envoyproxy/envoy

Escape quotes in header fields of access logs

Open

#4 191 ouverte le 16 août 2018

Voir sur GitHub
 (1 commentaire) (0 réactions) (0 assignés)C++ (5 373 forks)batch import
enhancementhelp wanted

Métriques du dépôt

Stars
 (27 997 stars)
Métriques de merge PR
 (Merge moyen 8j) (378 PRs mergées en 30 j)

Description

By default, access log fields are delimited with quotes and spaces. This is customizable for listener access logs but not for admin access logs. However, it is very difficult to parse logs with such a format in a safe way, since externally controlled header values (e.g. User-Agent) may contain unescaped quotes and spaces. For example a normal access log entry might look something like:

[2018-08-14T23:08:23.803Z] "GET /server_info HTTP/1.1" 200 - 0 92 6 - "192.88.34.220" "curl/7.38.0" "-" "localhost:10000" "-"

however, by changing my user agent, I can easily make the entry look like:

[2018-08-14T23:08:23.803Z] "GET / HTTP/1.1" 200 - 0 4521 0 - "192.88.34.220" "USER_AGENT_I_WANT_YOU_TO_SEE" "AJ" "WAS" "HERE" "-" "localhost:10000" "-"

I believe I could do the same thing (inserting seemingly new tokens) by modifying other headers as well (e.g. X-ENVOY-ORIGINAL-PATH).

At that point, it can become very difficult to safely parse certain information out of the access logs (as there is no way to determine which fields were added by malicious headers).

It seems like escaping quote characters (") in headers before sending them to the access logs would mitigate this issue.

Relevant Links:

Default access log format: https://www.envoyproxy.io/docs/envoy/v1.5.0/configuration/access_log#default-format

Guide contributeur