Merge remote-tracking branch 'origin/master' into udp_proxy

Signed-off-by: Matt Klein <[email protected]>

SECURITY.md

@@ -86,29 +86,11 @@ detect issues during their execution on ClusterFuzz. A soak period of 5 days pro
 guarantee, since we will invoke the security release process for medium or higher severity issues
 for these older bugs.
 
-### Confidentiality, integrity and availability
-
-We consider vulnerabilities leading to the compromise of data confidentiality or integrity to be our
-highest priority concerns. Availability, in particular in areas relating to DoS and resource
-exhaustion, is also a serious security concern for Envoy operators, in particular those utilizing
-Envoy in edge deployments.
-
-The Envoy availability stance around CPU and memory DoS, as well as Query-of-Death (QoD), is still
-evolving. We will continue to iterate and fix well known resource issues in the open, e.g. overload
-manager and watermark improvements. We will activate the security process for disclosures that
-appear to present a risk profile that is significantly greater than the current Envoy availability
-hardening status quo. Examples of disclosures that would elicit this response:
-* QoD; where a single query from a client can bring down an Envoy server.
-* Highly asymmetric resource exhaustion attacks, where very little traffic can cause resource
-  exhaustion, e.g. that delivered by a single client.
-
-Note that we do not currently consider the default settings for Envoy to be safe from an availability
-perspective. It is necessary for operators to explicitly configure watermarks, the overload manager,
-circuit breakers and other resource related features in Envoy to provide a robust availability
-story. We will not act on any security disclosure that relates to a lack of safe defaults. Over
-time, we will work towards improved safe-by-default configuration, but due to backwards
-compatibility and performance concerns, this will require following the breaking change deprecation
-policy.
+### Threat model
+
+See https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/threat_model.
+Vulnerabilities are evaluated against this threat model when deciding whether to activate the Envoy
+security release process.
 
 ### Fix Team Organization
 

api/docs/BUILD

@@ -56,11 +56,13 @@ proto_library(
         "//envoy/config/filter/network/ext_authz/v2:pkg",
         "//envoy/config/filter/network/http_connection_manager/v2:pkg",
         "//envoy/config/filter/network/mongo_proxy/v2:pkg",
+        "//envoy/config/filter/network/mysql_proxy/v1alpha1:pkg",
         "//envoy/config/filter/network/rate_limit/v2:pkg",
         "//envoy/config/filter/network/rbac/v2:pkg",
         "//envoy/config/filter/network/redis_proxy/v2:pkg",
         "//envoy/config/filter/network/tcp_proxy/v2:pkg",
         "//envoy/config/filter/network/thrift_proxy/v2alpha1:pkg",
+        "//envoy/config/filter/network/zookeeper_proxy/v1alpha1:pkg",
         "//envoy/config/filter/thrift/rate_limit/v2alpha1:pkg",
         "//envoy/config/filter/thrift/router/v2alpha1:pkg",
         "//envoy/config/grpc_credential/v2alpha:pkg",
@@ -72,6 +74,7 @@ proto_library(
         "//envoy/config/rbac/v2:pkg",
         "//envoy/config/resource_monitor/fixed_heap/v2alpha:pkg",
         "//envoy/config/resource_monitor/injected_resource/v2alpha:pkg",
+        "//envoy/config/retry/previous_priorities:pkg",
         "//envoy/config/trace/v2:pkg",
         "//envoy/config/transport_socket/alts/v2alpha:pkg",
         "//envoy/config/transport_socket/tap/v2alpha:pkg",

api/envoy/api/v2/route/route.proto

@@ -727,6 +727,8 @@ message RouteAction {
   oneof host_rewrite_specifier {
     // Indicates that during forwarding, the host header will be swapped with
     // this value.
+    //
+    // [#next-major-version: host_rewrite_literal]
     string host_rewrite = 6;
 
