sync from master.

bazel/external/googleurl.patch

@@ -56,107 +56,34 @@ index 0cd36dc..8c4cbd4 100644
 # https://github.com/envoyproxy/envoy/issues/14743.
 
 diff --git a/url/BUILD b/url/BUILD
-index f2ec8da..714f90e 100644
+index f2ec8da..4e2d55b 100644
 --- a/url/BUILD
 +++ b/url/BUILD
-@@ -7,7 +7,6 @@ load("@rules_cc//cc:defs.bzl", "cc_library")
- cc_library(
-     name = "url",
-     srcs = [
--        "gurl.cc",
-         "third_party/mozilla/url_parse.cc",
-         "url_canon.cc",
-         "url_canon_etc.cc",
-@@ -26,17 +25,14 @@ cc_library(
-         "url_canon_stdstring.cc",
-         "url_canon_stdurl.cc",
-         "url_constants.cc",
--        "url_idna_icu.cc",
-         "url_parse_file.cc",
-         "url_parse_internal.h",
-         "url_util.cc",
-         "url_util_internal.h",
-     ],
-     hdrs = [
--        "gurl.h",
-         "third_party/mozilla/url_parse.h",
-         "url_canon.h",
--        "url_canon_icu.h",
-         "url_canon_ip.h",
-         "url_canon_stdstring.h",
-         "url_constants.h",
-@@ -44,11 +40,10 @@ cc_library(
-         "url_util.h",
-     ],
-     copts = build_config.default_copts,
--    linkopts = build_config.url_linkopts,
-     visibility = ["//visibility:public"],
-     deps = [
-         "//base",
-         "//base/strings",
+@@ -52,3 +52,27 @@ cc_library(
          "//polyfills",
--    ] + build_config.icuuc_deps,
-+    ]
+     ] + build_config.icuuc_deps,
  )
-diff --git a/url/url_canon_host.cc b/url/url_canon_host.cc
-index 28a7c38..dd18acf 100644
---- a/url/url_canon_host.cc
-+++ b/url/url_canon_host.cc
-@@ -175,55 +175,7 @@ bool DoSimpleHost(const INCHAR* host,
-
- // Canonicalizes a host that requires IDN conversion. Returns true on success
- bool DoIDNHost(const gurl_base::char16* src, int src_len, CanonOutput* output) {
--  int original_output_len = output->length();  // So we can rewind below.
--
--  // We need to escape URL before doing IDN conversion, since punicode strings
--  // cannot be escaped after they are created.
--  RawCanonOutputW<kTempHostBufferLen> url_escaped_host;
--  bool has_non_ascii;
--  DoSimpleHost(src, src_len, &url_escaped_host, &has_non_ascii);
--  if (url_escaped_host.length() > kMaxHostBufferLength) {
--    AppendInvalidNarrowString(src, 0, src_len, output);
--    return false;
--  }
--
--  StackBufferW wide_output;
--  if (!IDNToASCII(url_escaped_host.data(),
--                  url_escaped_host.length(),
--                  &wide_output)) {
--    // Some error, give up. This will write some reasonable looking
--    // representation of the string to the output.
--    AppendInvalidNarrowString(src, 0, src_len, output);
--    return false;
--  }
--
--  // Now we check the ASCII output like a normal host. It will also handle
--  // unescaping. Although we unescaped everything before this function call, if
--  // somebody does %00 as fullwidth, ICU will convert this to ASCII.
--  bool success = DoSimpleHost(wide_output.data(),
--                              wide_output.length(),
--                              output, &has_non_ascii);
--  if (has_non_ascii) {
--    // ICU generated something that DoSimpleHost didn't think looked like
--    // ASCII. This is quite rare, but ICU might convert some characters to
--    // percent signs which might generate new escape sequences which might in
--    // turn be invalid. An example is U+FE6A "small percent" which ICU will
--    // name prep into an ASCII percent and then we can interpret the following
--    // characters as escaped characters.
--    //
--    // If DoSimpleHost didn't think the output was ASCII, just escape the
--    // thing we gave ICU and give up. DoSimpleHost will have handled a further
--    // level of escaping from ICU for simple ASCII cases (i.e. if ICU generates
--    // a new escaped ASCII sequence like "%41" we'll unescape it) but it won't
--    // do more (like handle escaped non-ASCII sequences). Handling the escaped
--    // ASCII isn't strictly necessary, but DoSimpleHost handles this case
--    // anyway so we handle it/
--    output->set_length(original_output_len);
--    AppendInvalidNarrowString(wide_output.data(), 0, wide_output.length(),
--                              output);
--    return false;
--  }
--  return success;
-+  return false;
- }
-
- // 8-bit convert host to its ASCII version: this converts the UTF-8 input to
-
++
++cc_library(
++    name = "envoy_url",
++    srcs = [
++       "url_canon.cc",
++       "url_canon_internal.cc",
++       "url_canon_path.cc",
++       "url_canon_stdstring.cc",
++    ],
++    hdrs = [
++       "third_party/mozilla/url_parse.h",
++       "url_canon.h",
++       "url_canon_internal.h",
++       "url_canon_stdstring.h",
++       "url_parse_internal.h",
++    ],
++    copts = build_config.default_copts,
++    visibility = ["//visibility:public"],
++    deps = [
++       "//base",
++       "//base/strings",
++       "//polyfills",
++    ]
++)

