Enable base64/other UTF-8 encoding of non-UTF-8 proxy protocol TLVs
#32,430 opened on Feb 15, 2024
Repository metrics
- Stars
- (27,997 stars)
- PR merge metrics
- (Avg merge 8d) (378 merged PRs in 30d)
Description
Title: Enable base64/other UTF-8 encoding of non-UTF-8 proxy protocol TLVs
Description:
The proxy protocol filter can write metadata derived from proxy protocol TLVs that isn't UTF-8, as disclosed in this security advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6. The fix for this was to sanitize non-UTF-8 binary TLVs and replace non-UTF-8 characters with !. However, there's no requirement for proxy protocol TLVs to be UTF-8 in the first place—any binary vector is valid.
For example, Azure TLVs are encoded as little-endian uint32s in the TLV, which can produce invalid UTF-8. In this case, sanitizing the UTF-8 solves the security issue but does so in a lossy way that prevents us from decoding useful information from the TLV for purposes such as allowing cloud traffic based on private link ID.
We'd like to add a flag in the Proxy Protocol filter that causes the filter to base64 encode the TLV before passing it on further into filter state/filter metadata. This would allow us to pass on all binary TLVs without lossy replacements.
I'm happy to contribute the change to Envoy; it would likely involve a small API change.
[optional Relevant Links:] Azure TLVs: https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview#getting-connection-information-using-tcp-proxy-v2