     // Indicates that during forwarding, the host header will be swapped with
@@ -744,6 +746,8 @@ message RouteAction {
     //
     //   Pay attention to the potential security implications of using this option. Provided header
     //   must come from trusted source.
+    //
+    // [#next-major-version: host_rewrite_header]
     string auto_host_rewrite_header = 29;
   }
 

api/envoy/api/v3alpha/route/route.proto

@@ -667,6 +667,8 @@ message RouteAction {
   oneof host_rewrite_specifier {
     // Indicates that during forwarding, the host header will be swapped with
     // this value.
+    //
+    // [#next-major-version: host_rewrite_literal]
     string host_rewrite = 6;
 
     // Indicates that during forwarding, the host header will be swapped with
@@ -684,6 +686,8 @@ message RouteAction {
     //
     //   Pay attention to the potential security implications of using this option. Provided header
     //   must come from trusted source.
+    //
+    // [#next-major-version: host_rewrite_header]
     string auto_host_rewrite_header = 29;
   }
 

api/envoy/config/accesslog/v2/als.proto

@@ -19,6 +19,7 @@ import "validate/validate.proto";
 // :ref:`AccessLog <envoy_api_msg_config.filter.accesslog.v2.AccessLog>`. This configuration will
 // populate :ref:`StreamAccessLogsMessage.http_logs
 // <envoy_api_field_service.accesslog.v2.StreamAccessLogsMessage.http_logs>`.
+// [#extension: envoy.access_loggers.http_grpc]
 message HttpGrpcAccessLogConfig {
   CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
 
@@ -37,6 +38,7 @@ message HttpGrpcAccessLogConfig {
 
 // Configuration for the built-in *envoy.tcp_grpc_access_log* type. This configuration will
 // populate *StreamAccessLogsMessage.tcp_logs*.
+// [#extension: envoy.access_loggers.tcp_grpc]
 message TcpGrpcAccessLogConfig {
   CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
 }

api/envoy/config/accesslog/v2/file.proto

@@ -11,6 +11,7 @@ import "google/protobuf/struct.proto";
 import "validate/validate.proto";
 
 // [#protodoc-title: File access log]
+// [#extension: envoy.access_loggers.file]
 
 // Custom configuration for an :ref:`AccessLog <envoy_api_msg_config.filter.accesslog.v2.AccessLog>`
 // that writes log entries directly to a file. Configures the built-in *envoy.file_access_log*

api/envoy/config/accesslog/v3alpha/als.proto

@@ -19,6 +19,7 @@ import "validate/validate.proto";
 // :ref:`AccessLog <envoy_api_msg_config.filter.accesslog.v3alpha.AccessLog>`. This configuration
 // will populate :ref:`StreamAccessLogsMessage.http_logs
 // <envoy_api_field_service.accesslog.v3alpha.StreamAccessLogsMessage.http_logs>`.
+// [#extension: envoy.access_loggers.http_grpc]
 message HttpGrpcAccessLogConfig {
   CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
 
@@ -37,6 +38,7 @@ message HttpGrpcAccessLogConfig {
 
 // Configuration for the built-in *envoy.tcp_grpc_access_log* type. This configuration will
 // populate *StreamAccessLogsMessage.tcp_logs*.
+// [#extension: envoy.access_loggers.tcp_grpc]
 message TcpGrpcAccessLogConfig {
   CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
 }

api/envoy/config/accesslog/v3alpha/file.proto

@@ -11,6 +11,7 @@ import "google/protobuf/struct.proto";
 import "validate/validate.proto";
 
 // [#protodoc-title: File access log]
+// [#extension: envoy.access_loggers.file]
 
