sync from master.

.devcontainer/devcontainer.json

@@ -9,6 +9,7 @@
     "--security-opt=seccomp=unconfined",
     "--volume=${env:HOME}:${env:HOME}",
     "--volume=envoy-build:/build",
+    "--network=host",
     // Uncomment next line if you have devcontainer.env
     // "--env-file=.devcontainer/devcontainer.env"
   ],

CODEOWNERS

@@ -79,7 +79,7 @@ extensions/filters/common/original_src @snowp @klarose
 # omit_canary_hosts retry predicate
 /*/extensions/retry/host/omit_canary_hosts @sriduth @snowp
 # HTTP caching extension
-/*/extensions/filters/http/cache @toddmgreer @jmarantz
+/*/extensions/filters/http/cache @toddmgreer @jmarantz @penguingao @mpwarres @capoferro
 # aws_iam grpc credentials
 /*/extensions/grpc_credentials/aws_iam @lavignes @mattklein123 @tonya11en
 /*/extensions/common/aws @lavignes @mattklein123 @tonya11en

SECURITY.md

@@ -467,3 +467,4 @@ and security team to ensure they still qualify for inclusion on the list.
 | envoy-security@pinterest.com                          | Pinterest     | Yes      | 12/19       |
 | envoy-security@dropbox.com                            | Dropbox       | Yes      | 01/20       |
 | envoy-security-predisclosure@stripe.com               | Stripe        | Yes      | 01/20       |
+| envoy-security@squareup.com                           | Square        | Yes      | 05/21       |

api/API_VERSIONING.md

@@ -21,12 +21,12 @@ https://github.com/envoyproxy/envoy/issues/8416.
 
 In everyday discussion and GitHub labels, we refer to the `v2`, `v3`, `vN`, `...` APIs. This has a
 specific technical meaning. Any given message in the Envoy API, e.g. the `Bootstrap` at
-`envoy.config.bootstrap.v3.Boostrap`, will transitively reference a number of packages in the Envoy
+`envoy.config.bootstrap.v3.Bootstrap`, will transitively reference a number of packages in the Envoy
 API. These may be at `vN`, `v(N-1)`, etc. The Envoy API is technically a DAG of versioned package
 namespaces. When we talk about the `vN xDS API`, we really refer to the `N` of the root
 configuration resources (e.g. bootstrap, xDS resources such as `Cluster`). The
-v3 API bootstrap configuration is `envoy.config.bootstrap.v3.Boostrap`, even
-though it might might transitively reference `envoy.service.trace.v2`.
+v3 API bootstrap configuration is `envoy.config.bootstrap.v3.Bootstrap`, even
+though it might transitively reference `envoy.service.trace.v2`.
 
 # Backwards compatibility
 

api/STYLE.md

@@ -34,6 +34,11 @@ In addition, the following conventions should be followed:
   implementation. These indicate that the entity is not implemented in Envoy and the entity
   should be hidden from the Envoy documentation.
 
+* Use a `[#alpha:]` annotation in comments for messages that are considered alpha
+  and are not subject to the threat model. This is similar to the work-in-progress/alpha tagging
+  of extensions described below, but allows tagging messages that are used as part of the core API
+  as alpha without having to break it into its own file.
+
 * Always use plural field names for `repeated` fields, such as `filters`.
 
 * Due to the fact that we consider JSON/YAML to be first class inputs, we cannot easily change a
@@ -225,7 +230,7 @@ xDS APIs:
   breaking changes where there is no substantial gain in functionality,
   performance, security or implementation simplification. We will tolerate
   technical debt in the API itself, e.g. in the form of vestigial deprecated
-  fields or reduced ergnomics (such as not using `oneof` when we would prefer
+  fields or reduced ergonomics (such as not using `oneof` when we would prefer
   to), in order to meet this principle.
 
 * Namespaces for extensions, metadata, etc. use a reverse DNS naming scheme,

api/envoy/config/common/matcher/v3/matcher.proto

@@ -22,7 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // As an on_no_match might result in another matching tree being evaluated, this process
 // might repeat several times until the final OnMatch (or no match) is decided.
 //
-// This API is a work in progress.
+// [#alpha:]
 message Matcher {
   // What to do if a match is successful.
   message OnMatch {

api/envoy/extensions/common/matching/v3/extension_matcher.proto

@@ -18,6 +18,8 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // Wrapper around an existing extension that provides an associated matcher. This allows
 // decorating an existing extension with a matcher, which can be used to match against
 // relevant protocol data.
+//
+// [#alpha:]
 message ExtensionWithMatcher {
   // The associated matcher.
   config.common.matcher.v3.Matcher matcher = 1 [(validate.rules).message = {required: true}];

