Release 1.3 use after free

.bazelrc

@@ -13,6 +13,7 @@ startup --host_jvm_args=-Xmx2g
 build --workspace_status_command=bazel/get_workspace_status
 build --experimental_remap_main_repo
 build --experimental_local_memory_estimate
+build --experimental_strict_action_env=true
 build --host_force_python=PY2
 build --action_env=BAZEL_LINKLIBS=-l%:libstdc++.a
 build --action_env=BAZEL_LINKOPTS=-lm:-static-libgcc
@@ -27,6 +28,7 @@ build --action_env=PATH
 # Basic ASAN/UBSAN that works for gcc
 build:asan --action_env=BAZEL_LINKLIBS=
 build:asan --action_env=BAZEL_LINKOPTS=-lstdc++:-lm
+build:asan --action_env=ENVOY_ASAN=1
 build:asan --define ENVOY_CONFIG_ASAN=1
 build:asan --copt -fsanitize=address,undefined
 build:asan --linkopt -fsanitize=address,undefined
@@ -58,6 +60,7 @@ build:macos-asan --copt -DGRPC_BAZEL_BUILD
 build:macos-asan --dynamic_mode=off
 
 # Clang TSAN
+build:clang-tsan --action_env=ENVOY_TSAN=1
 build:clang-tsan --define ENVOY_CONFIG_TSAN=1
 build:clang-tsan --copt -fsanitize=thread
 build:clang-tsan --linkopt -fsanitize=thread
@@ -69,6 +72,7 @@ build:clang-tsan --copt -DEVENT__DISABLE_DEBUG_MODE
 
 # Clang MSAN - broken today since we need to rebuild lib[std]c++ and external deps with MSAN
 # support (see https://github.com/envoyproxy/envoy/issues/443).
+build:clang-msan --action_env=ENVOY_MSAN=1
 build:clang-msan --define ENVOY_CONFIG_MSAN=1
 build:clang-msan --copt -fsanitize=memory
 build:clang-msan --linkopt -fsanitize=memory
@@ -79,6 +83,7 @@ build:clang-msan --copt -fsanitize-memory-track-origins=2
 # TODO(cmluciano) fix and re-enable _LIBCPP_VERSION testing for TCMALLOC in Envoy::Stats::TestUtil::hasDeterministicMallocStats
 # and update stats_integration_test with appropriate m_per_cluster value
 build:libc++ --action_env=CXXFLAGS=-stdlib=libc++
+build:libc++ --action_env=LDFLAGS=-stdlib=libc++
 build:libc++ --action_env=BAZEL_CXXOPTS=-stdlib=libc++
 build:libc++ --action_env=BAZEL_LINKLIBS=-l%:libc++.a:-l%:libc++abi.a:-lm
 build:libc++ --host_linkopt=-fuse-ld=lld
@@ -104,6 +109,8 @@ build:rbe-toolchain-clang-libc++ --config=rbe-toolchain
 build:rbe-toolchain-clang-libc++ --crosstool_top=@rbe_ubuntu_clang_libcxx//cc:toolchain
 build:rbe-toolchain-clang-libc++ --extra_toolchains=@rbe_ubuntu_clang_libcxx//config:cc-toolchain
 build:rbe-toolchain-clang-libc++ --action_env=CC=clang --action_env=CXX=clang++ --action_env=PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/llvm-8/bin
+build:rbe-toolchain-clang-libc++ --action_env=CXXFLAGS=-stdlib=libc++
+build:rbe-toolchain-clang-libc++ --action_env=LDFLAGS=-stdlib=libc++
 
 build:rbe-toolchain-gcc --config=rbe-toolchain
 build:rbe-toolchain-gcc --crosstool_top=@rbe_ubuntu_gcc//cc:toolchain

.circleci/config.yml

@@ -4,7 +4,7 @@ executors:
   ubuntu-build:
     description: "A regular build executor based on ubuntu image"
     docker:
-      - image: piotrsikora/envoy:625451803d48ae5ac9944de8d0e999be408d7a6c
+      - image: piotrsikora/envoy:d799827e285e2f4f42f4ecf284ff4cc999f48e35
     resource_class: xlarge
     working_directory: /source
 
