http: stream error on invalid HTTP messaging for HTTP/1

api/envoy/config/core/v3/protocol.proto

@@ -100,7 +100,7 @@ message HttpProtocolOptions {
   HeadersWithUnderscoresAction headers_with_underscores_action = 5;
 }
 
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message Http1ProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.core.Http1ProtocolOptions";
@@ -157,6 +157,11 @@ message Http1ProtocolOptions {
   //   - Not a response to a HEAD request.
   //   - The content length header is not present.
   bool enable_trailers = 5;
+
+  // Allows invalid HTTP messaging. When this option is disabled (default), then Envoy will terminate
+  // HTTP/1.1 connections upon receiving an invalid HTTP message. This overrides any HCM :ref:`stream_error_on_invalid_http_messaging
+  // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message>`
+  google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 6;
 }
 
 // [#next-free-field: 15]

include/envoy/http/codec.h

@@ -142,6 +142,12 @@ class ResponseEncoder : public virtual StreamEncoder {
    * @param trailers supplies the trailers to encode.
    */
   virtual void encodeTrailers(const ResponseTrailerMap& trailers) PURE;
+
+  /**
+   * Indicates whether invalid HTTP messaging should be handled with a stream error or a connection
+   * error.
+   */
+  virtual absl::optional<bool> streamErrorOnInvalidHttpMessage() const PURE;
 };
 
 /**
@@ -388,6 +394,8 @@ struct Http1Settings {
 
   // How header keys should be formatted when serializing HTTP/1.1 headers.
   HeaderKeyFormat header_key_format_{HeaderKeyFormat::Default};
+
+  absl::optional<bool> stream_error_on_invalid_http_message_{};
 };
 
 /**

source/common/http/conn_manager_impl.cc

@@ -1,5 +1,3 @@
-#include "common/http/conn_manager_impl.h"
-
 #include <cstdint>
 #include <functional>
 #include <list>
@@ -27,6 +25,7 @@
 #include "common/common/scope_tracker.h"
 #include "common/common/utility.h"
 #include "common/http/codes.h"
+#include "common/http/conn_manager_impl.h"
 #include "common/http/conn_manager_utility.h"
 #include "common/http/exception.h"
 #include "common/http/header_map_impl.h"
@@ -1524,8 +1523,10 @@ void ConnectionManagerImpl::ActiveStream::sendLocalReply(
   // The BadRequest error code indicates there has been a messaging error.
   if (Runtime::runtimeFeatureEnabled(
           "envoy.reloadable_features.hcm_stream_error_on_invalid_message") &&
-      !connection_manager_.config_.streamErrorOnInvalidHttpMessaging() &&
-      code == Http::Code::BadRequest && connection_manager_.codec_->protocol() < Protocol::Http2) {
+      code == Http::Code::BadRequest && connection_manager_.codec_->protocol() < Protocol::Http2 &&
+      !Utility::streamErrorOnInvalidHttpMessage(
+          connection_manager_.config_.streamErrorOnInvalidHttpMessaging(),
+          response_encoder_->streamErrorOnInvalidHttpMessage())) {
     state_.saw_connection_close_ = true;
   }
 

source/common/http/http1/codec_impl.h

@@ -123,8 +123,11 @@ class StreamEncoderImpl : public virtual StreamEncoder,
  */
 class ResponseEncoderImpl : public StreamEncoderImpl, public ResponseEncoder {
 public:
-  ResponseEncoderImpl(ConnectionImpl& connection, HeaderKeyFormatter* header_key_formatter)
-      : StreamEncoderImpl(connection, header_key_formatter) {}
+  ResponseEncoderImpl(ConnectionImpl& connection, HeaderKeyFormatter* header_key_formatter,
+                      absl::optional<bool>& stream_error_on_invalid_http_message)
+      : StreamEncoderImpl(connection, header_key_formatter) {
+    stream_error_on_invalid_http_message_ = stream_error_on_invalid_http_message;
+  }
 
   bool startedResponse() { return started_response_; }
 
@@ -133,8 +136,13 @@ class ResponseEncoderImpl : public StreamEncoderImpl, public ResponseEncoder {
   void encodeHeaders(const ResponseHeaderMap& headers, bool end_stream) override;
   void encodeTrailers(const ResponseTrailerMap& trailers) override { encodeTrailersBase(trailers); }
 
+  absl::optional<bool> streamErrorOnInvalidHttpMessage() const override {
+    return stream_error_on_invalid_http_message_;
+  }
+
 private:
   bool started_response_{};
+  absl::optional<bool> stream_error_on_invalid_http_message_;
 };
 
 /**
@@ -432,8 +440,9 @@ class ServerConnectionImpl : public ServerConnection, public ConnectionImpl {
    * An active HTTP/1.1 request.
    */
   struct ActiveRequest {
-    ActiveRequest(ConnectionImpl& connection, HeaderKeyFormatter* header_key_formatter)
-        : response_encoder_(connection, header_key_formatter) {}
+    ActiveRequest(ServerConnectionImpl& connection, HeaderKeyFormatter* header_key_formatter)
+        : response_encoder_(connection, header_key_formatter,
+                            connection.codec_settings_.stream_error_on_invalid_http_message_) {}
 
     HeaderString request_url_;
     RequestDecoder* request_decoder_{};

source/common/http/http1/codec_impl_legacy.h

@@ -136,8 +136,13 @@ class ResponseEncoderImpl : public StreamEncoderImpl, public ResponseEncoder {
   void encodeHeaders(const ResponseHeaderMap& headers, bool end_stream) override;
   void encodeTrailers(const ResponseTrailerMap& trailers) override { encodeTrailersBase(trailers); }
 