bazel/repositories.bzl

@@ -691,10 +691,6 @@ def _com_googlesource_googleurl():
         patches = ["@envoy//bazel/external:googleurl.patch"],
         patch_args = ["-p1"],
     )
-    native.bind(
-        name = "googleurl",
-        actual = "@com_googlesource_googleurl//url:url",
-    )
 
 def _org_llvm_releases_compiler_rt():
     external_http_archive(

ci/do_ci.sh

@@ -450,7 +450,7 @@ elif [[ "$CI_TARGET" == "verify_examples" ]]; then
   export DOCKER_NO_PULL=1
   umask 027
   chmod -R o-rwx examples/
-  ci/verify_examples.sh
+  ci/verify_examples.sh "*" wasm-cc
   exit 0
 else
   echo "Invalid do_ci.sh target, see ci/README.md for valid targets."

ci/verify_examples.sh

@@ -1,10 +1,10 @@
 #!/bin/bash -E
 
 TESTFILTER="${1:-*}"
+TESTEXCLUDES="${2}"
 FAILED=()
 SRCDIR="${SRCDIR:-$(pwd)}"
 
-
 trap_errors () {
     local frame=0 command line sub file
     if [[ -n "$example" ]]; then
@@ -29,7 +29,7 @@ trap exit 1 INT
 run_examples () {
     local examples example
     cd "${SRCDIR}/examples" || exit 1
-    examples=$(find . -mindepth 1 -maxdepth 1 -type d -name "$TESTFILTER" ! -iname "_*" | sort)
+    examples=$(find . -mindepth 1 -maxdepth 1 -type d -name "$TESTFILTER" ! -iname "_*" ! -name "$TESTEXCLUDES" | sort)
     for example in $examples; do
         pushd "$example" > /dev/null || return 1
         ./verify.sh

docs/root/intro/arch_overview/security/threat_model.rst

@@ -56,16 +56,11 @@ Data and control plane
 ----------------------
 
 We divide our threat model into data and control plane, reflecting the internal division in Envoy of
-these concepts from an architectural perspective. Our highest priority in risk assessment is the
-threat posed by untrusted downstream client traffic on the data plane. This reflects the use of
-Envoy in an edge serving capacity and also the use of Envoy as an inbound destination in a service
-mesh deployment.
-
-In addition, we have an evolving position towards any vulnerability that might be exploitable by
-untrusted upstreams. We recognize that these constitute a serious security consideration, given the
-use of Envoy as an egress proxy. We will activate the security release process for disclosures that
-appear to present a risk profile that is significantly greater than the current Envoy upstream
-hardening status quo.
+these concepts from an architectural perspective. Envoy's core components are considered to be hardened
+against both untrusted downstream and upstream peers. As such our highest priority in risk assessment is the
+threat posed by untrusted downstream client or untrusted upstream server traffic on the data plane. This
+reflects the use of Envoy in an edge serving capacity and also the use of Envoy as a networking component in a
+service mesh deployment with unstrusted services.
 
 The control plane management server is generally trusted. We do not consider wire-level exploits
 against the xDS transport protocol to be a concern as a result. However, the configuration delivered

source/common/http/BUILD

@@ -436,13 +436,13 @@ envoy_cc_library(
     hdrs = ["path_utility.h"],
     external_deps = [
         "abseil_optional",
-        "googleurl",
     ],
     deps = [
         ":legacy_path_canonicalizer",
         "//include/envoy/http:header_map_interface",
         "//source/common/common:logger_lib",
         "//source/common/runtime:runtime_features_lib",
+        "@com_googlesource_googleurl//url:envoy_url",
     ],
 )