@@ -73,10 +73,12 @@ jobs:
 
    macos:
      macos:
-       xcode: "10.2.1"
+       xcode: "11.0.0"
      environment:
        BAZEL_BUILD_EXTRA_OPTIONS: "--define wasm=v8" # v8 only, WAVM segfaults in tests.
        BAZEL_TEST_TARGETS: "//test/extensions/access_loggers/wasm/... //test/extensions/filters/http/wasm/... //test/extensions/wasm/..."
+       CC: clang
+       CXX: clang++
      steps:
        - run: sudo sntp -sS time.apple.com
        - run: rm -rf /home/circleci/project/.git # CircleCI git caching is likely broken

CODEOWNERS

@@ -1,57 +1 @@
-# TODO(zuercher): determine how we want to deal with auto-assignment
-# By default, @envoyproxy/maintainers own everything.
-#*       @envoyproxy/maintainers
-
-# api
-/api/ @envoyproxy/api-shepherds
-# access loggers
-/*/extensions/access_loggers/common @auni53 @zuercher
-# csrf extension
-/*/extensions/filters/http/csrf @dschaller @mattklein123
-# original_src http filter extension
-/*/extensions/filters/http/original_src @snowp @klarose
-# original_src listener filter extension
-/*/extensions/filters/listener/original_src @snowp @klarose
-# original_src common extension
-extensions/filters/common/original_src @snowp @klarose
-# dubbo_proxy extension
-/*/extensions/filters/network/dubbo_proxy @zyfjeff @lizan
-# thrift_proxy extension
-/*/extensions/filters/network/thrift_proxy @zuercher @brian-pane
-# jwt_authn http filter extension
-/*/extensions/filters/http/jwt_authn @qiwzhang @lizan
-# grpc_http1_reverse_bridge http filter extension
-/*/extensions/filters/http/grpc_http1_reverse_bridge @snowp @zuercher
-# header_to_metadata extension
-/*/extensions/filters/http/header_to_metadata @rgs1 @zuercher
-# alts transport socket extension
-/*/extensions/transport_sockets/alts @htuch @yangminzhu
-# sni_cluster extension
-/*/extensions/filters/network/sni_cluster @rshriram @lizan
-# tracers.datadog extension
-/*/extensions/tracers/datadog @cgilmour @palazzem
-# mysql_proxy extension
-/*/extensions/filters/network/mysql_proxy @rshriram @venilnoronha @mattklein123
-# quic extension
-/*/extensions/quic_listeners/ @alyssawilk @danzh2010 @mattklein123 @mpwarres @wu-bin
-# zookeeper_proxy extension
-/*/extensions/filters/network/zookeeper_proxy @rgs1 @snowp
-# redis cluster extension
-/*/extensions/clusters/redis @msukalski @henryyyang @mattklein123
-# dynamic forward proxy
-/*/extensions/clusters/dynamic_forward_proxy @mattklein123 @alyssawilk
-/*/extensions/common/dynamic_forward_proxy @mattklein123 @alyssawilk
-/*/extensions/filters/http/dynamic_forward_proxy @mattklein123 @alyssawilk
-# omit_canary_hosts retry predicate
-/*/extensions/retry/host/omit_canary_hosts @sriduth @snowp
-# aws_iam grpc credentials
-/*/extensions/grpc_credentials/aws_iam @lavignes @mattklein123
-/*/extensions/filters/http/common/aws @lavignes @mattklein123
-# adaptive concurrency limit extension.
-/*/extensions/filters/http/adaptive_concurrency @tonya11en @mattklein123
-# http inspector
-/*/extensions/filters/listener/http_inspector @crazyxy @PiotrSikora @lizan
-# WebAssembly extensions
-/*/extensions/access_loggers/wasm @jplevyak @PiotrSikora
-/*/extensions/common/wasm @jplevyak @PiotrSikora
-/*/extensions/filters/http/wasm @jplevyak @PiotrSikora
+* @istio/release-managers-1-3

WASM.md

@@ -1,65 +1,14 @@
 WebAssembly Extension Support
 
-# Build Dependencies
+# C++ SDK
 
-## glib2.0
+A C++ SDK is available including a docker image build environment. See api/wasm/cpp/README.md.
 
-Note: this may be required on Debian/Ubuntu.
+# Rust SDK
 
-apt-get install libglib2.0-dev
+The Rust SDK is a WIP. See api/wasm/rust/README.md.
 
-## emscripten
-
-git clone https://github.com/emscripten-core/emsdk.git  
-cd emsdk  
-./emsdk install sdk-1.38.25-64bit  
-./emsdk activate sdk-1.38.25-64bit  
-
-. ./emsdk\_env.sh  
-
-It is possible later versions will work, e.g.
-
-./emsdk install latest  
-./emsdk activate latest  
-
-However 1.38.25 is known to work.
-
-## clang-7 or clang-8
-
-export CC=clang  
-export CXX=clang++  
-
-Note: ensure that you have clang in your path (e.g. /usr/lib/llvm-7/bin).
-
-## protobuf v3.6.1
-
-git clone https://github.com/protocolbuffers/protobuf  
-cd protobuf  
-git checkout v3.6.1  
-git submodule update --init --recursive  
-./autogen.sh  
-./configure  
-make  
-make check  
-sudo make install  
-
-# Dependencies for regenerating test modules
-
-## WAVM binaries if you want to rebuild the c++ WebAssembly tests
-
-git clone git@github.com:WAVM/WAVM.git  
-cd WAVM  
-cmake "."  
-make  
-sudo make install  
-
-Note: ensure /usr/local/bin is in your path
-
-## rust if you want to use it or rebuild the rust WebAssembly tests
-
-curl https://sh.rustup.rs -sSf | sh
-
-# Building
+# Building in WebAssembly support
 
 Building with WebAssembly support requires enabling one or more WebAssembly runtime via the "wasm" define:
 

api/bazel/api_build_system.bzl

@@ -23,13 +23,13 @@ def _LibrarySuffix(library_name, suffix):
 # TODO(htuch): Convert this to native py_proto_library once
 # https://github.com/bazelbuild/bazel/issues/3935 and/or
 # https://github.com/bazelbuild/bazel/issues/2626 are resolved.
-def api_py_proto_library(name, srcs = [], deps = [], has_services = 0):
+def api_py_proto_library(name, srcs = [], deps = [], external_py_proto_deps = [], has_services = 0):
     _py_proto_library(
         name = _Suffix(name, _PY_SUFFIX),
         srcs = srcs,
         default_runtime = "@com_google_protobuf//:protobuf_python",
         protoc = "@com_google_protobuf//:protoc",
-        deps = [_LibrarySuffix(d, _PY_SUFFIX) for d in deps] + [
+        deps = [_LibrarySuffix(d, _PY_SUFFIX) for d in deps] + external_py_proto_deps + [
             "@com_envoyproxy_protoc_gen_validate//validate:validate_py",
             "@com_google_googleapis//google/rpc:status_py_proto",
             "@com_google_googleapis//google/api:annotations_py_proto",
@@ -116,6 +116,7 @@ def api_proto_library(
         deps = [],
         external_proto_deps = [],
         external_cc_proto_deps = [],
+        external_py_proto_deps = [],
         has_services = 0,
         linkstatic = None,
         require_py = 1):
@@ -152,7 +153,7 @@ def api_proto_library(
     )
     py_export_suffixes = []
     if (require_py == 1):
-        api_py_proto_library(name, srcs, deps, has_services)
+        api_py_proto_library(name, srcs, deps, external_py_proto_deps, has_services)
         py_export_suffixes = ["_py", "_py_genproto"]
 
     # Allow unlimited visibility for consumers

api/envoy/admin/v2alpha/server_info.proto

@@ -53,8 +53,11 @@ message CommandLineOptions {
   // See :option:`--config-yaml` for details.
   string config_yaml = 4;
 
-  // See :option:`--allow-unknown-fields` for details.
-  bool allow_unknown_fields = 5;
+  // See :option:`--allow-unknown-static-fields` for details.
+  bool allow_unknown_static_fields = 5;
+
+  // See :option:`--reject-unknown-dynamic-fields` for details.
+  bool reject_unknown_dynamic_fields = 26;
 
   // See :option:`--admin-address-path` for details.
   string admin_address_path = 6;

api/envoy/api/v2/cds.proto

@@ -236,8 +236,8 @@ message Cluster {
 
   reserved 12;
 
-  // Additional options when handling HTTP requests. These options will be applicable to both
-  // HTTP1 and HTTP2 requests.
+  // Additional options when handling HTTP requests upstream. These options will be applicable to
+  // both HTTP1 and HTTP2 requests.
   core.HttpProtocolOptions common_http_protocol_options = 29;
 
   // Additional options when handling HTTP1 requests.

api/envoy/api/v2/core/config_source.proto

@@ -65,6 +65,9 @@ message ApiConfigSource {
   // For GRPC APIs, the rate limit settings. If present, discovery requests made by Envoy will be
   // rate limited.
   RateLimitSettings rate_limit_settings = 6;
+
+  // Skip the node identifier in subsequent discovery requests for streaming gRPC config types.
+  bool set_node_on_first_message_only = 7;
 }
 
 // Aggregated Discovery Service (ADS) options. This is currently empty, but when

api/envoy/api/v2/core/protocol.proto

@@ -23,11 +23,19 @@ message TcpProtocolOptions {
 }
 
 message HttpProtocolOptions {
-  // The idle timeout for upstream connection pool connections. The idle timeout is defined as the
+  // The idle timeout for connections. The idle timeout is defined as the
   // period in which there are no active requests. If not set, there is no idle timeout. When the
-  // idle timeout is reached the connection will be closed. Note that request based timeouts mean
-  // that HTTP/2 PINGs will not keep the connection alive.
+  // idle timeout is reached the connection will be closed. If the connection is an HTTP/2
+  // downstream connection a drain sequence will occur prior to closing the connection, see
+  // :ref:`drain_timeout
+  // <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.drain_timeout>`.
+  // Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive.
   google.protobuf.Duration idle_timeout = 1 [(gogoproto.stdduration) = true];
+
+  // The maximum number of headers. If unconfigured, the default
+  // maximum number of request headers allowed is 100. Requests that exceed this limit will receive
+  // a 431 response for HTTP/1.x and cause a stream reset for HTTP/2.
+  google.protobuf.UInt32Value max_headers_count = 2 [(validate.rules).uint32 = {gte: 1}];
 }
 
 message Http1ProtocolOptions {

api/envoy/api/v2/route/route.proto

@@ -562,7 +562,8 @@ message RouteAction {
 
   // Specifies the upstream timeout for the route. If not specified, the default is 15s. This
   // spans between the point at which the entire downstream request (i.e. end-of-stream) has been
-  // processed and when the upstream response has been completely processed.
+  // processed and when the upstream response has been completely processed. A value of 0 will
+  // disable the route's timeout.
   //
   // .. note::
   //

api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto

@@ -25,7 +25,7 @@ import "gogoproto/gogo.proto";
 // [#protodoc-title: HTTP connection manager]
 // HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
 
-// [#comment:next free field: 34]
+// [#comment:next free field: 36]
 message HttpConnectionManager {
   enum CodecType {
     option (gogoproto.goproto_enum_prefix) = false;
@@ -134,6 +134,10 @@ message HttpConnectionManager {
   // <envoy_api_msg_config.trace.v2.Tracing>`.
   Tracing tracing = 7;
 
+  // Additional settings for HTTP requests handled by the connection manager. These will be
+  // applicable to both HTTP1 and HTTP2 requests.
+  envoy.api.v2.core.HttpProtocolOptions common_http_protocol_options = 35;
+
   // Additional HTTP/1 settings that are passed to the HTTP/1 codec.
   envoy.api.v2.core.Http1ProtocolOptions http_protocol_options = 8;
 
@@ -156,10 +160,11 @@ message HttpConnectionManager {
   // idle timeout is defined as the period in which there are no active
   // requests. If not set, there is no idle timeout. When the idle timeout is
   // reached the connection will be closed. If the connection is an HTTP/2
-  // connection a drain sequence will occur prior to closing the connection. See
-  // :ref:`drain_timeout
-  // <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.drain_timeout>`.
-  google.protobuf.Duration idle_timeout = 11 [(gogoproto.stdduration) = true];
+  // connection a drain sequence will occur prior to closing the connection.
+  // This field is deprecated. Use :ref:`idle_timeout
+  // <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.common_http_protocol_options>`
+  // instead.
+  google.protobuf.Duration idle_timeout = 11 [(gogoproto.stdduration) = true, deprecated = true];
 
   // The stream idle timeout for connections managed by the connection manager.
   // If not specified, this defaults to 5 minutes. The default value was selected

api/envoy/config/filter/network/redis_proxy/v2/redis_proxy.proto

@@ -90,6 +90,29 @@ message RedisProxy {
     // this limit, then redirection will fail and the original redirection error will be passed
     // downstream unchanged. This limit defaults to 100.
     google.protobuf.UInt32Value max_upstream_unknown_connections = 6;
+
+    // ReadPolicy controls how Envoy routes read commands to Redis nodes. This is currently
+    // supported for Redis Cluster. All ReadPolicy settings except MASTER may return stale data
+    // because replication is asynchronous and requires some delay. You need to ensure that your
+    // application can tolerate stale data.
+    enum ReadPolicy {
+      // Default mode. Read from the current master node.
+      MASTER = 0;
+      // Read from the master, but if it is unavailable, read from replica nodes.
+      PREFER_MASTER = 1;
+      // Read from replica nodes. If multiple replica nodes are present within a shard, a random
+      // node is selected. Healthy nodes have precedent over unhealthy nodes.
+      REPLICA = 2;
+      // Read from the replica nodes (similar to REPLICA), but if all replicas are unavailable (not
+      // present or unhealthy), read from the master.
+      PREFER_REPLICA = 3;
+      // Read from any node of the cluster. A random node is selected among the master and replicas,
+      // healthy nodes have precedent over unhealthy nodes.
+      ANY = 4;
+    }
+
+    // Read policy. The default is to read from the master.
+    ReadPolicy read_policy = 7 [(validate.rules).enum.defined_only = true];
   }
 
   // Network settings for the connection pool to the upstream clusters.
@@ -210,4 +233,4 @@ message RedisProtocolOptions {
   // Upstream server password as defined by the `requirepass directive
   // <https://redis.io/topics/config>`_ in the server's configuration file.
   envoy.api.v2.core.DataSource auth_password = 1;
-}
+}

api/envoy/config/rbac/v2/BUILD

@@ -5,6 +5,15 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_go_proto_library", "api_prot
 api_proto_library_internal(
     name = "rbac",
     srcs = ["rbac.proto"],
+    external_cc_proto_deps = [
+        "@com_google_googleapis//google/api/expr/v1alpha1:syntax_cc_proto",
+    ],
+    external_proto_deps = [
+        "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto",
+    ],
+    external_py_proto_deps = [
+        "@com_google_googleapis//google/api/expr/v1alpha1:syntax_py_proto",
+    ],
     visibility = ["//visibility:public"],
     deps = [
         "//envoy/api/v2/core:address",
@@ -22,5 +31,6 @@ api_go_proto_library(
         "//envoy/api/v2/route:route_go_proto",
         "//envoy/type/matcher:metadata_go_proto",
         "//envoy/type/matcher:string_go_proto",
+        "@com_google_googleapis//google/api/expr/v1alpha1:cel_go_proto",
     ],
 )