Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Maintainable path normalization library #6588

Closed
htuch opened this issue Apr 15, 2019 · 15 comments · Fixed by #12023
Closed

Maintainable path normalization library #6588

htuch opened this issue Apr 15, 2019 · 15 comments · Fixed by #12023
Labels
area/security help wanted Needs help! tech debt

Comments

@htuch
Copy link
Member

htuch commented Apr 15, 2019
edited
Loading

Following up on the fix for CVE-2019-9900, where we snapshotted, minified and adapted parts of the Chromium URL library to support path normalization, we should figure out how to cleanly consume Chromium URL in Envoy or switch to another lighter weight path normalization library.

Action item for CVE-2019-9901
@giorgiozoppi
Copy link

giorgiozoppi commented May 24, 2019
edited
Loading

Wanna help where should i look at?

@htuch
Copy link
Member Author

htuch commented May 28, 2019

@giorgiozoppi I think the first step here is to figure out if we want a tighter Chromium integration for the URL library or go another path. @danzh2010 @wu-bin do you have any thoughts on where our Chromium URL consumption is going?

@giorgiozoppi
Copy link

giorgiozoppi commented Jun 1, 2019
edited
Loading

@htuch I will dig into the chromium_url meanwhile.

@wu-bin
Copy link
Contributor

wu-bin commented Jun 3, 2019

@htuch : Per @vasilvv, QUICHE only uses googleurl in some client utility class, not in the core code, so although we'd like to port googleurl into QUICHE, we can't really give a specific timeframe for that to happen.

@danzh2010 danzh2010 mentioned this issue Jun 5, 2019
Merged
@giorgiozoppi
Copy link

Options:

  1. rewrite a tiny self container url normalization using RFC 3986
  2. use googleurl.
    I would like to help in porting whatever urlnormalization library to quiche.

@danzh2010
Copy link
Contributor

I just into a usage of url normalization in quiche core code actually: https://cs.chromium.org/chromium/src/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.cc?rcl=68d15a821c88b0e85c345d1393643a25322ce608&l=858
and
https://cs.chromium.org/chromium/src/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.cc?rcl=68d15a821c88b0e85c345d1393643a25322ce608&l=452

These are the only two places where we probably need googleurl in core code. But having a light-weight home-grown library isn't a bad idea either.

@htuch
Copy link
Member Author

htuch commented Jun 5, 2019

The danger here is that it's easy to make mistakes in a homegrown library with significant security implications. What I would like to see if we go down this path is:

  1. Homegrown library does basically the same things as Chromium URL; we don't reinvent how normalization works, and a code review would be easy to see the correspondence between the two. It should however be a subset; we want to shrink to only the RFC required normalization.
  2. We add to our tests for this library all the Chromium URL tests.
  3. We write a fuzzer for this library, that not only tests for badness re: crashing but also asserts correctness properties.

I think if we have 1-3, I'd feel a little better. We still won't be picking up any security updates from Chromium URL, but maybe the smaller/simpler surface will reduce the need. CC @yanavlasov @asraa

@giorgiozoppi
Copy link

@htuch @yanavlasov @asraa. We could proceed with the same set of tests and add further tests , rippoff the things we need from chromium url, create a small test library and the game is over. If it is small it should be not difficult to mantain.

@yanavlasov
Copy link
Contributor

After looking at chromuim URL I think this reasonable approach rather than trying to depend on googleurl.

@danzh2010
Copy link
Contributor

Below are the functions quiche needs from GURL:
bool is_valid() const;
bool GURL::SchemeIsHTTPOrHTTPS() const;
bool has_username() const;
bool has_password() const;
bool has_path() const;
base::StringPiece path_piece() const;
bool has_query() const;
bool has_ref() const;
void InitCanonical(base::BasicStringPiece input_spec,
bool trim_path_end);

@htuch
Copy link
Member Author

htuch commented Jul 9, 2019

@danzh2010 do you have a plan-of-record for obtaining these? This is essentially what we pulled from Chromium URL:

envoy/source/common/chromium_url/url_canon_path.cc

Line 412 in 8cef5e3

bool CanonicalizePath(const char* spec, const Component& path, CanonOutput* output,

@jmarantz
Copy link
Contributor

https://quiche.googlesource.com/googleurl/ and Envoy links that in as part of Quic, so presumably it can use the googleurl library from there.

@moderation
Copy link
Contributor

Deprecation of http-parser is relevant here - #5155 (comment)

@htuch htuch mentioned this issue Oct 27, 2019
Closed
@twghu twghu mentioned this issue Jan 23, 2020
Open
@danzh2010 danzh2010 mentioned this issue Mar 24, 2020
Merged
@htuch
Copy link
Member Author

htuch commented Mar 30, 2020

From #10488 (comment):

As to release policy, this is directory is a partial copy of https://cs.chromium.org/chromium/src/url/ and https://cs.chromium.org/chromium/src/base/. Chromium has its own versioned release. Right now this directory is an arbitrary snap of that. But in the future, we can definitely use the same cut as Chrome use, like M80. Their security bugs can be tracked at https://bugs.chromium.org/p/chromium/issues/list?q=Type%3DBug-Security, but not all of them are relevant to url parsing. A tracked change between versions can be found here: https://chromium.googlesource.com/chromium/src/+log/82.0.4085.12..83.0.4093.3?pretty=fuller&n=10000

I just push all the info here. But we should definitely develop a plan about how to update and monitor this repo. As QUICHE is not the only user of this repo (we only use it for toy client), I think other users will be more alert and watchful to any security bugs than us. I would be happy to discuss and work out a plan for that.

We should try and put in place a sustainable policy around repo management here before closing out this ticket.

htuch pushed a commit that referenced this issue Mar 30, 2020
@danzh2010
Add googleurl as external dependency (#10488)
aa582de 
Add googleurl as external dependency.

Risk Level: low, not in use.
Part of #6588
Signed-off-by: Dan Zhang <[email protected]>
@htuch
Copy link
Member Author

htuch commented Jun 19, 2020

#10599 is a reasonable chunk of the work to get us here.

@dio dio mentioned this issue Jul 10, 2020
Merged
htuch pushed a commit that referenced this issue Jul 10, 2020
@dio
build: Remove chromium_url (#12023)
d828958 
This removes chromium_url in favor of GURL.

Risk Level: Low
Testing: Existing tests
Docs Changes: N/A
Release Notes: N/A

Fixes: #6588

Signed-off-by: Dhi Aurrahman <[email protected]>
scheler pushed a commit to scheler/envoy that referenced this issue Aug 4, 2020
@dio
build: Remove chromium_url (envoyproxy#12023)
4369125 
This removes chromium_url in favor of GURL.

Risk Level: Low
Testing: Existing tests
Docs Changes: N/A
Release Notes: N/A

Fixes: envoyproxy#6588

Signed-off-by: Dhi Aurrahman <[email protected]>
Signed-off-by: scheler <[email protected]>
@asraa asraa mentioned this issue Mar 3, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security help wanted Needs help! tech debt
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

build: Remove chromium_url
7 participants
@moderation @jmarantz @yanavlasov @htuch @danzh2010 @giorgiozoppi @wu-bin