Envoy ASSERT() due to regex rewrite path string contains \r

[yanjunxiang-google]

It is observed that Envoy crash in ASSERT() due to regex rewrite path string contains invalid character '\r'.

We should prohibit null characters \0, \r, \n in the regex rewrite substitution string. This is well guarded in most other cases like RouteAction:prefix_rewrite, but is missing in RouteAction:regex_rewrite:substitution.

Signed-off-by: Yanjun Xiang yanjunxiang@google.com

Commit Message:
Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @mattklein123
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #23448 was opened by yanjunxiang-google.

see: more, trace.

[yanjunxiang-google]

/assign @adisuissa

[yanjunxiang-google]

We are seeing an Envoy crash in ASSERT() with below trace:

==458==ERROR: AddressSanitizer: ABRT on unknown address 0x0539000001ca (pc 0x7f053ef4f18b bp 0x7ffc30b6cc90 sp 0x7ffc30b6c990 T0)
  | SCARINESS: 10 (signal)
  | #0 0x7f053ef4f18b in raise /build/glibc-eX1tMB/glibc-2.31/sysdeps/unix/sysv/linux/raise.c:51:1
  | #1 0x7f053ef2e858 in abort /build/glibc-eX1tMB/glibc-2.31/stdlib/abort.c:79:7
  | #2 0x17a3409 in Envoy::UnionStringBaseEnvoy::Http::HeaderStringValidator::setCopy(char const*, unsigned int) envoy/common/union_string.h:173:5
  | #3 0x179ae7f in setCopy envoy/common/union_string.h:179:42
  | #4 0x179ae7f in Envoy::Http::TypedHeaderMapImplEnvoy::Http::RequestHeaderMap::setInline(Envoy::Http::CustomInlineHeaderRegistry::Handle<(Envoy::Http::CustomInlineHeaderRegistry::Type)0>, absl::string_view) /proc/self/cwd/source/common/http/header_map_impl.h:440:19
  | #5 0x17928ba in setPath /proc/self/cwd/source/common/http/header_map_impl.h:479:3
  | #6 0x17928ba in Envoy::Http::TestRequestHeaderMapImpl::setPath(absl::string_view) /proc/self/cwd/test/test_common/utility.h:1074:3
  | #7 0x369854f in Envoy::Router::RouteEntryImplBase::finalizePathHeader(Envoy::Http::RequestHeaderMap&, absl::string_view, bool) const /proc/self/cwd/source/common/router/config_impl.cc:941:11
  | #8 0x36abd49 in Envoy::Router::PathRouteEntryImpl::rewritePathHeader(Envoy::Http::RequestHeaderMap&, bool) const /proc/self/cwd/source/common/router/config_impl.cc:1529:3
  | #9 0x3694c3e in Envoy::Router::RouteEntryImplBase::finalizeRequestHeaders(Envoy::Http::RequestHeaderMap&, Envoy::StreamInfo::StreamInfo const&, bool) const /proc/self/cwd/source/common/router/config_impl.cc:834:5
  | #10 0x172194f in TestOneProtoInput /proc/self/cwd/test/common/router/route_fuzz_test.cc:156:28
  | #11 0x172194f in LLVMFuzzerTestOneInput /proc/self/cwd/test/common/router/route_fuzz_test.cc:139:1
  | #12 0x57c96ab in main
  | #13 0x7f053ef300b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
  | #14 0x1663ced in _start
 

And the configuration to trigger this is:

route {
cluster: ""
regex_rewrite {
pattern {
regex: "%"
}
substitution: "ty/envoy.\r$nigfig.rououte"
}
}

[yanjunxiang-google]

/assign @htuch

[htuch]

This is technically a breaking API change. I agree that \r in headers is invalid. Can you audit all the uses of RegexMatchAndSubstitute and figure out if HTTP_HEADER_VALUE is the right choice? I think some of them are paths, hosts and so on. It might turn out HTTP_HEADER_VALUE is sufficiently general to encompass them but I'm not sure, would be good to have a paper trail when making this kind of change.

