Safe request access control #20260
Assignees
Labels
area/http
enhancement
Feature requests. Not bugs or questions.
no stalebot
Disables stalebot from closing an issue
Comments
yanavlasov
added
enhancement
yanavlasov
added
area/http
no stalebot
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
TL;DR; Provide ability for operators to configure safe access control based on URI path or other request headers that works correctly with specific back ends.
Background:
A collection of vulnerability reports against Istio and Envoy, such as CVE-2021-29492 demonstrate that standard compliant URI path normalization is not enough to ensure correctness of access control based on URI path (PBAC). Specifically correctness of PBAC depends on both intervening proxy and backend service observing the same URI path. While Envoy's path normalization is highly configurable, it is often difficult for operators to configure right options, or required options may be unsupported by Envoy.
A proposed solution, builds on extensible mechanism for validating request and response header maps, and provides extensions with header validation and path normalization, tailored for specific popular back-end servers.
List of back-end servers: TBD
Blocked by Issues:
The text was updated successfully, but these errors were encountered: