envoyproxy/envoy

Enable base64/other UTF-8 encoding of non-UTF-8 proxy protocol TLVs

Open

#32,430 opened on 2024年2月15日

GitHub で見る
 (5 comments) (2 reactions) (0 assignees)C++ (5,373 forks)batch import
area/proxy_protoenhancementhelp wanted

Repository metrics

Stars
 (27,997 stars)
PR merge metrics
 (平均マージ 8d) (30d で 378 merged PRs)

説明

Title: Enable base64/other UTF-8 encoding of non-UTF-8 proxy protocol TLVs

Description: The proxy protocol filter can write metadata derived from proxy protocol TLVs that isn't UTF-8, as disclosed in this security advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6. The fix for this was to sanitize non-UTF-8 binary TLVs and replace non-UTF-8 characters with !. However, there's no requirement for proxy protocol TLVs to be UTF-8 in the first place—any binary vector is valid.

For example, Azure TLVs are encoded as little-endian uint32s in the TLV, which can produce invalid UTF-8. In this case, sanitizing the UTF-8 solves the security issue but does so in a lossy way that prevents us from decoding useful information from the TLV for purposes such as allowing cloud traffic based on private link ID.

We'd like to add a flag in the Proxy Protocol filter that causes the filter to base64 encode the TLV before passing it on further into filter state/filter metadata. This would allow us to pass on all binary TLVs without lossy replacements.

I'm happy to contribute the change to Envoy; it would likely involve a small API change.

[optional Relevant Links:] Azure TLVs: https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview#getting-connection-information-using-tcp-proxy-v2

コントリビューターガイド