 // Custom configuration for an :ref:`AccessLog
 // <envoy_api_msg_config.filter.accesslog.v3alpha.AccessLog>` that writes log entries directly to a

api/envoy/config/cluster/dynamic_forward_proxy/v2alpha/cluster.proto

@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // Configuration for the dynamic forward proxy cluster. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
+// [#extension: envoy.clusters.dynamic_forward_proxy]
 message ClusterConfig {
   // The DNS cache configuration that the cluster will attach to. Note this configuration must
   // match that of associated :ref:`dynamic forward proxy HTTP filter configuration

api/envoy/config/cluster/dynamic_forward_proxy/v3alpha/cluster.proto

@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // Configuration for the dynamic forward proxy cluster. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
+// [#extension: envoy.clusters.dynamic_forward_proxy]
 message ClusterConfig {
   // The DNS cache configuration that the cluster will attach to. Note this configuration must
   // match that of associated :ref:`dynamic forward proxy HTTP filter configuration

api/envoy/config/cluster/redis/redis_cluster.proto

@@ -48,6 +48,7 @@ import "validate/validate.proto";
 //         cluster_refresh_timeout: 0.5s
 //         redirect_refresh_interval: 10s
 //         redirect_refresh_threshold: 10
+// [#extension: envoy.clusters.redis]
 
 message RedisClusterConfig {
   // Interval between successive topology refresh requests. If not set, this defaults to 5s.

api/envoy/config/filter/http/adaptive_concurrency/v2alpha/adaptive_concurrency.proto

@@ -18,6 +18,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Adaptive Concurrency]
 // Adaptive Concurrency Control :ref:`configuration overview
 // <config_http_filters_adaptive_concurrency>`.
+// [#extension: envoy.filters.http.adaptive_concurrency]
 
 // Configuration parameters for the gradient controller.
 message GradientControllerConfig {

api/envoy/config/filter/http/adaptive_concurrency/v3alpha/adaptive_concurrency.proto

@@ -18,6 +18,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Adaptive Concurrency]
 // Adaptive Concurrency Control :ref:`configuration overview
 // <config_http_filters_adaptive_concurrency>`.
+// [#extension: envoy.filters.http.adaptive_concurrency]
 
 // Configuration parameters for the gradient controller.
 message GradientControllerConfig {

api/envoy/config/filter/http/buffer/v2/buffer.proto

@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Buffer]
 // Buffer :ref:`configuration overview <config_http_filters_buffer>`.
+// [#extension: envoy.filters.http.buffer]
 
 message Buffer {
   reserved 2;

api/envoy/config/filter/http/csrf/v2/csrf.proto

@@ -13,6 +13,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: CSRF]
 // Cross-Site Request Forgery :ref:`configuration overview <config_http_filters_csrf>`.
+// [#extension: envoy.filters.http.csrf]
 
 // CSRF filter config.
 message CsrfPolicy {

api/envoy/config/filter/http/csrf/v3alpha/csrf.proto

@@ -13,6 +13,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: CSRF]
 // Cross-Site Request Forgery :ref:`configuration overview <config_http_filters_csrf>`.
+// [#extension: envoy.filters.http.csrf]
 
 // CSRF filter config.
 message CsrfPolicy {

api/envoy/config/filter/http/dynamic_forward_proxy/v2alpha/dynamic_forward_proxy.proto

@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // Configuration for the dynamic forward proxy HTTP filter. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
+// [#extension: envoy.filters.http.dynamic_forward_proxy]
 message FilterConfig {
   // The DNS cache configuration that the filter will attach to. Note this configuration must
   // match that of associated :ref:`dynamic forward proxy cluster configuration
@@ -24,8 +25,31 @@ message FilterConfig {
 
