仓库指标
- Star
- (27,997 star)
- PR 合并指标
- (平均合并 8天) (30 天内合并 378 个 PR)
描述
By default, access log fields are delimited with quotes and spaces. This is customizable for listener access logs but not for admin access logs. However, it is very difficult to parse logs with such a format in a safe way, since externally controlled header values (e.g. User-Agent) may contain unescaped quotes and spaces. For example a normal access log entry might look something like:
[2018-08-14T23:08:23.803Z] "GET /server_info HTTP/1.1" 200 - 0 92 6 - "192.88.34.220" "curl/7.38.0" "-" "localhost:10000" "-"
however, by changing my user agent, I can easily make the entry look like:
[2018-08-14T23:08:23.803Z] "GET / HTTP/1.1" 200 - 0 4521 0 - "192.88.34.220" "USER_AGENT_I_WANT_YOU_TO_SEE" "AJ" "WAS" "HERE" "-" "localhost:10000" "-"
I believe I could do the same thing (inserting seemingly new tokens) by modifying other headers as well (e.g. X-ENVOY-ORIGINAL-PATH).
At that point, it can become very difficult to safely parse certain information out of the access logs (as there is no way to determine which fields were added by malicious headers).
It seems like escaping quote characters (") in headers before sending them to the access logs would mitigate this issue.
Relevant Links:
Default access log format: https://www.envoyproxy.io/docs/envoy/v1.5.0/configuration/access_log#default-format