security: document threat model. (#8906)

* Add an explicit threat model to the end user facing docs, link to this from SECURITY.md

* Switch all Envoy extensions to use a new macro `envoy_cc_extension`, mandating that extensions declare a security posture. Extensions can also optionally declare `alpha` or `wip` status.

* Tag all documentation sites with their well-known Envoy names.

* Introduce tooling to automagically populate a list of known trusted/untrusted extensions in the threat model docs.

* Generate API docs for extensions that depend on `google.protobuf.Empty`. This pattern is deprecated as per #8933, but we need these for tooling support meanwhile.

This work was motivated by oss-fuzz issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18370

Signed-off-by: Harvey Tuch <[email protected]>

SECURITY.md

@@ -86,29 +86,11 @@ detect issues during their execution on ClusterFuzz. A soak period of 5 days pro
 guarantee, since we will invoke the security release process for medium or higher severity issues
 for these older bugs.
 
-### Confidentiality, integrity and availability
-
-We consider vulnerabilities leading to the compromise of data confidentiality or integrity to be our
-highest priority concerns. Availability, in particular in areas relating to DoS and resource
-exhaustion, is also a serious security concern for Envoy operators, in particular those utilizing
-Envoy in edge deployments.
-
-The Envoy availability stance around CPU and memory DoS, as well as Query-of-Death (QoD), is still
-evolving. We will continue to iterate and fix well known resource issues in the open, e.g. overload
-manager and watermark improvements. We will activate the security process for disclosures that
-appear to present a risk profile that is significantly greater than the current Envoy availability
-hardening status quo. Examples of disclosures that would elicit this response:
-* QoD; where a single query from a client can bring down an Envoy server.
-* Highly asymmetric resource exhaustion attacks, where very little traffic can cause resource
-  exhaustion, e.g. that delivered by a single client.
-
-Note that we do not currently consider the default settings for Envoy to be safe from an availability
-perspective. It is necessary for operators to explicitly configure watermarks, the overload manager,
-circuit breakers and other resource related features in Envoy to provide a robust availability
-story. We will not act on any security disclosure that relates to a lack of safe defaults. Over
-time, we will work towards improved safe-by-default configuration, but due to backwards
-compatibility and performance concerns, this will require following the breaking change deprecation
-policy.
+### Threat model
+
+See https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/threat_model.
+Vulnerabilities are evaluated against this threat model when deciding whether to activate the Envoy
+security release process.
 
 ### Fix Team Organization
 

api/docs/BUILD

@@ -56,11 +56,13 @@ proto_library(
         "//envoy/config/filter/network/ext_authz/v2:pkg",
         "//envoy/config/filter/network/http_connection_manager/v2:pkg",
         "//envoy/config/filter/network/mongo_proxy/v2:pkg",
+        "//envoy/config/filter/network/mysql_proxy/v1alpha1:pkg",
         "//envoy/config/filter/network/rate_limit/v2:pkg",
         "//envoy/config/filter/network/rbac/v2:pkg",
         "//envoy/config/filter/network/redis_proxy/v2:pkg",
         "//envoy/config/filter/network/tcp_proxy/v2:pkg",
         "//envoy/config/filter/network/thrift_proxy/v2alpha1:pkg",
+        "//envoy/config/filter/network/zookeeper_proxy/v1alpha1:pkg",
         "//envoy/config/filter/thrift/rate_limit/v2alpha1:pkg",
         "//envoy/config/filter/thrift/router/v2alpha1:pkg",
         "//envoy/config/grpc_credential/v2alpha:pkg",
@@ -72,6 +74,7 @@ proto_library(
         "//envoy/config/rbac/v2:pkg",
         "//envoy/config/resource_monitor/fixed_heap/v2alpha:pkg",
         "//envoy/config/resource_monitor/injected_resource/v2alpha:pkg",
+        "//envoy/config/retry/previous_priorities:pkg",
         "//envoy/config/trace/v2:pkg",
         "//envoy/config/transport_socket/alts/v2alpha:pkg",
         "//envoy/config/transport_socket/tap/v2alpha:pkg",

api/envoy/config/accesslog/v2/als.proto

@@ -19,6 +19,7 @@ import "validate/validate.proto";
 // :ref:`AccessLog <envoy_api_msg_config.filter.accesslog.v2.AccessLog>`. This configuration will
 // populate :ref:`StreamAccessLogsMessage.http_logs
 // <envoy_api_field_service.accesslog.v2.StreamAccessLogsMessage.http_logs>`.
+// [#extension: envoy.access_loggers.http_grpc]
 message HttpGrpcAccessLogConfig {
   CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
 