+  absl::optional<bool> streamErrorOnInvalidHttpMessage() const override {
+    return stream_error_on_invalid_http_message_;
+  }
+
 private:
   bool started_response_{};
+  absl::optional<bool> stream_error_on_invalid_http_message_;
 };
 
 /**

source/common/http/http2/codec_impl.h

@@ -349,7 +349,9 @@ class ConnectionImpl : public virtual Connection, protected Logger::Loggable<Log
    */
   struct ServerStreamImpl : public StreamImpl, public ResponseEncoder {
     ServerStreamImpl(ConnectionImpl& parent, uint32_t buffer_limit)
-        : StreamImpl(parent, buffer_limit), headers_or_trailers_(RequestHeaderMapImpl::create()) {}
+        : StreamImpl(parent, buffer_limit), headers_or_trailers_(RequestHeaderMapImpl::create()) {
+      stream_error_on_invalid_http_message_ = parent.stream_error_on_invalid_http_messaging_;
+    }
 
     // StreamImpl
     void submitHeaders(const std::vector<nghttp2_nv>& final_headers,
@@ -381,6 +383,11 @@ class ConnectionImpl : public virtual Connection, protected Logger::Loggable<Log
 
     RequestDecoder* request_decoder_{};
     absl::variant<RequestHeaderMapPtr, RequestTrailerMapPtr> headers_or_trailers_;
+    absl::optional<bool> stream_error_on_invalid_http_message_;
+
+    absl::optional<bool> streamErrorOnInvalidHttpMessage() const override {
+      return stream_error_on_invalid_http_message_;
+    }
   };
 
   using ServerStreamImplPtr = std::unique_ptr<ServerStreamImpl>;

source/common/http/http2/codec_impl_legacy.h

@@ -350,7 +350,9 @@ class ConnectionImpl : public virtual Connection, protected Logger::Loggable<Log
    */
   struct ServerStreamImpl : public StreamImpl, public ResponseEncoder {
     ServerStreamImpl(ConnectionImpl& parent, uint32_t buffer_limit)
-        : StreamImpl(parent, buffer_limit), headers_or_trailers_(RequestHeaderMapImpl::create()) {}
+        : StreamImpl(parent, buffer_limit), headers_or_trailers_(RequestHeaderMapImpl::create()) {
+      stream_error_on_invalid_http_message_ = parent.stream_error_on_invalid_http_messaging_;
+    }
 
     // StreamImpl
     void submitHeaders(const std::vector<nghttp2_nv>& final_headers,
@@ -382,6 +384,11 @@ class ConnectionImpl : public virtual Connection, protected Logger::Loggable<Log
 
     RequestDecoder* request_decoder_{};
     absl::variant<RequestHeaderMapPtr, RequestTrailerMapPtr> headers_or_trailers_;
+    absl::optional<bool> stream_error_on_invalid_http_message_;
+
+    absl::optional<bool> streamErrorOnInvalidHttpMessage() const override {
+      return stream_error_on_invalid_http_message_;
+    }
   };
 
   using ServerStreamImplPtr = std::unique_ptr<ServerStreamImpl>;

source/common/http/utility.cc

@@ -1,5 +1,3 @@
-#include "common/http/utility.h"
-
 #include <cstdint>
 #include <string>
 #include <vector>
@@ -19,6 +17,7 @@
 #include "common/http/header_map_impl.h"
 #include "common/http/headers.h"
 #include "common/http/message_impl.h"
+#include "common/http/utility.h"
 #include "common/network/utility.h"
 #include "common/protobuf/utility.h"
 #include "common/runtime/runtime_features.h"
@@ -410,9 +409,24 @@ Utility::parseHttp1Settings(const envoy::config::core::v3::Http1ProtocolOptions&
     ret.header_key_format_ = Http1Settings::HeaderKeyFormat::Default;
   }
 
+  if (config.has_override_stream_error_on_invalid_http_message()) {
+    ret.stream_error_on_invalid_http_message_ =
+        config.override_stream_error_on_invalid_http_message().value();
+  }
+
   return ret;
 }
 
+bool Utility::streamErrorOnInvalidHttpMessage(
+    bool hcm_stream_error_on_invalid_http_message,
+    const absl::optional<bool>& override_stream_error_on_invalid_http_message) {
+  if (override_stream_error_on_invalid_http_message.has_value()) {
+    return override_stream_error_on_invalid_http_message.value();
+  } else {
+    return hcm_stream_error_on_invalid_http_message;
+  }
+}
+
 void Utility::sendLocalReply(const bool& is_reset, StreamDecoderFilterCallbacks& callbacks,
                              const LocalReplyData& local_reply_data) {
   sendLocalReply(

source/common/http/utility.h

@@ -269,6 +269,10 @@ bool isWebSocketUpgradeRequest(const RequestHeaderMap& headers);
  */
 Http1Settings parseHttp1Settings(const envoy::config::core::v3::Http1ProtocolOptions& config);
 
+bool streamErrorOnInvalidHttpMessage(
+    const bool hcm_stream_error_on_invalid_http_message,
+    const absl::optional<bool>& override_stream_error_on_invalid_http_message);
+
 struct EncodeFunctions {
   // Function to rewrite locally generated response.
   std::function<void(ResponseHeaderMap& response_headers, Code& code, std::string& body,

source/extensions/filters/network/http_connection_manager/config.cc

@@ -1,5 +1,3 @@
-#include "extensions/filters/network/http_connection_manager/config.h"
-
 #include <chrono>
 #include <memory>
 #include <string>
@@ -35,6 +33,8 @@
 #include "common/tracing/http_tracer_config_impl.h"
 #include "common/tracing/http_tracer_manager_impl.h"
 
+#include "extensions/filters/network/http_connection_manager/config.h"
+
 namespace Envoy {
 namespace Extensions {
 namespace NetworkFilters {