Update for oss-fuzz Issue 22106

.bazelrc

@@ -105,9 +105,12 @@ build:clang-msan --config=sanitizer
 build:clang-msan --define ENVOY_CONFIG_MSAN=1
 build:clang-msan --copt -fsanitize=memory
 build:clang-msan --linkopt -fsanitize=memory
+build:clang-msan --linkopt -fuse-ld=lld
 build:clang-msan --copt -fsanitize-memory-track-origins=2
+build:clang-msan --test_env=MSAN_SYMBOLIZER_PATH
 # MSAN needs -O1 to get reasonable performance.
 build:clang-msan --copt -O1
+build:clang-msan --copt -fno-optimize-sibling-calls
 
 # Clang with libc++
 build:libc++ --config=clang
@@ -237,6 +240,10 @@ build:remote-msan --config=remote
 build:remote-msan --config=rbe-toolchain-clang-libc++
 build:remote-msan --config=rbe-toolchain-msan
 
+build:remote-tsan --config=remote
+build:remote-tsan --config=rbe-toolchain-clang-libc++
+build:remote-tsan --config=rbe-toolchain-tsan
+
 build:remote-msvc-cl --config=remote-windows
 build:remote-msvc-cl --config=msvc-cl
 build:remote-msvc-cl --config=rbe-toolchain-msvc-cl
@@ -265,6 +272,10 @@ build:docker-clang-libc++ --config=rbe-toolchain-clang-libc++
 build:docker-gcc --config=docker-sandbox
 build:docker-gcc --config=rbe-toolchain-gcc
 
+build:docker-asan --config=docker-sandbox
+build:docker-asan --config=rbe-toolchain-clang-libc++
+build:docker-asan --config=rbe-toolchain-asan
+
 build:docker-msan --config=docker-sandbox
 build:docker-msan --config=rbe-toolchain-clang-libc++
 build:docker-msan --config=rbe-toolchain-msan

.clang-tidy

@@ -59,6 +59,10 @@ CheckOptions:
   - key:             readability-identifier-naming.EnumConstantCase
     value:           'CamelCase'
 
+  # Ignore GoogleTest function macros.
+  - key:             readability-identifier-naming.FunctionIgnoredRegexp
+    value:           '(TEST|TEST_F|TEST_P|INSTANTIATE_TEST_SUITE_P|MOCK_METHOD|TYPED_TEST)'
+
   - key:             readability-identifier-naming.ParameterCase
     value:           'lower_case'
 

CODEOWNERS

@@ -183,3 +183,6 @@ extensions/filters/http/oauth2 @rgs1 @derekargueta @snowp
 /*/extensions/filters/common/ext_authz @esmet @gsagula @dio
 /*/extensions/filters/http/ext_authz @esmet @gsagula @dio
 /*/extensions/filters/network/ext_authz @esmet @gsagula @dio
+# Original IP detection
+/*/extensions/http/original_ip_detection/custom_header @rgs1 @alyssawilk @antoniovicente
+/*/extensions/http/original_ip_detection/xff @rgs1 @alyssawilk @antoniovicente

GOVERNANCE.md

@@ -37,8 +37,8 @@
 * Triage GitHub issues and perform pull request reviews for other maintainers and the community.
   The areas of specialization listed in [OWNERS.md](OWNERS.md) can be used to help with routing
   an issue/question to the right person.
-* Triage build issues - file issues for known flaky builds or bugs, and either fix or find someone
-  to fix any main build breakages.
+* Triage build and CI issues. Monitor #envoy-ci and #test-flaky and file issues for failing builds,
+  flaky tests or new bugs, and either fix or find someone to fix any main build breakages.
 * During GitHub issue triage, apply all applicable [labels](https://github.com/envoyproxy/envoy/labels)
   to each new issue. Labels are extremely useful for future issue follow up. Which labels to apply
   is somewhat subjective so just use your best judgment. A few of the most important labels that are

PULL_REQUEST_TEMPLATE.md

@@ -8,9 +8,9 @@ Thank you in advance for helping to keep Envoy secure.
 
