Sanitize headers nominated by the Connection header

[abaptiste]

Description: Sanitize headers nominated by the Connection header

Risk Level: Medium
Testing: Added several test cases to verify the header manipulation. Also executed bazel test //test/...
Docs Changes: N/A
Release Notes: N/A
Fixes: #8623

[yanavlasov]

Missing const

[abaptiste]

Would that mean that strict_header_validation_ is also missing a const?

[yanavlasov]

yes, thanks for fixing this as well.

[yanavlasov]

Nit: I would create a named constant for 10

[yanavlasov]

Note that the 'header_to_remove' is not used anywhere other than to initialize lcs_header_to_remove. To eliminate memory allocation here, you can just directly use std::string(token_sv) in the lcs_header_to_remove initialization.

[abaptiste]

Yep. With the multiple refactors I missed this.

[yanavlasov]

The header names are lowercase already. You can simplify this by making it lcs_header_to_remove == Http::Headers::get().Connection

[yanavlasov]

Same as above and other instances of header name comparison below.

[yanavlasov]

You can skip this step and just use nominated_header->value().getStringView() below.

[yanavlasov]

Typo in variable name

[abaptiste]

I thought I fixed this. I will double check.

[yanavlasov]

This may need a log message. Because form the log message printed by the caller it would be unclear why sanitizeConnectionHeader failed.

[abaptiste]

Certainly

[yanavlasov]

I'll defer to other reviewers to see this check is enough. It does not account for a weird edge case where a header name contains the "trailers" keyword. I thought about it more and I think your original version using StrSplit in the for range loop was correct. The StrSplit in the for range loop does not cause memory allocation and with the length check it would be safe. If the find check is deemed to be insufficient you should use check for the trailers keyword using your original method. Sorry abot flip-flopping on this one.

[abaptiste]

This check should only execute if the header itself is "TE". I removed the tokenization since it was expensive (per a comment on the old PR). In this change, if the header is "TE" and we find "trailers" and other values (there should be a check for whether a comma exists in the header value), then we would replace the existing value of TE: whatever, and, trailers with just TE: trailers.

There was a second commit where I fixed the variable spelling error and added this check. In any case, I'm open to what others would suggest here.

[yanavlasov]

Thanks, the change looks good. Just one last little thing you missed.

[yanavlasov]

One more instance of header comparison.

[abaptiste]

OK, let me work on this

[yanavlasov]

Look awesome, thanks for bearing with me. Just a couple of minor changes, please.

[yanavlasov]

Ah, yes ConnectionValues are std::string not LowerCaseString. Conversion from std::string to LowerCaseString may cause heap allocations. For the maximum of 10 tokens this part will do 40 allocations, copies and lower case conversions. We know that ConnectionValues are lowercase. I think a better approach would be to use (lcs_header_to_remove.get() == cv.Close) pattern, in this way a per iteration work is avoided.

[yanavlasov]

Excellent way to avoid needless clear and copy.

[yanavlasov]

The more I think about it, the more I agree that your original approach of looking for the "trailers" keyword was the correct one. This will fail if request has the "TE: TRAILERS" header which is allowed by the standard (values are case insensitive) and TE would be removed. It will also keep the header if request has the "TE: myabusivetrailersencoding", which I'm certain someone would figure out how to abuse. I think this should go back to the range for loop over the split nominated_header_value_sv and do the trim and lower case conversion before comparing to the "trailers" keyword. Sorry about taking your time with going back and forth on this one.

[abaptiste]

Your example is valid. I updated the code and added a test case that exercises this condition.

[yanavlasov]

It is very close. It can be cleaned up a bit more by removing the need for the tokens_to_remove map. Note that the condition for keeping the TE header is the presence of the "trailers" token. You can do the following:

1. leave the keep_header unchanged at the beginning of the loop
2. reverse the if statement condition inside the loop, so it it is true when the header_sv == "trailers"
3. inside the if statement set the keep_header and "break" out of the loop, since we do not care to look at the rest of the tokens
   After the loop, check if TE header has to be kept and if so set its value to "trailers". With this change you can remove the if statement below at line 484 entirely.
   This avoids the overhead of the building the hash map and calling the "removeTokens" method.

