api: Add disableMergeSlash and escapedSlashesAction to ClientTrafficPolicy #2384

Merged
merged 3 commits into from
Jan 6, 2024
Changes from 2 commits
4 changes: 4 additions & 0 deletions api/v1alpha1/clienttrafficpolicy_types.go
Expand Up @@ -74,6 +74,10 @@ type ClientTrafficPolicySpec struct {
//
// +optional
TLS *TLSSettings `json:"tls,omitempty"`
// Path enables managing how the incoming path set by clients can be normalized.
//
// +optional
Path *PathSettings `json:"path,omitempty"`
}

// HTTP3Settings provides HTTP/3 configuration on the listener.
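Review bot: The comment on `Path` does not say what happens when the field is left unset. It is an optional pointer (`*PathSettings` with `omitempty`), so the comment should state which escaped-slash and merge-slash behaviour applies when it is nil. The wording "enables managing how the incoming path set by clients can be normalized" is also hard to parse; something like "Path configures how the client-supplied request path is normalized" reads more directly.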
54 changes: 54 additions & 0 deletions api/v1alpha1/pathsettings_types.go
@@ -0,0 +1,54 @@
// Copyright Envoy Gateway Authors
// SPDX-License-Identifier: Apache-2.0
// The full text of the Apache license is available in the LICENSE file at
// the root of the repo.

package v1alpha1

// PathEscapedSlashAction determines the action for requests that contain %2F, %2f, %5C, or %5c
// sequences in the URI path.
// +kubebuilder:validation:Enum=KeepUnchanged;RejectRequest;UnescapeForward;UnescapeRedirect
type PathEscapedSlashAction string

const (
// KeepUnchangedAction keeps escaped slashes as they arrive without changes
KeepUnchangedAction PathEscapedSlashAction = "KeepUnchanged"
// RejectRequestAction rejects client requests containing escaped slashes
// with a 400 status. gRPC requests will be rejected with the INTERNAL (13)
// error code.
// The "httpN.downstream_rq_failed_path_normalization" counter is incremented
// for each rejected request.
RejectRequestAction PathEscapedSlashAction = "RejectRequest"
// UnescapeRedirect unescapes %2F and %5C sequences and redirects to the new path
// if these sequences were present.
//
// Redirect occurs after path normalization and merge slashes transformations if
// they were configured. gRPC requests will be rejected with the INTERNAL (13)
// error code.
// This option minimizes possibility of path confusion exploits by forcing request
// with unescaped slashes to traverse all parties: downstream client, intermediate
// proxies, Envoy and upstream server.
// The “httpN.downstream_rq_redirected_with_normalized_path” counter is incremented
// for each redirected request.
UnescapeRedirect PathEscapedSlashAction = "UnescapeRedirect"
Contributor:

prefer UnescapeAndRedirect

Contributor Author:

Renamed

// UnescapeForward unescapes %2F and %5C sequences and forwards the request.
// Note: this option should not be enabled if intermediaries perform path based access
// control as it may lead to path confusion vulnerabilities.
UnescapeForward PathEscapedSlashAction = "UnescapeForward"
Contributor:

prefer UnescapeAndForward

Contributor Author:

Renamed

)

// PathSettings provides settings that managing how the incoming path set by clients is handled.
type PathSettings struct {
// EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI
// should be handled.
// The default is UnescapeRedirect.
//
// +optional
EscapedSlashesAction *PathEscapedSlashAction `json:"escapedSlashesAction,omitempty"`
// DisableMergeSlashes allows disabling the default configuration of merging adjacent
// slashes in the path.
// Note that slash merging is not part of the HTTP spec and is provided for convenience.
//
// +optional
DisableMergeSlashes *bool `json:"disableMergeSlashes,omitempty"`
}
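Review bot: The four action constants are named inconsistently: `KeepUnchangedAction` and `RejectRequestAction` carry an `Action` suffix while `UnescapeRedirect` and `UnescapeForward` do not, so pick one form for all four. The string values are also repeated by hand in the `+kubebuilder:validation:Enum` marker on `PathEscapedSlashAction` and in the "The default is UnescapeRedirect" sentence on `EscapedSlashesAction`, so any rename of a value has to update both places as well as the constant. Smaller points: the `UnescapeRedirect` comment wraps its counter name in curly quotes where the `RejectRequestAction` comment uses straight ones, "settings that managing how" in the `PathSettings` comment should read "settings that manage how", and the `DisableMergeSlashes` comment, unlike the one on `UnescapeForward`, gives no guidance on when changing the default is appropriate.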
30 changes: 30 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Expand Up @@ -53,6 +53,27 @@ spec:
http3:
description: HTTP3 provides HTTP/3 configuration on the listener.
type: object
path:
description: Path enables managing how the incoming path set by clients
can be normalized.
properties:
disableMergeSlashes:
description: DisableMergeSlashes allows disabling the default
configuration of merging adjacent slashes in the path. Note
that slash merging is not part of the HTTP spec and is provided
for convenience.
type: boolean
escapedSlashesAction:
description: EscapedSlashesAction determines how %2f, %2F, %5c,
or %5C sequences in the path URI should be handled. The default
is UnescapeRedirect.
enum:
- KeepUnchanged
- RejectRequest
- UnescapeForward
- UnescapeRedirect
type: string
type: object
suppressEnvoyHeaders:
description: SuppressEnvoyHeaders configures the Envoy Router filter
to suppress the "x-envoy-' headers from both requests and responses.
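Review bot: The `escapedSlashesAction` schema says "The default is UnescapeRedirect" in its description but has no `default:` key, so the schema itself does not fill the value in when the field is omitted. Either add a `+kubebuilder:default` marker on the Go field so the generated CRD carries the default, or reword the description to say that the default is applied by the gateway when the field is unset.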
27 changes: 27 additions & 0 deletions site/content/en/latest/api/extension_types.md
Expand Up @@ -220,6 +220,7 @@ _Appears in:_
| `enableProxyProtocol` _boolean_ | EnableProxyProtocol interprets the ProxyProtocol header and adds the Client Address into the X-Forwarded-For header. Note Proxy Protocol must be present when this field is set, else the connection is closed. |
| `http3` _[HTTP3Settings](#http3settings)_ | HTTP3 provides HTTP/3 configuration on the listener. |
| `tls` _[TLSSettings](#tlssettings)_ | TLS settings configure TLS termination settings with the downstream client. |
| `path` _[PathSettings](#pathsettings)_ | Path enables managing how the incoming path set by clients can be normalized. |



Expand Down Expand Up @@ -1285,6 +1286,32 @@ _Appears in:_
| `resources` _object (keys:string, values:string)_ | Resources is a set of labels that describe the source of a log entry, including envoy node info. It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). |


#### PathEscapedSlashAction

_Underlying type:_ `string`

PathEscapedSlashAction determines the action for requests that contain %2F, %2f, %5C, or %5c sequences in the URI path.

_Appears in:_
- [PathSettings](#pathsettings)



#### PathSettings



PathSettings provides settings that managing how the incoming path set by clients is handled.

_Appears in:_
- [ClientTrafficPolicySpec](#clienttrafficpolicyspec)

| Field | Description |
| --- | --- |
| `escapedSlashesAction` _[PathEscapedSlashAction](#pathescapedslashaction)_ | EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI should be handled. The default is UnescapeRedirect. |
| `disableMergeSlashes` _boolean_ | DisableMergeSlashes allows disabling the default configuration of merging adjacent slashes in the path. Note that slash merging is not part of the HTTP spec and is provided for convenience. |


#### ProviderType

_Underlying type:_ `string`
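Review bot: The generated `PathEscapedSlashAction` section lists no allowed values and none of their behaviour, so the documentation a user reads never mentions that `UnescapeForward` "should not be enabled if intermediaries perform path based access control", nor the 400 rejection or the redirect semantics. That guidance lives only in the comments on the Go constants, which do not render here. Move a short per-value summary, including the path confusion warning, into the type comment on `PathEscapedSlashAction` or the `escapedSlashesAction` field comment so it reaches this page and the CRD description.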