validate proto message before converting to any

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
envoyproxy · Oct 23, 2024 · 5403023 · 5403023
1 parent 7188dad
commit 5403023
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 10 deletions.
diff --git a/internal/utils/protocov/protocov.go b/internal/utils/protocov/protocov.go
@@ -39,3 +39,18 @@ func ToAny(msg proto.Message) *anypb.Any {
 	}
 	return res
 }
+
+func ToAnyWithValidation(msg proto.Message) (*anypb.Any, error) {
+	// If the message has a ValidateAll method, call it before marshaling.
+	if validator, ok := msg.(interface{ ValidateAll() error }); ok {
+		if err := validator.ValidateAll(); err != nil {
+			return nil, err
+		}
+	}
+
+	any, err := anypb.New(msg)
+	if err != nil {
+		return nil, err
+	}
+	return any, nil
+}
diff --git a/internal/xds/translator/authorization.go b/internal/xds/translator/authorization.go
@@ -26,6 +26,7 @@ import (
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/envoyproxy/gateway/internal/ir"
+	"github.com/envoyproxy/gateway/internal/utils/protocov"
 	"github.com/envoyproxy/gateway/internal/xds/types"
 )
 
@@ -75,7 +76,7 @@ func (*rbac) patchHCM(
 // buildHCMRBACFilter returns a RBAC filter from the provided IR listener.
 func buildHCMRBACFilter() (*hcmv3.HttpFilter, error) {
 	rbacProto := &rbacv3.RBAC{}
-	rbacAny, err := anypb.New(rbacProto)
+	rbacAny, err := protocov.ToAnyWithValidation(rbacProto)
 	if err != nil {
 		return nil, err
 	}
@@ -133,7 +134,7 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
 		return err
 	}
 
-	if cfgAny, err = anypb.New(rbacPerRoute); err != nil {
+	if cfgAny, err = protocov.ToAnyWithValidation(rbacPerRoute); err != nil {
 		return err
 	}
 
@@ -159,15 +160,15 @@ func buildRBACPerRoute(authorization *ir.Authorization) (*rbacv3.RBACPerRoute, e
 		Name:   "ALLOW",
 		Action: rbacconfigv3.RBAC_ALLOW,
 	}
-	if allowAction, err = anypb.New(allow); err != nil {
+	if allowAction, err = protocov.ToAnyWithValidation(allow); err != nil {
 		return nil, err
 	}
 
 	deny := &rbacconfigv3.Action{
 		Name:   "DENY",
 		Action: rbacconfigv3.RBAC_DENY,
 	}
-	if denyAction, err = anypb.New(deny); err != nil {
+	if denyAction, err = protocov.ToAnyWithValidation(deny); err != nil {
 		return nil, err
 	}
 
@@ -316,11 +317,11 @@ func buildIPPredicate(clientCIDRs []*ir.CIDRMatch) (*matcherv3.Matcher_MatcherLi
 		})
 	}
 
-	if ipMatcher, err = anypb.New(ipRangeMatcher); err != nil {
+	if ipMatcher, err = protocov.ToAnyWithValidation(ipRangeMatcher); err != nil {
 		return nil, err
 	}
 
-	if sourceIPInput, err = anypb.New(&networkinput.SourceIPInput{}); err != nil {
+	if sourceIPInput, err = protocov.ToAnyWithValidation(&networkinput.SourceIPInput{}); err != nil {
 		return nil, err
 	}
 
@@ -389,11 +390,11 @@ func buildJWTPredicate(jwt egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherLis
 			},
 		}
 
-		if inputPb, err = anypb.New(input); err != nil {
+		if inputPb, err = protocov.ToAnyWithValidation(input); err != nil {
 			return nil, err
 		}
 
-		if matcherPb, err = anypb.New(scopeMatcher); err != nil {
+		if matcherPb, err = protocov.ToAnyWithValidation(scopeMatcher); err != nil {
 			return nil, err
 		}
 
@@ -454,7 +455,7 @@ func buildJWTPredicate(jwt egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherLis
 			Path:   path,
 		}
 
-		if inputPb, err = anypb.New(input); err != nil {
+		if inputPb, err = protocov.ToAnyWithValidation(input); err != nil {
 			return nil, err
 		}
 
@@ -492,7 +493,7 @@ func buildJWTPredicate(jwt egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherLis
 				}
 			}
 
-			if matcherPb, err = anypb.New(&metadatav3.Metadata{
+			if matcherPb, err = protocov.ToAnyWithValidation(&metadatav3.Metadata{
 				Value: valueMatcher,
 			}); err != nil {
 				return nil, err