fix: host header should not be allowed to modify #5533

Merged
zhaohuabing merged 2 commits into envoyproxy:main from zhaohuabing:fix-5182
Mar 21, 2025

Conversation

@zhaohuabing (Member)

Fix: #5182

@zhaohuabing zhaohuabing requested a review from a team as a code owner March 18, 2025 06:17
@zhaohuabing zhaohuabing changed the title fix: host header is not allowed to be modified fix: host header shout not be allowed to modify Mar 18, 2025
@zhaohuabing zhaohuabing changed the title fix: host header shout not be allowed to modify fix: host header should not be allowed to modify Mar 18, 2025
@zhaohuabing zhaohuabing marked this pull request as draft March 18, 2025 06:24
@zhaohuabing zhaohuabing marked this pull request as ready for review March 18, 2025 06:28
codecov bot commented Mar 18, 2025

Codecov Report

Attention: Patch coverage is 81.95489% with 24 lines in your changes missing coverage. Please review.

Project coverage is 65.21%. Comparing base (fcdab90) to head (653e9a5).
Report is 21 commits behind head on main.

Files with missing lines          Patch %   Lines
internal/gatewayapi/filters.go    81.95%    24 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5533      +/-   ##
==========================================
+ Coverage   65.20%   65.21%   +0.01%     
==========================================
  Files         213      213              
  Lines       34033    33954      -79     
==========================================
- Hits        22191    22143      -48     
+ Misses      10516    10485      -31     
  Partials     1326     1326              


@guydc (Contributor) previously approved these changes Mar 20, 2025

LGTM

@arkodg (Contributor) left a comment

LGTM thanks !

@zhaohuabing zhaohuabing merged commit 54efa34 into envoyproxy:main Mar 21, 2025
25 checks passed
@zhaohuabing zhaohuabing deleted the fix-5182 branch March 21, 2025 04:14
zhaohuabing added a commit to zhaohuabing/gateway that referenced this pull request Mar 21, 2025
* host header is not allowed to be modified
* address comment
(cherry picked from commit 54efa34)
guydc pushed a commit to guydc/gateway that referenced this pull request Mar 21, 2025
(cherry picked from commit 54efa34)
guydc added a commit that referenced this pull request Mar 24, 2025
* load BackendTLSPolicy in standalone mode (#5431)
* Wasm: cache Wasm OCI image permission check results (#5358)
  * add TTL for wasm permission check
  * fix test
  * change
  * refresh the cache
  * purge the cache
  * refactor
  * on retry on retriable errors
  * add release note
* Load EnvoyExtensionPolicy in standalone mode (#5460)
  * load EnvoyExtensionPolicy in standalone mode
  * more
  * release note
  * review: use a valid target name instead of myapp
  * gen
* fix: check for mirror backendRef in httproute index (#5497)
  * check for mirror backendRef
* fix: dont return an err when gatewayclass is not accepted (#5524)
  * bug: dont return an err when gatewayclass is not accepted
    this is a user generated error, we shouldnt log it as a system error, and return with an error
  * release notes
* fix: host header should not be allowed to modify (#5533)
  * host header is not allowed to be modified
  * address comment
* fix: retrigger reconciliation when backendRef of type ServiceImport is updated (#5461)
  * fix: retrigger reconciliation when backendRef of type ServiceImport is updated
* pin envoy and ratelimit
* fix: otel sink json access logging without text field (#5498)
  * fix otel sink json access logging without text field
  * use json format as default when format or type is not set
  * set formatters only if the slice of formatters is not empty
* [release/v1.3] v1.3.2 release notes (#5584)
arkodg added a commit that referenced this pull request Mar 25, 2025
* bump envoy to v1.32.4
* fix: host header should not be allowed to modify (#5533)
  * host header is not allowed to be modified
  * address comment
* add release note
* bump ratelimit to 0141a24
* Wasm: cache Wasm OCI image permission check results (#5358)
  * add TTL for wasm permission check
  * fix test
  * change
  * refresh the cache
  * purge the cache
  * refactor
  * on retry on retriable errors
  * add release note
* load BackendTLSPolicy in standalone mode (#5431)
* fix: check for mirror backendRef in httproute index (#5497)
  * check for mirror backendRef
* fix: dont return an err when gatewayclass is not accepted (#5524)
  * bug: dont return an err when gatewayclass is not accepted
    this is a user generated error, we shouldnt log it as a system error, and return with an error
  * release notes
* update release note
* update ratelimit
* fix gen
* Load EnvoyExtensionPolicy in standalone mode (#5460)
  * load EnvoyExtensionPolicy in standalone mode
  * more
  * release note
  * review: use a valid target name instead of myapp
  * gen
* add security update to release note
* fix: otel sink json access logging without text field (#5498)
  * fix otel sink json access logging without text field
  * use json format as default when format or type is not set
  * set formatters only if the slice of formatters is not empty
* update release date
* update release date
Development

Successfully merging this pull request may close these issues.

problem with all routes 404 when using incorrect filters