Also, presumably we're only "crashing" in ASSERT mode, and this isn't a genuine security issue? Please clarify in the commit message.

[adisuissa]

Alternatively, the validation can be done when processing the config in RouteEntryImplBase.

[yanjunxiang-google]

Thanks for the comments!
There are six places using RegexMatchAndSubstitute:

1. envoy/api/envoy/config/route/v3/route_components.proto

   Line 821 in e0b5903

   type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 2;

2. envoy/api/envoy/config/route/v3/route_components.proto

   Line 1109 in e0b5903

   type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 32;

   
   3)

   envoy/api/envoy/config/route/v3/route_components.proto

   Line 1170 in e0b5903

   type.matcher.v3.RegexMatchAndSubstitute host_rewrite_path_regex = 35;

envoy/api/envoy/config/route/v3/route_components.proto

Line 1706 in e0b5903

type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 9;

5)

envoy/api/envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto

Line 78 in e0b5903

type.matcher.v3.RegexMatchAndSubstitute regex_value_rewrite = 6

6)

envoy/api/envoy/extensions/filters/network/thrift_proxy/filters/header_to_metadata/v3/header_to_metadata.proto

Line 67 in e0b5903

type.matcher.v3.RegexMatchAndSubstitute regex_value_rewrite = 4;

It looks to me all of them are trying to using the "substitution" string in the RegexMatchAndSubstitute to replace some parts of the HTTP header. Thus "substitution" should not contain '\r', '\n', '\0', which [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}] is trying to guard against.

Regarding the alternative to implement the logic in RouteEntryImplBase, I would think leverage the pgv is able to guard all the cases above. Also it's widely used, like:

envoy/api/envoy/config/route/v3/route_components.proto

Line 816 in e0b5903

string header_name = 1

or

envoy/api/envoy/config/route/v3/route_components.proto

Line 1076 in e0b5903

string prefix_rewrite = 5

Yeah, the crash only happens in ASSERT mode. Let me change the commit message. Also, it's triggered by incorrect Envoy configuration, which IIUC, can not be exploited by malicious client, thus I would think it's not a genuine security issue.

[adisuissa]

Can RegexMatchAndSubstitute be used by the unified matcher?
If so, it may be used as an extension for a non-header regex substitution.

[yanjunxiang-google]

That's a good question. I don't see it yet. The original commit for RegexMatchAndSubstitute is #10050, which just use it for RouteAction.

If in the future people want to use it as unified matcher, they are aware that NULL characters can not be in the "substitution". Otherwise, they have to add their own proto field.

[markdroth]

I don't think it's possible to use RegexMatchAndSubstitute as a matcher in the unified matching API, since the unified matching API separates matching from actions, and RegexMatchAndSubstitute combines the two. But @snowp can probably tell us for sure.

[adisuissa]

cc @snowp can you shed a light on whether RegexMatchAndSubstitute can be used as a matcher?
Generally speaking, is there a list of what types can be used in the unified matcher (both matchers and actions)?

[snowp]

As Mark said the unified matcher doesn't support any form of rewrite, it performs a stateless matching which results in an action, which then needs to be acted upon. There's certainly possibilities to make it support some kind of mutability or state propagation from the matcher, but it's not there today

Per https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/common/matcher/v3/matcher.proto#envoy-v3-api-msg-config-common-matcher-v3-matcher-matcherlist-predicate-singlepredicate there's either a value_match which uses a StringMatcher or a custom match which supports using a registered match extension like the ones listed in the docs

[htuch]

LGTM - can I get another pair of eyes from @envoyproxy/api-shepherds to verify this technically breaking change is safe as there was no contractually valid way to use these rejected values?

[adisuissa]

LGTM - can I get another pair of eyes from @envoyproxy/api-shepherds to verify this technically breaking change is safe as there was no contractually valid way to use these rejected values?

Per Snow's comment, and given that this type is only used for headers, I think this is a safe change.