@@ -37,6 +38,7 @@ message HttpGrpcAccessLogConfig {
 
 // Configuration for the built-in *envoy.tcp_grpc_access_log* type. This configuration will
 // populate *StreamAccessLogsMessage.tcp_logs*.
+// [#extension: envoy.access_loggers.tcp_grpc]
 message TcpGrpcAccessLogConfig {
   CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
 }

api/envoy/config/accesslog/v2/file.proto

@@ -11,6 +11,7 @@ import "google/protobuf/struct.proto";
 import "validate/validate.proto";
 
 // [#protodoc-title: File access log]
+// [#extension: envoy.access_loggers.file]
 
 // Custom configuration for an :ref:`AccessLog <envoy_api_msg_config.filter.accesslog.v2.AccessLog>`
 // that writes log entries directly to a file. Configures the built-in *envoy.file_access_log*

api/envoy/config/accesslog/v3alpha/als.proto

@@ -19,6 +19,7 @@ import "validate/validate.proto";
 // :ref:`AccessLog <envoy_api_msg_config.filter.accesslog.v3alpha.AccessLog>`. This configuration
 // will populate :ref:`StreamAccessLogsMessage.http_logs
 // <envoy_api_field_service.accesslog.v3alpha.StreamAccessLogsMessage.http_logs>`.
+// [#extension: envoy.access_loggers.http_grpc]
 message HttpGrpcAccessLogConfig {
   CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
 
@@ -37,6 +38,7 @@ message HttpGrpcAccessLogConfig {
 
 // Configuration for the built-in *envoy.tcp_grpc_access_log* type. This configuration will
 // populate *StreamAccessLogsMessage.tcp_logs*.
+// [#extension: envoy.access_loggers.tcp_grpc]
 message TcpGrpcAccessLogConfig {
   CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
 }

api/envoy/config/accesslog/v3alpha/file.proto

@@ -11,6 +11,7 @@ import "google/protobuf/struct.proto";
 import "validate/validate.proto";
 
 // [#protodoc-title: File access log]
+// [#extension: envoy.access_loggers.file]
 
 // Custom configuration for an :ref:`AccessLog
 // <envoy_api_msg_config.filter.accesslog.v3alpha.AccessLog>` that writes log entries directly to a

api/envoy/config/cluster/dynamic_forward_proxy/v2alpha/cluster.proto

@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // Configuration for the dynamic forward proxy cluster. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
+// [#extension: envoy.clusters.dynamic_forward_proxy]
 message ClusterConfig {
   // The DNS cache configuration that the cluster will attach to. Note this configuration must
   // match that of associated :ref:`dynamic forward proxy HTTP filter configuration

api/envoy/config/cluster/dynamic_forward_proxy/v3alpha/cluster.proto

@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // Configuration for the dynamic forward proxy cluster. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
+// [#extension: envoy.clusters.dynamic_forward_proxy]
 message ClusterConfig {
   // The DNS cache configuration that the cluster will attach to. Note this configuration must
   // match that of associated :ref:`dynamic forward proxy HTTP filter configuration

api/envoy/config/cluster/redis/redis_cluster.proto

@@ -48,6 +48,7 @@ import "validate/validate.proto";
 //         cluster_refresh_timeout: 0.5s
 //         redirect_refresh_interval: 10s
 //         redirect_refresh_threshold: 10
+// [#extension: envoy.clusters.redis]
 
 message RedisClusterConfig {
   // Interval between successive topology refresh requests. If not set, this defaults to 5s.

api/envoy/config/filter/http/adaptive_concurrency/v2alpha/adaptive_concurrency.proto

@@ -18,6 +18,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Adaptive Concurrency]
 // Adaptive Concurrency Control :ref:`configuration overview
 // <config_http_filters_adaptive_concurrency>`.
+// [#extension: envoy.filters.http.adaptive_concurrency]
 
 // Configuration parameters for the gradient controller.
 message GradientControllerConfig {

api/envoy/config/filter/http/adaptive_concurrency/v3alpha/adaptive_concurrency.proto

@@ -18,6 +18,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Adaptive Concurrency]
 // Adaptive Concurrency Control :ref:`configuration overview
 // <config_http_filters_adaptive_concurrency>`.
+// [#extension: envoy.filters.http.adaptive_concurrency]
 
 // Configuration parameters for the gradient controller.
 message GradientControllerConfig {

api/envoy/config/filter/http/buffer/v2/buffer.proto

@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Buffer]
 // Buffer :ref:`configuration overview <config_http_filters_buffer>`.
+// [#extension: envoy.filters.http.buffer]
 
 message Buffer {
   reserved 2;

api/envoy/config/filter/http/csrf/v2/csrf.proto

@@ -13,6 +13,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: CSRF]
 // Cross-Site Request Forgery :ref:`configuration overview <config_http_filters_csrf>`.
+// [#extension: envoy.filters.http.csrf]
 