api/envoy/extensions/filters/http/composite/v3/composite.proto

@@ -26,6 +26,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // :ref:`ExecuteFilterAction <envoy_v3_api_msg_extensions.filters.http.composite.v3.ExecuteFilterAction>`)
 // which filter configuration to create and delegate to.
 //
+// [#alpha:]
 message Composite {
 }
 

api/envoy/extensions/transport_sockets/tls/v3/common.proto

@@ -51,10 +51,12 @@ message TlsParameters {
 
   // If specified, the TLS listener will only support the specified `cipher list
   // <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
-  // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not
-  // specified, the default list will be used.
+  // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).
   //
-  // In non-FIPS builds, the default cipher list is:
+  // If not specified, a default list will be used. Defaults are different for server (downstream) and
+  // client (upstream) TLS configurations.
+  //
+  // In non-FIPS builds, the default server cipher list is:
   //
   // .. code-block:: none
   //
@@ -71,7 +73,7 @@ message TlsParameters {
   //   AES256-GCM-SHA384
   //   AES256-SHA
   //
-  // In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default cipher list is:
+  // In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default server cipher list is:
   //
   // .. code-block:: none
   //
@@ -87,6 +89,24 @@ message TlsParameters {
   //   ECDHE-RSA-AES256-SHA
   //   AES256-GCM-SHA384
   //   AES256-SHA
+  //
+  // In non-FIPS builds, the default client cipher list is:
+  //
+  // .. code-block:: none
+  //
+  //   [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
+  //   [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
+  //   ECDHE-ECDSA-AES256-GCM-SHA384
+  //   ECDHE-RSA-AES256-GCM-SHA384
+  //
+  // In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default client cipher list is:
+  //
+  // .. code-block:: none
+  //
+  //   ECDHE-ECDSA-AES128-GCM-SHA256
+  //   ECDHE-RSA-AES128-GCM-SHA256
+  //   ECDHE-ECDSA-AES256-GCM-SHA384
+  //   ECDHE-RSA-AES256-GCM-SHA384
   repeated string cipher_suites = 3;
 
   // If specified, the TLS connection will only support the specified ECDH

bazel/external/wee8.genrule_cmd

@@ -33,7 +33,7 @@ if [[ ( $${SYSTEM} == "Darwin" && $${CXX-} == "" ) || $${CXX-} == *clang* ]]; th
   export IS_CLANG=true
   export CC=$${CC:-clang}
   export CXX=$${CXX:-clang++}
-  export CXXFLAGS="$${CXXFLAGS} -Wno-implicit-int-float-conversion -Wno-builtin-assume-aligned-alignment -Wno-final-dtor-non-final-class"
+  export CXXFLAGS="$${CXXFLAGS} -Wno-implicit-int-float-conversion -Wno-builtin-assume-aligned-alignment -Wno-final-dtor-non-final-class -Wno-invalid-constexpr"
 else
   export IS_CLANG=false
   export CC=$${CC:-gcc}

bazel/external/wee8.patch

@@ -1,9 +1,9 @@
 # 1. Fix linking with unbundled toolchain on macOS.
 # 2. Increase VSZ limit to 64 TiB (allows us to start up to 6,553 VMs).
-# 3. Fix building and linking with MSAN.
+# 3. Fix linking with MSAN.
 --- wee8/build/toolchain/gcc_toolchain.gni
 +++ wee8/build/toolchain/gcc_toolchain.gni
-@@ -348,6 +348,8 @@ template("gcc_toolchain") {
+@@ -376,6 +376,8 @@ template("gcc_toolchain") {
          # AIX does not support either -D (deterministic output) or response
          # files.
          command = "$ar -X64 {{arflags}} -r -c -s {{output}} {{inputs}}"
@@ -12,7 +12,7 @@
        } else {
          rspfile = "{{output}}.rsp"
          rspfile_content = "{{inputs}}"
-@@ -543,7 +545,7 @@ template("gcc_toolchain") {
+@@ -565,7 +567,7 @@ template("gcc_toolchain") {
 
        start_group_flag = ""
        end_group_flag = ""
@@ -23,9 +23,9 @@
          end_group_flag = "-Wl,--end-group "
 --- wee8/src/objects/backing-store.cc
 +++ wee8/src/objects/backing-store.cc
-@@ -34,7 +34,7 @@ constexpr bool kUseGuardRegions = false;
- // address space limits needs to be smaller.
- constexpr size_t kAddressSpaceLimit = 0x8000000000L;  // 512 GiB
+@@ -53,7 +53,7 @@ constexpr size_t kAddressSpaceLimit = 0x8000000000L;  // 512 GiB
+ // RISC-V64 has a user space of 256GB on the Sv39 scheme.
+ constexpr size_t kAddressSpaceLimit = 0x4000000000L;  // 256 GiB
  #elif V8_TARGET_ARCH_64_BIT
 -constexpr size_t kAddressSpaceLimit = 0x10100000000L;  // 1 TiB + 4 GiB
 +constexpr size_t kAddressSpaceLimit = 0x400100000000L; // 64 TiB + 4 GiB
@@ -34,7 +34,7 @@
  #endif
 --- wee8/build/config/sanitizers/sanitizers.gni
 +++ wee8/build/config/sanitizers/sanitizers.gni
-@@ -150,7 +150,7 @@ if (!is_a_target_toolchain) {
+@@ -153,7 +153,7 @@ if (!is_a_target_toolchain) {
  # standard system libraries. We have instrumented system libraries for msan,
  # which requires them to prevent false positives.
  # TODO(thakis): Maybe remove this variable.
@@ -43,7 +43,7 @@
 
  # Whether we are doing a fuzzer build. Normally this should be checked instead
  # of checking "use_libfuzzer || use_afl" because often developers forget to
-@@ -198,8 +198,7 @@ assert(!using_sanitizer || is_clang,
+@@ -202,8 +202,7 @@ assert(!using_sanitizer || is_clang,
  assert(!is_cfi || is_clang,
         "is_cfi requires setting is_clang = true in 'gn args'")
 
@@ -53,17 +53,3 @@
 
  if (use_libfuzzer && (is_linux || is_chromeos)) {
    if (is_asan) {
---- wee8/build/config/compiler/BUILD.gn
-+++ wee8/build/config/compiler/BUILD.gn
-@@ -736,11 +736,6 @@ config("compiler") {
-     cflags += [ "-fcomplete-member-pointers" ]
-   }
-
--  # TODO(crbug/1185183): Remove after next clang roll
--  if (is_clang && !is_nacl && is_linux && is_msan) {
--    cflags += [ "-flegacy-pass-manager" ]
--  }
--
-   # Pass the same C/C++ flags to the objective C/C++ compiler.
-   cflags_objc += cflags_c
-   cflags_objcc += cflags_cc

bazel/repository_locations.bzl

@@ -768,14 +768,14 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "V8",
         project_desc = "Google’s open source high-performance JavaScript and WebAssembly engine, written in C++",
         project_url = "https://v8.dev",
-        version = "9.1.269.18",
+        version = "9.2.230.2",
         # This archive was created using https://storage.googleapis.com/envoyproxy-wee8/wee8-archive.sh
         # and contains complete checkout of V8 with all dependencies necessary to build wee8.
-        sha256 = "3c4f0827f38b49c11a8a3a20cf897ce14dc8a7a7b999f8b0ee913211c6ab3d8b",
+        sha256 = "237b9816ee56ad9b86e12e082132d88c543be494385f9bf9797af2a415c05f56",
         urls = ["https://storage.googleapis.com/envoyproxy-wee8/wee8-{version}.tar.gz"],
         use_category = ["dataplane_ext"],
         extensions = ["envoy.wasm.runtime.v8"],
-        release_date = "2021-04-27",
+        release_date = "2021-05-20",
         cpe = "cpe:2.3:a:google:v8:*",
     ),
     com_googlesource_quiche = dict(

configs/requirements.txt

@@ -1,38 +1,38 @@
-Jinja2==3.0.0 \
-    --hash=sha256:2f2de5285cf37f33d33ecd4a9080b75c87cd0c1994d5a9c6df17131ea1f049c6 \
-    --hash=sha256:ea8d7dd814ce9df6de6a761ec7f1cac98afe305b8cdc4aaae4e114b8d8ce24c5
-MarkupSafe==2.0.0 \
-    --hash=sha256:2efaeb1baff547063bad2b2893a8f5e9c459c4624e1a96644bbba08910ae34e0 \
-    --hash=sha256:441ce2a8c17683d97e06447fcbccbdb057cbf587c78eb75ae43ea7858042fe2c \
-    --hash=sha256:45535241baa0fc0ba2a43961a1ac7562ca3257f46c4c3e9c0de38b722be41bd1 \
-    --hash=sha256:90053234a6479738fd40d155268af631c7fca33365f964f2208867da1349294b \
-    --hash=sha256:3b54a9c68995ef4164567e2cd1a5e16db5dac30b2a50c39c82db8d4afaf14f63 \
-    --hash=sha256:f58b5ba13a5689ca8317b98439fccfbcc673acaaf8241c1869ceea40f5d585bf \
-    --hash=sha256:a00dce2d96587651ef4fa192c17e039e8cfab63087c67e7d263a5533c7dad715 \
-    --hash=sha256:007dc055dbce5b1104876acee177dbfd18757e19d562cd440182e1f492e96b95 \
-    --hash=sha256:a08cd07d3c3c17cd33d9e66ea9dee8f8fc1c48e2d11bd88fd2dc515a602c709b \
-    --hash=sha256:3c352ff634e289061711608f5e474ec38dbaa21e3e168820d53d5f4015e5b91b \
-    --hash=sha256:32200f562daaab472921a11cbb63780f1654552ae49518196fc361ed8e12e901 \
-    --hash=sha256:fef86115fdad7ae774720d7103aa776144cf9b66673b4afa9bcaa7af990ed07b \
-    --hash=sha256:e79212d09fc0e224d20b43ad44bb0a0a3416d1e04cf6b45fed265114a5d43d20 \
-    --hash=sha256:79b2ae94fa991be023832e6bcc00f41dbc8e5fe9d997a02db965831402551730 \
-    --hash=sha256:3261fae28155e5c8634dd7710635fe540a05b58f160cef7713c7700cb9980e66 \
-    --hash=sha256:e4570d16f88c7f3032ed909dc9e905a17da14a1c4cfd92608e3fda4cb1208bbd \
-    --hash=sha256:8f806bfd0f218477d7c46a11d3e52dc7f5fdfaa981b18202b7dc84bbc287463b \
-    --hash=sha256:e77e4b983e2441aff0c0d07ee711110c106b625f440292dfe02a2f60c8218bd6 \
-    --hash=sha256:031bf79a27d1c42f69c276d6221172417b47cb4b31cdc73d362a9bf5a1889b9f \
-    --hash=sha256:83cf0228b2f694dcdba1374d5312f2277269d798e65f40344964f642935feac1 \
-    --hash=sha256:4cc563836f13c57f1473bc02d1e01fc37bab70ad4ee6be297d58c1d66bc819bf \
-    --hash=sha256:d00a669e4a5bec3ee6dbeeeedd82a405ced19f8aeefb109a012ea88a45afff96 \
-    --hash=sha256:161d575fa49395860b75da5135162481768b11208490d5a2143ae6785123e77d \
-    --hash=sha256:58bc9fce3e1557d463ef5cee05391a05745fd95ed660f23c1742c711712c0abb \
-    --hash=sha256:3fb47f97f1d338b943126e90b79cad50d4fcfa0b80637b5a9f468941dbbd9ce5 \
-    --hash=sha256:dab0c685f21f4a6c95bfc2afd1e7eae0033b403dd3d8c1b6d13a652ada75b348 \
-    --hash=sha256:664832fb88b8162268928df233f4b12a144a0c78b01d38b81bdcf0fc96668ecb \
-    --hash=sha256:df561f65049ed3556e5b52541669310e88713fdae2934845ec3606f283337958 \
-    --hash=sha256:24bbc3507fb6dfff663af7900a631f2aca90d5a445f272db5fc84999fa5718bc \
-    --hash=sha256:87de598edfa2230ff274c4de7fcf24c73ffd96208c8e1912d5d0fee459767d75 \
-    --hash=sha256:a19d39b02a24d3082856a5b06490b714a9d4179321225bbf22809ff1e1887cc8 \
-    --hash=sha256:4aca81a687975b35e3e80bcf9aa93fe10cd57fac37bf18b2314c186095f57e05 \
-    --hash=sha256:70820a1c96311e02449591cbdf5cd1c6a34d5194d5b55094ab725364375c9eb2 \
-    --hash=sha256:4fae0677f712ee090721d8b17f412f1cbceefbf0dc180fe91bab3232f38b4527
+Jinja2==3.0.1 \
+    --hash=sha256:1f06f2da51e7b56b8f238affdd6b4e2c61e39598a378cc49345bc1bd42a978a4 \
+    --hash=sha256:703f484b47a6af502e743c9122595cc812b0271f661722403114f71a79d0f5a4
+MarkupSafe==2.0.1 \
+    --hash=sha256:f9081981fe268bd86831e5c75f7de206ef275defcb82bc70740ae6dc507aee51 \
+    --hash=sha256:0955295dd5eec6cb6cc2fe1698f4c6d84af2e92de33fbcac4111913cd100a6ff \
+    --hash=sha256:0446679737af14f45767963a1a9ef7620189912317d095f2d9ffa183a4d25d2b \
+    --hash=sha256:f826e31d18b516f653fe296d967d700fddad5901ae07c622bb3705955e1faa94 \
+    --hash=sha256:fa130dd50c57d53368c9d59395cb5526eda596d3ffe36666cd81a44d56e48872 \
+    --hash=sha256:905fec760bd2fa1388bb5b489ee8ee5f7291d692638ea5f67982d968366bef9f \
+    --hash=sha256:6c4ca60fa24e85fe25b912b01e62cb969d69a23a5d5867682dd3e80b5b02581d \
+    --hash=sha256:b2f4bf27480f5e5e8ce285a8c8fd176c0b03e93dcc6646477d4630e83440c6a9 \
+    --hash=sha256:0717a7390a68be14b8c793ba258e075c6f4ca819f15edfc2a3a027c823718567 \
+    --hash=sha256:6557b31b5e2c9ddf0de32a691f2312a32f77cd7681d8af66c2692efdbef84c18 \
+    --hash=sha256:49e3ceeabbfb9d66c3aef5af3a60cc43b85c33df25ce03d0031a608b0a8b2e3f \
+    --hash=sha256:d7f9850398e85aba693bb640262d3611788b1f29a79f0c93c565694658f4071f \
+    --hash=sha256:6a7fae0dd14cf60ad5ff42baa2e95727c3d81ded453457771d02b7d2b3f9c0c2 \
+    --hash=sha256:b7f2d075102dc8c794cbde1947378051c4e5180d52d276987b8d28a3bd58c17d \
+    --hash=sha256:a30e67a65b53ea0a5e62fe23682cfe22712e01f453b95233b25502f7c61cb415 \
+    --hash=sha256:611d1ad9a4288cf3e3c16014564df047fe08410e628f89805e475368bd304914 \
+    --hash=sha256:be98f628055368795d818ebf93da628541e10b75b41c559fdf36d104c5787066 \
+    --hash=sha256:1d609f577dc6e1aa17d746f8bd3c31aa4d258f4070d61b2aa5c4166c1539de35 \
+    --hash=sha256:7d91275b0245b1da4d4cfa07e0faedd5b0812efc15b702576d103293e252af1b \
+    --hash=sha256:01a9b8ea66f1658938f65b93a85ebe8bc016e6769611be228d797c9d998dd298 \
+    --hash=sha256:47ab1e7b91c098ab893b828deafa1203de86d0bc6ab587b160f78fe6c4011f75 \
+    --hash=sha256:97383d78eb34da7e1fa37dd273c20ad4320929af65d156e35a5e2d89566d9dfb \
+    --hash=sha256:023cb26ec21ece8dc3907c0e8320058b2e0cb3c55cf9564da612bc325bed5e64 \
+    --hash=sha256:984d76483eb32f1bcb536dc27e4ad56bba4baa70be32fa87152832cdd9db0833 \
+    --hash=sha256:2ef54abee730b502252bcdf31b10dacb0a416229b72c18b19e24a4509f273d26 \
+    --hash=sha256:3c112550557578c26af18a1ccc9e090bfe03832ae994343cfdacd287db6a6ae7 \
+    --hash=sha256:53edb4da6925ad13c07b6d26c2a852bd81e364f95301c66e930ab2aef5b5ddd8 \
+    --hash=sha256:f5653a225f31e113b152e56f154ccbe59eeb1c7487b39b9d9f9cdb58e6c79dc5 \
+    --hash=sha256:4efca8f86c54b22348a5467704e3fec767b2db12fc39c6d963168ab1d3fc9135 \
+    --hash=sha256:ab3ef638ace319fa26553db0624c4699e31a28bb2a835c5faca8f8acf6a5a902 \
+    --hash=sha256:f8ba0e8349a38d3001fae7eadded3f6606f0da5d748ee53cc1dab1d6527b9509 \
+    --hash=sha256:10f82115e21dc0dfec9ab5c0223652f7197feb168c940f3ef61563fc2d6beb74 \
+    --hash=sha256:693ce3f9e70a6cf7d2fb9e6c9d8b204b6b39897a2c4a1aa65728d5ac97dcc1d8 \
+    --hash=sha256:594c67807fb16238b30c44bdf74f36c02cdf22d1c8cda91ef8a0ed8dabf5620a