 !!!ATTENTION!!!
 
--->
 For an explanation of how to fill out the fields, please see the relevant section
 in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md)
+-->
 
 Commit Message:
 Additional Description:

api/BUILD

@@ -245,6 +245,8 @@ proto_library(
         "//envoy/extensions/filters/udp/udp_proxy/v3:pkg",
         "//envoy/extensions/health_checkers/redis/v3:pkg",
         "//envoy/extensions/http/header_formatters/preserve_case/v3:pkg",
+        "//envoy/extensions/http/original_ip_detection/custom_header/v3:pkg",
+        "//envoy/extensions/http/original_ip_detection/xff/v3:pkg",
         "//envoy/extensions/internal_redirect/allow_listed_routes/v3:pkg",
         "//envoy/extensions/internal_redirect/previous_routes/v3:pkg",
         "//envoy/extensions/internal_redirect/safe_cross_scheme/v3:pkg",

api/STYLE.md

@@ -34,6 +34,11 @@ In addition, the following conventions should be followed:
   implementation. These indicate that the entity is not implemented in Envoy and the entity
   should be hidden from the Envoy documentation.
 
+* Use a `[#alpha:]` annotation in comments for messages that are considered alpha
+  and are not subject to the threat model. This is similar to the work-in-progress/alpha tagging
+  of extensions described below, but allows tagging messages that are used as part of the core API
+  as alpha without having to break it into its own file.
+
 * Always use plural field names for `repeated` fields, such as `filters`.
 
 * Due to the fact that we consider JSON/YAML to be first class inputs, we cannot easily change a

api/envoy/admin/v3/config_dump.proto

@@ -57,7 +57,9 @@ message ConfigDump {
   // * *clusters*: :ref:`ClustersConfigDump <envoy_v3_api_msg_admin.v3.ClustersConfigDump>`
   // * *endpoints*:  :ref:`EndpointsConfigDump <envoy_v3_api_msg_admin.v3.EndpointsConfigDump>`
   // * *listeners*: :ref:`ListenersConfigDump <envoy_v3_api_msg_admin.v3.ListenersConfigDump>`
+  // * *scoped_routes*: :ref:`ScopedRoutesConfigDump <envoy_v3_api_msg_admin.v3.ScopedRoutesConfigDump>`
   // * *routes*:  :ref:`RoutesConfigDump <envoy_v3_api_msg_admin.v3.RoutesConfigDump>`
+  // * *secrets*:  :ref:`SecretsConfigDump <envoy_v3_api_msg_admin.v3.SecretsConfigDump>`
   //
   // EDS Configuration will only be dumped by using parameter `?include_eds`
   //

api/envoy/config/bootstrap/v3/bootstrap.proto

@@ -35,7 +35,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#protodoc-title: Bootstrap]
 // This proto is supplied via the :option:`-c` CLI flag and acts as the root
-// of the Envoy v2 configuration. See the :ref:`v2 configuration overview
+// of the Envoy v3 configuration. See the :ref:`v3 configuration overview
 // <config_overview_bootstrap>` for more detail.
 
 // Bootstrap :ref:`configuration overview <config_overview_bootstrap>`.

api/envoy/config/cluster/v3/cluster.proto

@@ -709,6 +709,7 @@ message Cluster {
   EdsClusterConfig eds_cluster_config = 3;
 
   // The timeout for new network connections to hosts in the cluster.
+  // If not set, a default value of 5s will be used.
   google.protobuf.Duration connect_timeout = 4 [(validate.rules).duration = {gt {}}];
 
