istio · istio-testing · Feb 19, 2021 · Feb 19, 2021 · Feb 19, 2021 · PiotrSikora
@@ -38,10 +38,10 @@ bind(
 # 2. Update .bazelversion, envoy.bazelrc and .bazelrc if needed.
 #
 # Note: this is needed by release builder to resolve envoy dep sha to tag.
-# Commit date: 2020-01-20
-ENVOY_SHA = "f2f6943f8ec40e99ee5dbf2383bfe6014c6dc518"
+# Commit date: 2021-02-19
+ENVOY_SHA = "b53730dbd9dbc51cf0166786482a6ccd38482248"
 
-ENVOY_SHA256 = "15fb0cb8b8e751c1762c6153633282a7693bcb6c9d76d695523b6f287249d0a7"
+ENVOY_SHA256 = "4993b302c0c0b7a550cb391c17a9dc6ed8e34eb017a7db714b4903a2ae4b7101"
 
 ENVOY_ORG = "envoyproxy"
 

@@ -277,19 +277,42 @@ build:remote-ci --remote_cache=grpcs://remotebuildexecution.googleapis.com
 build:remote-ci --remote_executor=grpcs://remotebuildexecution.googleapis.com
 
 # Fuzz builds
+
+# Shared fuzzing configuration.
+build:fuzzing --define=ENVOY_CONFIG_ASAN=1
+build:fuzzing --copt=-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+build:fuzzing --config=libc++
+
 # Fuzzing without ASAN. This is useful for profiling fuzzers without any ASAN artifacts.
+build:plain-fuzzer --config=fuzzing
 build:plain-fuzzer --define=FUZZING_ENGINE=libfuzzer
-build:plain-fuzzer --define ENVOY_CONFIG_ASAN=1
+# The fuzzing rules provide their own instrumentation, but it is currently
+# disabled due to bazelbuild/bazel#12888. Instead, we provide instrumentation at
+# the top level through these options.
 build:plain-fuzzer --copt=-fsanitize=fuzzer-no-link
 build:plain-fuzzer --linkopt=-fsanitize=fuzzer-no-link
-build:plain-fuzzer --copt=-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 
 build:asan-fuzzer --config=plain-fuzzer
 build:asan-fuzzer --config=asan
 build:asan-fuzzer --copt=-fno-omit-frame-pointer
 # Remove UBSAN halt_on_error to avoid crashing on protobuf errors.
 build:asan-fuzzer --test_env=UBSAN_OPTIONS=print_stacktrace=1
 
+build:oss-fuzz --config=fuzzing
+build:oss-fuzz --define=FUZZING_ENGINE=oss-fuzz
+build:oss-fuzz --@rules_fuzzing//fuzzing:cc_engine_instrumentation=oss-fuzz
+build:oss-fuzz --@rules_fuzzing//fuzzing:cc_engine_sanitizer=none
+build:oss-fuzz --dynamic_mode=off
+build:oss-fuzz --strip=never
+build:oss-fuzz --copt=-fno-sanitize=vptr
+build:oss-fuzz --linkopt=-fno-sanitize=vptr
+build:oss-fuzz --define=tcmalloc=disabled
+build:oss-fuzz --define=signal_trace=disabled
+build:oss-fuzz --copt=-D_LIBCPP_DISABLE_DEPRECATION_WARNINGS
+build:oss-fuzz --define=force_libcpp=enabled
+build:oss-fuzz --linkopt=-lc++
+build:oss-fuzz --linkopt=-pthread
+
 # Compile database generation config
 build:compdb --build_tag_filters=-nocompdb
 

@@ -187,8 +187,8 @@ class WasmHttpFilterTest : public testing::TestWithParam<TestParams> {
     // This is synchronous, even though it happens thru a callback due to null
     // vm.
     Extensions::Common::Wasm::createWasm(
-        proto_config.config().vm_config(), plugin_, scope_, cluster_manager_,
-        init_manager_, dispatcher_, *api, lifecycle_notifier_,
+        proto_config.config().vm_config(), cr_config_, plugin_, scope_,
+        cluster_manager_, init_manager_, dispatcher_, *api, lifecycle_notifier_,
         remote_data_provider_,
         [this](WasmHandleSharedPtr wasm) { wasm_ = wasm; },
         [](Wasm* wasm, const std::shared_ptr<Common::Wasm::Plugin>& plugin) {
@@ -270,6 +270,7 @@ class WasmHttpFilterTest : public testing::TestWithParam<TestParams> {
   NiceMock<LocalInfo::MockLocalInfo> local_info_;
   NiceMock<Server::MockServerLifecycleNotifier> lifecycle_notifier_;
   envoy::config::core::v3::Metadata listener_metadata_;
+  envoy::extensions::wasm::v3::CapabilityRestrictionConfig cr_config_;
   TestRoot* root_context_ = nullptr;
   Config::DataSource::RemoteAsyncDataProviderPtr remote_data_provider_;
 };

@@ -51,11 +51,12 @@ class IstioWasm : public Wasm {
  public:
   IstioWasm(absl::string_view runtime, absl::string_view vm_id,
             absl::string_view vm_configuration, absl::string_view vm_key,
+            proxy_wasm::AllowedCapabilitiesMap allowed_capabilities,
             const Stats::ScopeSharedPtr& scope,
             Upstream::ClusterManager& cluster_manager,
             Event::Dispatcher& dispatcher)
-      : Wasm(runtime, vm_id, vm_configuration, vm_key, scope, cluster_manager,
-             dispatcher) {}
+      : Wasm(runtime, vm_id, vm_configuration, vm_key, allowed_capabilities,
+             scope, cluster_manager, dispatcher) {}
   IstioWasm(std::shared_ptr<WasmHandle> other, Event::Dispatcher& dispatcher)
       : Wasm(other, dispatcher) {}
   ~IstioWasm() override = default;
@@ -101,15 +102,23 @@ class IstioWasmExtension : public EnvoyWasm {
 };
 
 WasmHandleExtensionFactory IstioWasmExtension::wasmFactory() {
-  return [](const VmConfig vm_config, const Stats::ScopeSharedPtr& scope,
+  return [](const VmConfig vm_config,
+            const CapabilityRestrictionConfig capability_restriction_config,
+            const Stats::ScopeSharedPtr& scope,
             Upstream::ClusterManager& cluster_manager,
             Event::Dispatcher& dispatcher,
             Server::ServerLifecycleNotifier& lifecycle_notifier,
             absl::string_view vm_key) -> WasmHandleBaseSharedPtr {
-    auto wasm =
-        std::make_shared<IstioWasm>(vm_config.runtime(), vm_config.vm_id(),
-                                    anyToBytes(vm_config.configuration()),
-                                    vm_key, scope, cluster_manager, dispatcher);
+    // TODO(rapilado): make this transformation in Proxy-Wasm C++ Host.
+    proxy_wasm::AllowedCapabilitiesMap allowed_capabilities;
+    for (auto& capability :
+         capability_restriction_config.allowed_capabilities()) {
+      allowed_capabilities[capability.first] = proxy_wasm::SanitizationConfig();
+    }
+    auto wasm = std::make_shared<IstioWasm>(
+        vm_config.runtime(), vm_config.vm_id(),
+        anyToBytes(vm_config.configuration()), vm_key, allowed_capabilities,
+        scope, cluster_manager, dispatcher);
     wasm->initializeLifecycle(lifecycle_notifier);
     return std::static_pointer_cast<WasmHandleBase>(
         std::make_shared<WasmHandle>(std::move(wasm)));