 // Per route Configuration for the dynamic forward proxy HTTP filter.
 message PerRouteConfig {
-  // Indicates that before DNS lookup, the host header will be swapped with
-  // this value. If not set or empty, the original host header value
-  // will be used and no rewrite will happen.
-  string host_rewrite = 1;
+  oneof host_rewrite_specifier {
+    // Indicates that before DNS lookup, the host header will be swapped with
+    // this value. If not set or empty, the original host header value
+    // will be used and no rewrite will happen.
+    //
+    // Note: this rewrite affects both DNS lookup and host header forwarding. However, this
+    // option shouldn't be used with
+    // :ref:`HCM host rewrite <envoy_api_field_route.RouteAction.host_rewrite>` given that the
+    // value set here would be used for DNS lookups whereas the value set in the HCM would be used
+    // for host header forwarding which is not the desired outcome.
+    //
+    // [#next-major-version: host_rewrite_literal]
+    string host_rewrite = 1;
+
+    // Indicates that before DNS lookup, the host header will be swapped with
+    // the value of this header. If not set or empty, the original host header
+    // value will be used and no rewrite will happen.
+    //
+    // Note: this rewrite affects both DNS lookup and host header forwarding. However, this
+    // option shouldn't be used with
+    // :ref:`HCM host rewrite header <envoy_api_field_route.RouteAction.auto_host_rewrite_header>`
+    // given that the value set here would be used for DNS lookups whereas the value set in the HCM
+    // would be used for host header forwarding which is not the desired outcome.
+    //
+    // [#next-major-version: host_rewrite_header]
+    string auto_host_rewrite_header = 2;
+  }
 }

api/envoy/config/filter/http/dynamic_forward_proxy/v3alpha/dynamic_forward_proxy.proto

@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // Configuration for the dynamic forward proxy HTTP filter. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
+// [#extension: envoy.filters.http.dynamic_forward_proxy]
 message FilterConfig {
   // The DNS cache configuration that the filter will attach to. Note this configuration must
   // match that of associated :ref:`dynamic forward proxy cluster configuration
@@ -24,8 +25,32 @@ message FilterConfig {
 
 // Per route Configuration for the dynamic forward proxy HTTP filter.
 message PerRouteConfig {
-  // Indicates that before DNS lookup, the host header will be swapped with
-  // this value. If not set or empty, the original host header value
-  // will be used and no rewrite will happen.
-  string host_rewrite = 1;
+  oneof host_rewrite_specifier {
+    // Indicates that before DNS lookup, the host header will be swapped with
+    // this value. If not set or empty, the original host header value
+    // will be used and no rewrite will happen.
+    //
+    // Note: this rewrite affects both DNS lookup and host header forwarding. However, this
+    // option shouldn't be used with
+    // :ref:`HCM host rewrite <envoy_api_field_api.v3alpha.route.RouteAction.host_rewrite>` given
+    // that the value set here would be used for DNS lookups whereas the value set in the HCM would
+    // be used for host header forwarding which is not the desired outcome.
+    //
+    // [#next-major-version: host_rewrite_literal]
+    string host_rewrite = 1;
+
+    // Indicates that before DNS lookup, the host header will be swapped with
+    // the value of this header. If not set or empty, the original host header
+    // value will be used and no rewrite will happen.
+    //
+    // Note: this rewrite affects both DNS lookup and host header forwarding. However, this
+    // option shouldn't be used with
+    // :ref:`HCM host rewrite header
+    // <envoy_api_field_api.v3alpha.route.RouteAction.auto_host_rewrite_header>` given that the
+    // value set here would be used for DNS lookups whereas the value set in the HCM would be used
+    // for host header forwarding which is not the desired outcome.
+    //
+    // [#next-major-version: host_rewrite_header]
+    string auto_host_rewrite_header = 2;
+  }
 }

api/envoy/config/filter/http/ext_authz/v2/ext_authz.proto

@@ -16,8 +16,9 @@ import "validate/validate.proto";
 
