wasm: crashes when removing ":status" header in the response. #15487
Comments
|
There should be an issue for that already, but I cannot find it either. I recall that @asraa was working on Envoy-wide guards against misbehaving filters/plugins, including removing |
|
^ @asraa any comments? |
|
That's noted right here and it hasn't been fixed :( #14960 Could you confirm that this is where Envoy crashes? envoy/source/common/http/http2/codec_impl.cc Line 223 in d5e8634 |
|
Found the issue |
|
@asraa thanks! @mathetake we should probably fix this at the Wasm level anyway, not only to avoid the crash (since that's going to be fixed in #13756), but also to notify the plugin. The issue is that currently we return The other option is to simply ignore the bad headers update and log something at the error level to notify the user. Any thoughts? |
|
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions. |
github-actions
bot
added
the
stale
|
Not stale. |
github-actions
bot
removed
the
stale
|
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions. |
github-actions
bot
added
the
stale
|
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions. |
|
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions. |
|
not stale |
|
#16745 I reworked the Envoy-wide solution |
… chain. (#16745) This is the rework of the previous PR (#15658). Additional Description: Previously, Envoy hasn't been guarded from the removal of critical response headers like :status. This happens when there's misbehaving filter chan, and especially this protection is important when users run their own extensions through Wasm. Resolves #13756 and ref: #15487. Testing: new integration tests Risk: low Signed-off-by: Takeshi Yoneda <[email protected]>
… chain. (envoyproxy#16745) This is the rework of the previous PR (envoyproxy#15658). Additional Description: Previously, Envoy hasn't been guarded from the removal of critical response headers like :status. This happens when there's misbehaving filter chan, and especially this protection is important when users run their own extensions through Wasm. Resolves envoyproxy#13756 and ref: envoyproxy#15487. Testing: new integration tests Risk: low Signed-off-by: Takeshi Yoneda <[email protected]>
Currently Envoy does not limit which headers can be modified from Wasm plugins, so if a plugin removes, for example, :status header from the response headers, then Envoy crashes. Ideally, we should verify the final headers in the Wasm plugin in Envoy. In any way, Envoy should not crash even when the processed headers from filters are invalid in terms of the "contents".
This is a potential security risk when we start running untrusted Wasm binaries. I think this might not be a Wasm specific issue, but rather a generic point we can improve to make Envoy protected against a crash path.
I guess there's already a similar GH issue, but I couldn't find. Thanks!
cc @PiotrSikora @lizan
The text was updated successfully, but these errors were encountered: