diff --git a/bazel/external/googleurl.patch b/bazel/external/googleurl.patch index cb5292f4ae800..e124821f9acee 100644 --- a/bazel/external/googleurl.patch +++ b/bazel/external/googleurl.patch @@ -56,107 +56,34 @@ index 0cd36dc..8c4cbd4 100644 # https://github.com/envoyproxy/envoy/issues/14743. diff --git a/url/BUILD b/url/BUILD -index f2ec8da..714f90e 100644 +index f2ec8da..4e2d55b 100644 --- a/url/BUILD 
+++ b/url/BUILD -@@ -7,7 +7,6 @@ load("@rules_cc//cc:defs.bzl", "cc_library") - cc_library( - name = "url", - srcs = [ -- "gurl.cc", - "third_party/mozilla/url_parse.cc", - "url_canon.cc", - "url_canon_etc.cc", -@@ -26,17 +25,14 @@ cc_library( - "url_canon_stdstring.cc", - "url_canon_stdurl.cc", - "url_constants.cc", -- "url_idna_icu.cc", - "url_parse_file.cc", - "url_parse_internal.h", - "url_util.cc", - "url_util_internal.h", - ], - hdrs = [ -- "gurl.h", - "third_party/mozilla/url_parse.h", - "url_canon.h", -- "url_canon_icu.h", - "url_canon_ip.h", - "url_canon_stdstring.h", - "url_constants.h", -@@ -44,11 +40,10 @@ cc_library( - "url_util.h", - ], - copts = build_config.default_copts, -- linkopts = build_config.url_linkopts, - visibility = ["//visibility:public"], - deps = [ - "//base", - "//base/strings", +@@ -52,3 +52,27 @@ cc_library( "//polyfills", -- ] + build_config.icuuc_deps, -+ ] + ] + build_config.icuuc_deps, ) -diff --git a/url/url_canon_host.cc b/url/url_canon_host.cc -index 28a7c38..dd18acf 100644 ---- a/url/url_canon_host.cc -+++ b/url/url_canon_host.cc -@@ -175,55 +175,7 @@ bool DoSimpleHost(const INCHAR* host, - - // Canonicalizes a host that requires IDN conversion. Returns true on success - bool DoIDNHost(const gurl_base::char16* src, int src_len, CanonOutput* output) { -- int original_output_len = output->length(); // So we can rewind below. -- -- // We need to escape URL before doing IDN conversion, since punicode strings -- // cannot be escaped after they are created. -- RawCanonOutputW url_escaped_host; -- bool has_non_ascii; -- DoSimpleHost(src, src_len, &url_escaped_host, &has_non_ascii); -- if (url_escaped_host.length() > kMaxHostBufferLength) { -- AppendInvalidNarrowString(src, 0, src_len, output); -- return false; -- } -- -- StackBufferW wide_output; -- if (!IDNToASCII(url_escaped_host.data(), -- url_escaped_host.length(), -- &wide_output)) { -- // Some error, give up. 
This will write some reasonable looking -- // representation of the string to the output. -- AppendInvalidNarrowString(src, 0, src_len, output); -- return false; -- } -- -- // Now we check the ASCII output like a normal host. It will also handle -- // unescaping. Although we unescaped everything before this function call, if -- // somebody does %00 as fullwidth, ICU will convert this to ASCII. -- bool success = DoSimpleHost(wide_output.data(), -- wide_output.length(), -- output, &has_non_ascii); -- if (has_non_ascii) { -- // ICU generated something that DoSimpleHost didn't think looked like -- // ASCII. This is quite rare, but ICU might convert some characters to -- // percent signs which might generate new escape sequences which might in -- // turn be invalid. An example is U+FE6A "small percent" which ICU will -- // name prep into an ASCII percent and then we can interpret the following -- // characters as escaped characters. -- // -- // If DoSimpleHost didn't think the output was ASCII, just escape the -- // thing we gave ICU and give up. DoSimpleHost will have handled a further -- // level of escaping from ICU for simple ASCII cases (i.e. if ICU generates -- // a new escaped ASCII sequence like "%41" we'll unescape it) but it won't -- // do more (like handle escaped non-ASCII sequences). 
Handling the escaped -- // ASCII isn't strictly necessary, but DoSimpleHost handles this case -- // anyway so we handle it/ -- output->set_length(original_output_len); -- AppendInvalidNarrowString(wide_output.data(), 0, wide_output.length(), -- output); -- return false; -- } -- return success; -+ return false; - } - - // 8-bit convert host to its ASCII version: this converts the UTF-8 input to - ++ ++cc_library( ++ name = "envoy_url", ++ srcs = [ ++ "url_canon.cc", ++ "url_canon_internal.cc", ++ "url_canon_path.cc", ++ "url_canon_stdstring.cc", ++ ], ++ hdrs = [ ++ "third_party/mozilla/url_parse.h", ++ "url_canon.h", ++ "url_canon_internal.h", ++ "url_canon_stdstring.h", ++ "url_parse_internal.h", ++ ], ++ copts = build_config.default_copts, ++ visibility = ["//visibility:public"], ++ deps = [ ++ "//base", ++ "//base/strings", ++ "//polyfills", ++ ] ++) diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl index 32c9eb4196cc8..fbee3008700c3 100644 --- a/bazel/repositories.bzl +++ b/bazel/repositories.bzl @@ -691,10 +691,6 @@ def _com_googlesource_googleurl(): patches = ["@envoy//bazel/external:googleurl.patch"], patch_args = ["-p1"], ) - native.bind( - name = "googleurl", - actual = "@com_googlesource_googleurl//url:url", - ) def _org_llvm_releases_compiler_rt(): external_http_archive( diff --git a/ci/do_ci.sh b/ci/do_ci.sh index b1bf689333348..52e03bf87e17f 100755 --- a/ci/do_ci.sh +++ b/ci/do_ci.sh @@ -450,7 +450,7 @@ elif [[ "$CI_TARGET" == "verify_examples" ]]; then export DOCKER_NO_PULL=1 umask 027 chmod -R o-rwx examples/ - ci/verify_examples.sh + ci/verify_examples.sh "*" wasm-cc exit 0 else echo "Invalid do_ci.sh target, see ci/README.md for valid targets." diff --git a/ci/verify_examples.sh b/ci/verify_examples.sh index 974e46b7ad898..8f78d54e1a297 100755 --- a/ci/verify_examples.sh +++ b/ci/verify_examples.sh 
@@ -1,10 +1,10 @@ #!/bin/bash -E TESTFILTER="${1:-*}" +TESTEXCLUDES="${2}" FAILED=() SRCDIR="${SRCDIR:-$(pwd)}" - trap_errors () { local frame=0 command line sub file if [[ -n "$example" ]]; then @@ -29,7 +29,7 @@ trap exit 1 INT run_examples () { local examples example cd "${SRCDIR}/examples" || exit 1 - examples=$(find . -mindepth 1 -maxdepth 1 -type d -name "$TESTFILTER" ! -iname "_*" | sort) + examples=$(find . -mindepth 1 -maxdepth 1 -type d -name "$TESTFILTER" ! -iname "_*" ! -name "$TESTEXCLUDES" | sort) for example in $examples; do pushd "$example" > /dev/null || return 1 ./verify.sh diff --git a/docs/root/intro/arch_overview/security/threat_model.rst b/docs/root/intro/arch_overview/security/threat_model.rst index f0e4713e672be..553550023f050 100644 --- a/docs/root/intro/arch_overview/security/threat_model.rst +++ b/docs/root/intro/arch_overview/security/threat_model.rst 
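Review bot: `TESTEXCLUDES="${2}"` has no default, so a run with zero or one argument makes the `find` test in `run_examples` (second hunk) `! -name ""`, which is harmless only because an empty pattern matches no directory name. Adding the test only when an exclude was given states the intent: `local excludes=()`, then `[[ -n "$TESTEXCLUDES" ]] && excludes=(! -name "$TESTEXCLUDES")`, and `"${excludes[@]}"` in place of `! -name "$TESTEXCLUDES"` in the `find` call. As written only a single pattern can be excluded, and the new second positional argument is undocumented; a usage comment next to `TESTFILTER` would cover both. The body of `run_examples` continues outside the hunk.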
@@ -56,16 +56,11 @@ Data and control plane ---------------------- We divide our threat model into data and control plane, reflecting the internal division in Envoy of -these concepts from an architectural perspective. Our highest priority in risk assessment is the -threat posed by untrusted downstream client traffic on the data plane. This reflects the use of -Envoy in an edge serving capacity and also the use of Envoy as an inbound destination in a service -mesh deployment. - -In addition, we have an evolving position towards any vulnerability that might be exploitable by -untrusted upstreams. We recognize that these constitute a serious security consideration, given the -use of Envoy as an egress proxy. We will activate the security release process for disclosures that -appear to present a risk profile that is significantly greater than the current Envoy upstream -hardening status quo. +these concepts from an architectural perspective. Envoy's core components are considered to be hardened +against both untrusted downstream and upstream peers. As such our highest priority in risk assessment is the +threat posed by untrusted downstream client or untrusted upstream server traffic on the data plane. This +reflects the use of Envoy in an edge serving capacity and also the use of Envoy as a networking component in a +service mesh deployment with unstrusted services. The control plane management server is generally trusted. We do not consider wire-level exploits against the xDS transport protocol to be a concern as a result. However, the configuration delivered diff --git a/source/common/http/BUILD b/source/common/http/BUILD index 44cb4ef68b76d..fe3b593396874 100644 --- a/source/common/http/BUILD +++ b/source/common/http/BUILD 
@@ -436,13 +436,13 @@ envoy_cc_library(
 hdrs = ["path_utility.h"],
 external_deps = [
 "abseil_optional",
- "googleurl",
 ],
 deps = [
 ":legacy_path_canonicalizer",
 "//include/envoy/http:header_map_interface",
 "//source/common/common:logger_lib",
 "//source/common/runtime:runtime_features_lib",
+ "@com_googlesource_googleurl//url:envoy_url",
 ],
 )