 // [#protodoc-title: External Authorization]
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
+// [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 10]
+// [#next-free-field: 11]
 message ExtAuthz {
   // External authorization service configuration.
   oneof services {
@@ -90,6 +91,12 @@ message ExtAuthz {
   //
   // If this field is not specified, the filter will be enabled for all requests.
   api.v2.core.RuntimeFractionalPercent filter_enabled = 9;
+
+  // Specifies if the peer certificate is sent to the external service.
+  //
+  // When this field is true, Envoy will include the peer X.509 certificate, if available, in the
+  // :ref:`certificate<envoy_api_field_service.auth.v2.AttributeContext.Peer.certificate>`.
+  bool include_peer_certificate = 10;
 }
 
 // Configuration for buffering the request data.

api/envoy/config/filter/http/ext_authz/v3alpha/ext_authz.proto

@@ -16,8 +16,9 @@ import "validate/validate.proto";
 
 // [#protodoc-title: External Authorization]
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
+// [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 10]
+// [#next-free-field: 11]
 message ExtAuthz {
   reserved 4;
 
@@ -88,6 +89,12 @@ message ExtAuthz {
   //
   // If this field is not specified, the filter will be enabled for all requests.
   api.v3alpha.core.RuntimeFractionalPercent filter_enabled = 9;
+
+  // Specifies if the peer certificate is sent to the external service.
+  //
+  // When this field is true, Envoy will include the peer X.509 certificate, if available, in the
+  // :ref:`certificate<envoy_api_field_service.auth.v3alpha.AttributeContext.Peer.certificate>`.
+  bool include_peer_certificate = 10;
 }
 
 // Configuration for buffering the request data.

api/envoy/config/filter/http/fault/v2/fault.proto

@@ -16,6 +16,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Fault Injection]
 // Fault Injection :ref:`configuration overview <config_http_filters_fault_injection>`.
+// [#extension: envoy.filters.http.fault]
 
 message FaultAbort {
   reserved 1;

api/envoy/config/filter/http/fault/v3alpha/fault.proto

@@ -16,6 +16,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Fault Injection]
 // Fault Injection :ref:`configuration overview <config_http_filters_fault_injection>`.
+// [#extension: envoy.filters.http.fault]
 
 message FaultAbort {
   reserved 1;

api/envoy/config/filter/http/grpc_http1_reverse_bridge/v2alpha1/config.proto

@@ -11,6 +11,7 @@ import "validate/validate.proto";
 // [#protodoc-title: gRPC HTTP/1.1 Reverse Bridge]
 // gRPC HTTP/1.1 Reverse Bridge :ref:`configuration overview
 // <config_http_filters_grpc_http1_reverse_bridge>`.
+// [#extension: envoy.filters.http.grpc_http1_reverse_bridge]
 
 // gRPC reverse bridge filter configuration
 message FilterConfig {

api/envoy/config/filter/http/grpc_stats/v2alpha/config.proto

@@ -10,6 +10,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: gRPC statistics] gRPC statistics filter
 // :ref:`configuration overview <config_http_filters_grpc_stats>`.
+// [#extension: envoy.filters.http.grpc_stats]
 
 // gRPC statistics filter configuration
 message FilterConfig {

api/envoy/config/filter/http/gzip/v2/gzip.proto

@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Gzip]
 // Gzip :ref:`configuration overview <config_http_filters_gzip>`.
+// [#extension: envoy.filters.http.gzip]
 
 // [#next-free-field: 10]
 message Gzip {

api/envoy/config/filter/http/header_to_metadata/v2/header_to_metadata.proto

@@ -14,6 +14,7 @@ import "validate/validate.proto";
 // for matching load balancer subsets, logging, etc.
 //
 // Header to Metadata :ref:`configuration overview <config_http_filters_header_to_metadata>`.
+// [#extension: envoy.filters.http.header_to_metadata]
 
 message Config {
   enum ValueType {

api/envoy/config/filter/http/health_check/v2/health_check.proto

@@ -16,6 +16,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Health check]
 // Health check :ref:`configuration overview <config_http_filters_health_check>`.
+// [#extension: envoy.filters.http.health_check]
 
 // [#next-free-field: 6]
 message HealthCheck {