envoyproxy/envoy

Escape quotes in header fields of access logs

Open

#4,191 opened on Aug 16, 2018

View on GitHub
 (1 comment) (0 reactions) (0 assignees)C++ (5,373 forks)batch import
enhancementhelp wanted

Repository metrics

Stars
 (27,997 stars)
PR merge metrics
 (Avg merge 8d) (378 merged PRs in 30d)

Description

By default, access log fields are delimited with quotes and spaces. This is customizable for listener access logs but not for admin access logs. However, it is very difficult to parse logs with such a format in a safe way, since externally controlled header values (e.g. User-Agent) may contain unescaped quotes and spaces. For example a normal access log entry might look something like:

[2018-08-14T23:08:23.803Z] "GET /server_info HTTP/1.1" 200 - 0 92 6 - "192.88.34.220" "curl/7.38.0" "-" "localhost:10000" "-"

however, by changing my user agent, I can easily make the entry look like:

[2018-08-14T23:08:23.803Z] "GET / HTTP/1.1" 200 - 0 4521 0 - "192.88.34.220" "USER_AGENT_I_WANT_YOU_TO_SEE" "AJ" "WAS" "HERE" "-" "localhost:10000" "-"

I believe I could do the same thing (inserting seemingly new tokens) by modifying other headers as well (e.g. X-ENVOY-ORIGINAL-PATH).

At that point, it can become very difficult to safely parse certain information out of the access logs (as there is no way to determine which fields were added by malicious headers).

It seems like escaping quote characters (") in headers before sending them to the access logs would mitigate this issue.

Relevant Links:

Default access log format: https://www.envoyproxy.io/docs/envoy/v1.5.0/configuration/access_log#default-format

Contributor guide