Handle lists with and without spaces in XFF#3610
Conversation
Currently, `Utility::getLastAddressFromXFF()` only handles lists that use a comma plus a space as the separator. Per https://tools.ietf.org/html/rfc7239#section-7.1, spaces are allowed around commas — so we should handle that too. This fixes envoyproxy#3607. Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
|
@rgs1 we are going to merge the revert to try to get master into a good state after some issues. Can you potentially re-apply #3609 in this PR and then @alyssawilk can help review? |
|
@mattklein123 sure, but do we really need to revert #3609? it's generating valid XFF headers... |
|
It is, but when Envoys are paired together, it will no longer work correctly, and I'm sure this will break people in a mesh configuration (including Lyft). I think it's better to revert and reapply as a set. |
|
@mattklein123 ah true |
|
i'll add #3609 in a follow-up commit |
|
Having the utility fix in the same PR as the change to headers doesn't actually help if you don't roll everything out at once. I'd honestly be inclined to roll back #3609, check this in, and wait [a month | a full release] before reapplying given there's 0 urgency on removing the whitespace. Alternately we could call it out much more clearly in the release notes that you must replace your upstream Envoys (which allow whitespace and no-whitespace) before replacing downstream Envoys (which change how the header looks) but that seems more dicey. |
alyssawilk
left a comment
alyssawilk
left a comment
There was a problem hiding this comment.
Either way this LGTM (modulo nit) - thanks for both debugging and sorting out a fix so quickly!
| xff_string = xff_string.substr(last_comma + seperator.size()); | ||
| } | ||
|
|
||
| // ignore the whitespace, since they are allowed in HTTP lists (see rfc7239) |
Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
This is a good point. Sorry, didn't think about this very much when I mentioned to roll it together. Agre let's apply this first then wait a month or so for the other one. Can we open a tracking issue for that? |
|
|
||
| // Ignore the whitespace, since they are allowed in HTTP lists (see RFC7239#section-7.1). | ||
| xff_string = StringUtil::ltrim(xff_string); | ||
| xff_string = StringUtil::rtrim(xff_string); |
There was a problem hiding this comment.
Sorry, just noticed. Do we have a test that covers the need for rtrim?
There was a problem hiding this comment.
@mattklein123 no... only ltrim(). Lemme modify the case I added so that it has space at both sides...
There was a problem hiding this comment.
@mattklein123 is it fine if I use this test string which should exercise ltrim(), rtrim() and no trim():
"192.0.2.10, 192.0.2.1 ,10.0.0.1"
Or you rather have it broken up in subtests, and be explicit about what path i am exercising?
There was a problem hiding this comment.
i guess the above string with comments near each EXPECT call should be clear enough... Let me push what I have and lmk what you think.
There was a problem hiding this comment.
@mattklein123 hold it, my comments are in the wrong place, fixing...
There was a problem hiding this comment.
@mattklein123 should be good now, sorry about that!
Also, comment about which space trimming case is being tested. Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
Comments were referring to the wrong test case. Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
|
|
||
| // No space trimming. | ||
| ret = Utility::getLastAddressFromXFF(request_headers, 2); | ||
| EXPECT_EQ(first_address, ret.address_->ip()->addressAsString()); |
There was a problem hiding this comment.
I think this test would have passed with the previous PR, because we assumed "X, Y" The problem is X,Y with no whitespace on either side.
Can we add one more address in this test with no whitespace before the comma on either side?
Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
|
@alyssawilk added — thanks! |
|
@alyssawilk hmm, do we also need an integration test to check that xff is handled correctly from envoy to envoy (e.g.: something that would have caught the problem with 035a816)? |
|
I'd love that, but I don't think we have the ability to set up multi-Envoy integration tests. It's definitely on my list though! I think the best we can do today is an integration test for A,B,C (no whitespace) if you're up for it. |
|
Ah thanks @alyssawilk nice catch on the test. |
3 participants
Currently,
Utility::getLastAddressFromXFF()only handles lists thatuse a comma plus a space as the separator.
Per https://tools.ietf.org/html/rfc7239#section-7.1, spaces are allowed
around commas — so we should handle that too.
This fixes #3607.
Signed-off-by: Raul Gutierrez Segales rgs@pinterest.com