   // Soft limit on size of the cluster’s connections read and write buffers. If

api/envoy/config/common/matcher/v3/matcher.proto

@@ -22,7 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // As an on_no_match might result in another matching tree being evaluated, this process
 // might repeat several times until the final OnMatch (or no match) is decided.
 //
-// This API is a work in progress.
+// [#alpha:]
 message Matcher {
   // What to do if a match is successful.
   message OnMatch {

api/envoy/config/core/v3/base.proto

@@ -236,7 +236,19 @@ message Metadata {
 
   // Key is the reverse DNS filter name, e.g. com.acme.widget. The envoy.*
   // namespace is reserved for Envoy's built-in filters.
+  // If both *filter_metadata* and
+  // :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
+  // fields are present in the metadata with same keys,
+  // only *typed_filter_metadata* field will be parsed.
   map<string, google.protobuf.Struct> filter_metadata = 1;
+
+  // Key is the reverse DNS filter name, e.g. com.acme.widget. The envoy.*
+  // namespace is reserved for Envoy's built-in filters.
+  // The value is encoded as google.protobuf.Any.
+  // If both :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
+  // and *typed_filter_metadata* fields are present in the metadata with same keys,
+  // only *typed_filter_metadata* field will be parsed.
+  map<string, google.protobuf.Any> typed_filter_metadata = 2;
 }
 
 // Runtime derived uint32 with a default when not specified.

api/envoy/config/core/v3/protocol.proto

@@ -71,6 +71,28 @@ message UpstreamHttpProtocolOptions {
   bool auto_san_validation = 2;
 }
 
+// Configures the alternate protocols cache which tracks alternate protocols that can be used to
+// make an HTTP connection to an origin server. See https://tools.ietf.org/html/rfc7838 for
+// HTTP Alternate Services and https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-04
+// for the "HTTPS" DNS resource record.
+message AlternateProtocolsCacheOptions {
+  // The name of the cache. Multiple named caches allow independent alternate protocols cache
+  // configurations to operate within a single Envoy process using different configurations. All
+  // alternate protocols cache options with the same name *must* be equal in all fields when
+  // referenced from different configuration components. Configuration will fail to load if this is
+  // not the case.
+  string name = 1 [(validate.rules).string = {min_len: 1}];
+
+  // The maximum number of entries that the cache will hold. If not specified defaults to 1024.
+  //
+  // .. note:
+  //
+  //   The implementation is approximate and enforced independently on each worker thread, thus
+  //   it is possible for the maximum entries in the cache to go slightly above the configured
+  //   value depending on timing. This is similar to how other circuit breakers work.
+  google.protobuf.UInt32Value max_entries = 2 [(validate.rules).uint32 = {gt: 0}];
+}
+
 // [#next-free-field: 6]
 message HttpProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =

api/envoy/extensions/common/matching/v3/extension_matcher.proto

@@ -18,6 +18,8 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // Wrapper around an existing extension that provides an associated matcher. This allows
 // decorating an existing extension with a matcher, which can be used to match against
 // relevant protocol data.
+//
+// [#alpha:]
 message ExtensionWithMatcher {
   // The associated matcher.
   config.common.matcher.v3.Matcher matcher = 1 [(validate.rules).message = {required: true}];

api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto

@@ -43,4 +43,9 @@ message AwsRequestSigning {
   // value set here would be used for signing whereas the value set in the HCM would be used
   // for host header forwarding which is not the desired outcome.
   string host_rewrite = 3;
+
+  // Instead of buffering the request to calculate the payload hash, use the literal string ``UNSIGNED-PAYLOAD``
+  // to calculate the payload hash. Not all services support this option. See the `S3
+  // <https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html>`_ policy for details.
+  bool use_unsigned_payload = 4;
 }

api/envoy/extensions/filters/http/composite/v3/composite.proto

@@ -26,6 +26,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // :ref:`ExecuteFilterAction <envoy_v3_api_msg_extensions.filters.http.composite.v3.ExecuteFilterAction>`)
 // which filter configuration to create and delegate to.
 //
+// [#alpha:]
 message Composite {
 }
 

api/envoy/extensions/filters/network/http_connection_manager/v3/BUILD

@@ -6,6 +6,7 @@ licenses(["notice"])  # Apache 2
 
 api_proto_package(
     deps = [
+        "//envoy/annotations:pkg",
         "//envoy/config/accesslog/v3:pkg",
         "//envoy/config/core/v3:pkg",
         "//envoy/config/filter/network/http_connection_manager/v2:pkg",