adapter",
+    ],
     deps = [
         ":common_proto_cc_proto",
         "//source/common/common:empty_string",

diff --git a/test/fuzz/utility.h b/test/fuzz/utility.h
@@ -13,7 +13,7 @@
 #include "test/mocks/upstream/host.h"
 #include "test/test_common/utility.h"
 
-#include "nghttp2/nghttp2.h"
+#include "quiche/http2/adapter/header_validator.h"
 
 // Strong assertion that applies across all compilation modes and doesn't rely
 // on gtest, which only provides soft fails that don't trip oss-fuzz failures.
@@ -53,7 +53,7 @@ inline std::string replaceInvalidHostCharacters(absl::string_view string) {
   std::string filtered;
   filtered.reserve(string.length());
   for (const char& c : string) {
-    if (nghttp2_check_authority(reinterpret_cast<const uint8_t*>(&c), 1)) {
+    if (http2::adapter::HeaderValidator::IsValidAuthority(absl::string_view(&c, 1))) {
       filtered.push_back(c);
     } else {
       filtered.push_back('0');