 // CSRF filter config.
 message CsrfPolicy {

api/envoy/config/filter/http/csrf/v3alpha/csrf.proto

@@ -13,6 +13,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: CSRF]
 // Cross-Site Request Forgery :ref:`configuration overview <config_http_filters_csrf>`.
+// [#extension: envoy.filters.http.csrf]
 
 // CSRF filter config.
 message CsrfPolicy {

api/envoy/config/filter/http/dynamic_forward_proxy/v2alpha/dynamic_forward_proxy.proto

@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // Configuration for the dynamic forward proxy HTTP filter. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
+// [#extension: envoy.filters.http.dynamic_forward_proxy]
 message FilterConfig {
   // The DNS cache configuration that the filter will attach to. Note this configuration must
   // match that of associated :ref:`dynamic forward proxy cluster configuration

api/envoy/config/filter/http/dynamic_forward_proxy/v3alpha/dynamic_forward_proxy.proto

@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // Configuration for the dynamic forward proxy HTTP filter. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
+// [#extension: envoy.filters.http.dynamic_forward_proxy]
 message FilterConfig {
   // The DNS cache configuration that the filter will attach to. Note this configuration must
   // match that of associated :ref:`dynamic forward proxy cluster configuration

api/envoy/config/filter/http/ext_authz/v2/ext_authz.proto

@@ -16,6 +16,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: External Authorization]
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
+// [#extension: envoy.filters.http.ext_authz]
 
 // [#next-free-field: 11]
 message ExtAuthz {

api/envoy/config/filter/http/ext_authz/v3alpha/ext_authz.proto

@@ -16,6 +16,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: External Authorization]
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
+// [#extension: envoy.filters.http.ext_authz]
 
 // [#next-free-field: 11]
 message ExtAuthz {

api/envoy/config/filter/http/fault/v2/fault.proto

@@ -16,6 +16,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Fault Injection]
 // Fault Injection :ref:`configuration overview <config_http_filters_fault_injection>`.
+// [#extension: envoy.filters.http.fault]
 
 message FaultAbort {
   reserved 1;

api/envoy/config/filter/http/fault/v3alpha/fault.proto

@@ -16,6 +16,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Fault Injection]
 // Fault Injection :ref:`configuration overview <config_http_filters_fault_injection>`.
+// [#extension: envoy.filters.http.fault]
 
 message FaultAbort {
   reserved 1;

api/envoy/config/filter/http/grpc_http1_reverse_bridge/v2alpha1/config.proto

@@ -11,6 +11,7 @@ import "validate/validate.proto";
 // [#protodoc-title: gRPC HTTP/1.1 Reverse Bridge]
 // gRPC HTTP/1.1 Reverse Bridge :ref:`configuration overview
 // <config_http_filters_grpc_http1_reverse_bridge>`.
+// [#extension: envoy.filters.http.grpc_http1_reverse_bridge]
 
 // gRPC reverse bridge filter configuration
 message FilterConfig {

api/envoy/config/filter/http/grpc_stats/v2alpha/config.proto

@@ -10,6 +10,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: gRPC statistics] gRPC statistics filter
 // :ref:`configuration overview <config_http_filters_grpc_stats>`.
+// [#extension: envoy.filters.http.grpc_stats]
 
 // gRPC statistics filter configuration
 message FilterConfig {

api/envoy/config/filter/http/gzip/v2/gzip.proto

@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Gzip]
 // Gzip :ref:`configuration overview <config_http_filters_gzip>`.
+// [#extension: envoy.filters.http.gzip]
 
 // [#next-free-field: 10]
 message Gzip {

api/envoy/config/filter/http/header_to_metadata/v2/header_to_metadata.proto

@@ -14,6 +14,7 @@ import "validate/validate.proto";
 // for matching load balancer subsets, logging, etc.
 //
 // Header to Metadata :ref:`configuration overview <config_http_filters_header_to_metadata>`.
+// [#extension: envoy.filters.http.header_to_metadata]
 
 message Config {
   enum ValueType {

api/envoy/config/filter/http/health_check/v2/health_check.proto

@@ -16,6 +16,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Health check]
 // Health check :ref:`configuration overview <config_http_filters_health_check>`.
+// [#extension: envoy.filters.http.health_check]
 
 // [#next-free-field: 6]
 message HealthCheck {

api/envoy/config/filter/http/health_check/v3alpha/health_check.proto

@@ -16,6 +16,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Health check]
 // Health check :ref:`configuration overview <config_http_filters_health_check>`.
+// [#extension: envoy.filters.http.health_check]
 