[yanavlasov]

Thank you for making this change.

[alyssawilk]

Looking great! here's some comments from my side

[alyssawilk]

can you add release notes at docs/root/intro/version_history.rst including the flag to flip to revert to prior behavior?

[abaptiste]

Sure thing!

[alyssawilk]

can we use StringUtil::splitToken, which auto-trims, and also allows removing empty headers?

[alyssawilk]

can we comment for posterity why we disallow these? If it's in the spec, we can link. If we just think it's high risk we can say that too.

[alyssawilk]

Ping on this one?

[alyssawilk]

should we trace log this as well for consistency?

[abaptiste]

Yep. Added a trace log here

[alyssawilk]

here I assume we don't want to use StringUtil::caseFindToken because it doesn't allow the limitation.
I think that's the right call just because while we could refactor to pass in MAX_ALLOWED_TE_VALUE_SIZE it'd result in complicated return values?
I'd still use StringUtil::splitToken though.

[alyssawilk]

I believe setCopy implicitly clears

[abaptiste]

I will remove the clear call

[alyssawilk]

does removeTokens remove empty fields?
Maybe a unit test for "foo, ,bar" and removing foo and bar?

[alyssawilk]

I think you can revert this change?

[abaptiste]

Yep, will clean this up.

[abaptiste]

/azp run envoy-macos

[azure-pipelines]

Commenter does not have sufficient privileges for PR 8862 in repo envoyproxy/envoy

[alyssawilk]

Two quick thoughts, and I owe you a final pass. As I'm out tomorrow and at EnvoyCon next week it may be laggy - sorry in advance!

[alyssawilk]

mind moving this down? we try for alphabetic order here

[abaptiste]

Will do.

[abaptiste]

Regarding the X-Forwarded for headers. I added a comment below the existing one. I will replace the lines on L445-446 with the updated comment.

See you at EnvoyCon! :)

[alyssawilk]

Ping on this one?

[alyssawilk]

one final nit, and one optional, and you're good to go!

[alyssawilk]

Sorry, but can you move this to above line 12 (http: support")?
Also I think backticks around the runtime name is standard

[abaptiste]

ugh, vim sort failed me :( Will fix ... again.

[alyssawilk]

You know, it only occurs to me now, but we should probably leave one of these tests here to verify connection sanitization works end to end, and do the rest as unit tests of the new function in test/common/http/utility_test.cc
I'm going to say this is 100% optional, since you've done all the work and I forgot to call it out like 8 reviews ago, but if you want to earn alyssawilk brownie points (probably not actually redeemable for brownies) it would be cheaper/faster for CI.

[abaptiste]

lol :) It's a deal!!

[yanavlasov]

My brownie points are not nearly as valuable as Alyssa's. But here a last suggestion I have. I think it will make these tests more informative by also checking the expected header map after sanitization. You can add something like this:

  TestHeaderMapImpl sanitized_headers = {
      {":method", "GET"},
      {":path", "/"},
      {":scheme", "http"},
      {":authority", "no-headers.com"},
      {"x-request-foo", "downstram"},
      {"connection", "te,close"},
      {"te", "trailers"},
  };
  EXPECT_EQ(sanitized_headers, request_headers);

Note that multivalue headers are compared as single value, so no space between "te,close".
I really appreciate your patience here.

[abaptiste]

Likewise. I will update. Thanks for the suggestion.

[abaptiste]

/retest

[repokitteh-read-only]

🤷‍♀️ nothing to rebuild.

🐱

Caused by: a #8862 (comment) was created by @abaptiste.

see: more, trace.

[alyssawilk]

Fantastic work, thanks especially for the extra test work at the end :-)