envoyproxy/envoy

Escape quotes in header fields of access logs

Open

#4,191 建立於 2018年8月16日

在 GitHub 查看
 (1 留言) (0 反應) (0 負責人)C++ (5,373 fork)batch import
enhancementhelp wanted

倉庫指標

Star
 (27,997 star)
PR 合併指標
 (平均合併 8天) (30 天內合併 378 個 PR)

描述

By default, access log fields are delimited with quotes and spaces. This is customizable for listener access logs but not for admin access logs. However, it is very difficult to parse logs with such a format in a safe way, since externally controlled header values (e.g. User-Agent) may contain unescaped quotes and spaces. For example a normal access log entry might look something like:

[2018-08-14T23:08:23.803Z] "GET /server_info HTTP/1.1" 200 - 0 92 6 - "192.88.34.220" "curl/7.38.0" "-" "localhost:10000" "-"

however, by changing my user agent, I can easily make the entry look like:

[2018-08-14T23:08:23.803Z] "GET / HTTP/1.1" 200 - 0 4521 0 - "192.88.34.220" "USER_AGENT_I_WANT_YOU_TO_SEE" "AJ" "WAS" "HERE" "-" "localhost:10000" "-"

I believe I could do the same thing (inserting seemingly new tokens) by modifying other headers as well (e.g. X-ENVOY-ORIGINAL-PATH).

At that point, it can become very difficult to safely parse certain information out of the access logs (as there is no way to determine which fields were added by malicious headers).

It seems like escaping quote characters (") in headers before sending them to the access logs would mitigate this issue.

Relevant Links:

Default access log format: https://www.envoyproxy.io/docs/envoy/v1.5.0/configuration/access_log#default-format

貢獻者指南