 // [#next-free-field: 6]
 message HealthCheck {

api/envoy/config/filter/http/ip_tagging/v2/ip_tagging.proto

@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: IP tagging]
 // IP tagging :ref:`configuration overview <config_http_filters_ip_tagging>`.
+// [#extension: envoy.filters.http.ip_tagging]
 
 message IPTagging {
   // The type of requests the filter should apply to. The supported types

api/envoy/config/filter/http/ip_tagging/v3alpha/ip_tagging.proto

@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: IP tagging]
 // IP tagging :ref:`configuration overview <config_http_filters_ip_tagging>`.
+// [#extension: envoy.filters.http.ip_tagging]
 
 message IPTagging {
   // The type of requests the filter should apply to. The supported types

api/envoy/config/filter/http/jwt_authn/v2alpha/config.proto

@@ -17,6 +17,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: JWT Authentication]
 // JWT Authentication :ref:`configuration overview <config_http_filters_jwt_authn>`.
+// [#extension: envoy.filters.http.jwt_authn]
 
 // Please see following for JWT authentication flow:
 //

api/envoy/config/filter/http/jwt_authn/v3alpha/config.proto

@@ -17,6 +17,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: JWT Authentication]
 // JWT Authentication :ref:`configuration overview <config_http_filters_jwt_authn>`.
+// [#extension: envoy.filters.http.jwt_authn]
 
 // Please see following for JWT authentication flow:
 //

api/envoy/config/filter/http/lua/v2/lua.proto

@@ -10,6 +10,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Lua]
 // Lua :ref:`configuration overview <config_http_filters_lua>`.
+// [#extension: envoy.filters.http.lua]
 
 message Lua {
   // The Lua code that Envoy will execute. This can be a very small script that

api/envoy/config/filter/http/original_src/v2alpha1/original_src.proto

@@ -14,6 +14,7 @@ import "validate/validate.proto";
 // The Original Src filter binds upstream connections to the original source address determined
 // for the request. This address could come from something like the Proxy Protocol filter, or it
 // could come from trusted http headers.
+// [#extension: envoy.filters.http.original_src]
 message OriginalSrc {
   // Sets the SO_MARK option on the upstream connection's socket to the provided value. Used to
   // ensure that non-local addresses may be routed back through envoy when binding to the original

api/envoy/config/filter/http/rate_limit/v2/rate_limit.proto

@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Rate limit]
 // Rate limit :ref:`configuration overview <config_http_filters_rate_limit>`.
+// [#extension: envoy.filters.http.ratelimit]
 
 // [#next-free-field: 8]
 message RateLimit {

api/envoy/config/filter/http/rate_limit/v3alpha/rate_limit.proto

@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Rate limit]
 // Rate limit :ref:`configuration overview <config_http_filters_rate_limit>`.
+// [#extension: envoy.filters.http.ratelimit]
 
 // [#next-free-field: 8]
 message RateLimit {

api/envoy/config/filter/http/rbac/v2/rbac.proto

@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: RBAC]
 // Role-Based Access Control :ref:`configuration overview <config_http_filters_rbac>`.
+// [#extension: envoy.filters.http.rbac]
 
 // RBAC filter config.
 message RBAC {

api/envoy/config/filter/http/rbac/v3alpha/rbac.proto

@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: RBAC]
 // Role-Based Access Control :ref:`configuration overview <config_http_filters_rbac>`.
+// [#extension: envoy.filters.http.rbac]
 
 // RBAC filter config.
 message RBAC {

api/envoy/config/filter/http/router/v2/router.proto

@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Router]
 // Router :ref:`configuration overview <config_http_filters_router>`.
+// [#extension: envoy.filters.http.router]
 
 // [#next-free-field: 7]
 message Router {

api/envoy/config/filter/http/router/v3alpha/router.proto

@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Router]
 // Router :ref:`configuration overview <config_http_filters_router>`.
+// [#extension: envoy.filters.http.router]
 
 // [#next-free-field: 7]
 message Router {

api/envoy/config/filter/http/squash/v2/squash.proto

@@ -13,6 +13,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Squash]
 // Squash :ref:`configuration overview <config_http_filters_squash>`.
+// [#extension: envoy.filters.http.squash]
 
 // [#next-free-field: 6]
 message Squash {

api/envoy/config/filter/http/tap/v2alpha/tap.proto

@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Tap]
 // Tap :ref:`configuration overview <config_http_filters_tap>`.
+// [#extension: envoy.filters.http.tap]
 
 // Top level configuration for the tap filter.
 message Tap {

api/envoy/config/filter/http/tap/v3alpha/tap.proto

@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Tap]
 // Tap :ref:`configuration overview <config_http_filters_tap>`.
+// [#extension: envoy.filters.http.tap]
 
 // Top level configuration for the tap filter.
 message Tap {

api/envoy/config/filter/http/transcoder/v2/transcoder.proto

@@ -10,6 +10,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: gRPC-JSON transcoder]
 // gRPC-JSON transcoder :ref:`configuration overview <config_http_filters_grpc_json_transcoder>`.
+// [#extension: envoy.filters.http.grpc_json_transcoder]
 
 // [#next-free-field: 10]
 message GrpcJsonTranscoder {