diff --git a/WORKSPACE b/WORKSPACE index 6492601eed1..68e052b6be2 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -38,10 +38,10 @@ bind( # 2. Update .bazelversion, envoy.bazelrc and .bazelrc if needed. # # Note: this is needed by release builder to resolve envoy dep sha to tag. -# Commit date: 2020-01-20 -ENVOY_SHA = "f2f6943f8ec40e99ee5dbf2383bfe6014c6dc518" +# Commit date: 2021-02-19 +ENVOY_SHA = "b53730dbd9dbc51cf0166786482a6ccd38482248" -ENVOY_SHA256 = "15fb0cb8b8e751c1762c6153633282a7693bcb6c9d76d695523b6f287249d0a7" +ENVOY_SHA256 = "4993b302c0c0b7a550cb391c17a9dc6ed8e34eb017a7db714b4903a2ae4b7101" ENVOY_ORG = "envoyproxy" diff --git a/envoy.bazelrc b/envoy.bazelrc index faa93d0bff4..209f1180ff0 100644 --- a/envoy.bazelrc +++ b/envoy.bazelrc @@ -277,12 +277,20 @@ build:remote-ci --remote_cache=grpcs://remotebuildexecution.googleapis.com build:remote-ci --remote_executor=grpcs://remotebuildexecution.googleapis.com # Fuzz builds + +# Shared fuzzing configuration. +build:fuzzing --define=ENVOY_CONFIG_ASAN=1 +build:fuzzing --copt=-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +build:fuzzing --config=libc++ + # Fuzzing without ASAN. This is useful for profiling fuzzers without any ASAN artifacts. +build:plain-fuzzer --config=fuzzing build:plain-fuzzer --define=FUZZING_ENGINE=libfuzzer -build:plain-fuzzer --define ENVOY_CONFIG_ASAN=1 +# The fuzzing rules provide their own instrumentation, but it is currently +# disabled due to bazelbuild/bazel#12888. Instead, we provide instrumentation at +# the top level through these options. build:plain-fuzzer --copt=-fsanitize=fuzzer-no-link build:plain-fuzzer --linkopt=-fsanitize=fuzzer-no-link -build:plain-fuzzer --copt=-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION build:asan-fuzzer --config=plain-fuzzer build:asan-fuzzer --config=asan 
@@ -290,6 +298,21 @@ build:asan-fuzzer --copt=-fno-omit-frame-pointer # Remove UBSAN halt_on_error to avoid crashing on protobuf errors. build:asan-fuzzer --test_env=UBSAN_OPTIONS=print_stacktrace=1 +build:oss-fuzz --config=fuzzing +build:oss-fuzz --define=FUZZING_ENGINE=oss-fuzz +build:oss-fuzz --@rules_fuzzing//fuzzing:cc_engine_instrumentation=oss-fuzz +build:oss-fuzz --@rules_fuzzing//fuzzing:cc_engine_sanitizer=none +build:oss-fuzz --dynamic_mode=off +build:oss-fuzz --strip=never +build:oss-fuzz --copt=-fno-sanitize=vptr +build:oss-fuzz --linkopt=-fno-sanitize=vptr +build:oss-fuzz --define=tcmalloc=disabled +build:oss-fuzz --define=signal_trace=disabled +build:oss-fuzz --copt=-D_LIBCPP_DISABLE_DEPRECATION_WARNINGS +build:oss-fuzz --define=force_libcpp=enabled +build:oss-fuzz --linkopt=-lc++ +build:oss-fuzz --linkopt=-pthread + # Compile database generation config build:compdb --build_tag_filters=-nocompdb diff --git a/extensions/attributegen/plugin_test.cc b/extensions/attributegen/plugin_test.cc index 86db14dd8a6..611d746a34a 100644 --- a/extensions/attributegen/plugin_test.cc +++ b/extensions/attributegen/plugin_test.cc @@ -187,8 +187,8 @@ class WasmHttpFilterTest : public testing::TestWithParam { // This is synchronous, even though it happens thru a callback due to null // vm. Extensions::Common::Wasm::createWasm( - proto_config.config().vm_config(), plugin_, scope_, cluster_manager_, - init_manager_, dispatcher_, *api, lifecycle_notifier_, + proto_config.config().vm_config(), cr_config_, plugin_, scope_, + cluster_manager_, init_manager_, dispatcher_, *api, lifecycle_notifier_, remote_data_provider_, [this](WasmHandleSharedPtr wasm) { wasm_ = wasm; }, [](Wasm* wasm, const std::shared_ptr& plugin) { 
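Review bot: The fixture in extensions/attributegen/plugin_test.cc only ever hands a default-constructed `cr_config_` to `createWasm`, so the new capability-restriction argument is exercised solely with an empty allow-list. Nothing visible in these two hunks covers a non-empty `allowed_capabilities` map, which is the configuration that actually denies host calls to a plugin. Consider a parameterised case that fills `cr_config_` with just the capabilities the plugin needs, and at minimum document the member in the second hunk, e.g. `// Left empty on purpose: no capability restriction is applied in these tests.`. The class body starts and ends outside both hunks.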
@@ -270,6 +270,7 @@ class WasmHttpFilterTest : public testing::TestWithParam { NiceMock local_info_; NiceMock lifecycle_notifier_; envoy::config::core::v3::Metadata listener_metadata_; + envoy::extensions::wasm::v3::CapabilityRestrictionConfig cr_config_; TestRoot* root_context_ = nullptr; Config::DataSource::RemoteAsyncDataProviderPtr remote_data_provider_; }; diff --git a/src/envoy/extensions/wasm/wasm.cc b/src/envoy/extensions/wasm/wasm.cc index b8f1164de30..548894d00c6 100644 --- a/src/envoy/extensions/wasm/wasm.cc +++ b/src/envoy/extensions/wasm/wasm.cc @@ -51,11 +51,12 @@ class IstioWasm : public Wasm { public: IstioWasm(absl::string_view runtime, absl::string_view vm_id, absl::string_view vm_configuration, absl::string_view vm_key, + proxy_wasm::AllowedCapabilitiesMap allowed_capabilities, const Stats::ScopeSharedPtr& scope, Upstream::ClusterManager& cluster_manager, Event::Dispatcher& dispatcher) - : Wasm(runtime, vm_id, vm_configuration, vm_key, scope, cluster_manager, - dispatcher) {} + : Wasm(runtime, vm_id, vm_configuration, vm_key, allowed_capabilities, + scope, cluster_manager, dispatcher) {} IstioWasm(std::shared_ptr other, Event::Dispatcher& dispatcher) : Wasm(other, dispatcher) {} ~IstioWasm() override = default; 
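Review bot: In src/envoy/extensions/wasm/wasm.cc the new `allowed_capabilities` constructor parameter is taken by value and then passed to the `Wasm` base as an lvalue, so the map is copied again on the way down. If the base constructor also takes it by value (its declaration is not visible here), forward it with `std::move(allowed_capabilities)` in the initializer list. The same applies to the `std::make_shared` call in the `wasmFactory()` hunk, where the local map is not used after construction. The `IstioWasm` class body continues outside the hunk.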
@@ -101,15 +102,23 @@ class IstioWasmExtension : public EnvoyWasm { }; WasmHandleExtensionFactory IstioWasmExtension::wasmFactory() { - return [](const VmConfig vm_config, const Stats::ScopeSharedPtr& scope, + return [](const VmConfig vm_config, + const CapabilityRestrictionConfig capability_restriction_config, + const Stats::ScopeSharedPtr& scope, Upstream::ClusterManager& cluster_manager, Event::Dispatcher& dispatcher, Server::ServerLifecycleNotifier& lifecycle_notifier, absl::string_view vm_key) -> WasmHandleBaseSharedPtr { - auto wasm = - std::make_shared(vm_config.runtime(), vm_config.vm_id(), - anyToBytes(vm_config.configuration()), - vm_key, scope, cluster_manager, dispatcher); + // TODO(rapilado): make this transformation in Proxy-Wasm C++ Host. + proxy_wasm::AllowedCapabilitiesMap allowed_capabilities; + for (auto& capability : + capability_restriction_config.allowed_capabilities()) { + allowed_capabilities[capability.first] = proxy_wasm::SanitizationConfig(); + } + auto wasm = std::make_shared( + vm_config.runtime(), vm_config.vm_id(), + anyToBytes(vm_config.configuration()), vm_key, allowed_capabilities, + scope, cluster_manager, dispatcher); wasm->initializeLifecycle(lifecycle_notifier); return std::static_pointer_cast( std::make_shared(std::move(wasm)));
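Review bot: The conversion loop in `wasmFactory()` keeps only `capability.first` and assigns a default `proxy_wasm::SanitizationConfig()`, so any sanitization settings an operator puts in the proto value are silently discarded. The TODO only mentions moving the transformation into the host library and does not say the value is ignored on purpose. State that at the loop, e.g. `// NOTE: capability.second (SanitizationConfig) is ignored; only the capability name is enforced.`, and bind the element as `const auto& capability` since it is never modified. It is also worth documenting what an empty allow-list means: in the proxy-wasm host as I understand it, an empty map applies no restriction at all, so an omitted config leaves every host call available to the module. The lambda body continues outside the hunk.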