Merge remote-tracking branch 'upstream/main' into add_allocz

Change-Id: I01c7438041172d42a31d1dcfb57d33964678f376

.azure-pipelines/pipelines.yml

@@ -3,9 +3,6 @@ trigger:
     include:
     - "main"
     - "release/v*"
-  tags:
-    include:
-    - "v*"
 
 
 # PR build config is manually overridden in Azure pipelines UI with different secrets

.azure-pipelines/stages.yml

@@ -63,6 +63,7 @@ stages:
       authGPGPath: $(MaintainerGPGKey.secureFilePath)
       bucketGCP: $(GcsArtifactBucket)
       publishGithubRelease: variables['PUBLISH_GITHUB_RELEASE']
+      runBuild: stageDependencies.env.repo.outputs['run.releaseTests']
       runPrechecks: stageDependencies.env.repo.outputs['run.releaseTests']
 
 - stage: check

.bazelrc

@@ -25,6 +25,7 @@ build --copt=-DABSL_MIN_LOG_LEVEL=4
 build --define envoy_mobile_listener=enabled
 build --experimental_repository_downloader_retries=2
 build --enable_platform_specific_config
+build --incompatible_merge_fixed_and_default_shell_env
 
 # Pass CC, CXX and LLVM_CONFIG variables from the environment.
 # We assume they have stable values, so this won't cause action cache misses.

.github/workflows/codeql-daily.yml

@@ -34,7 +34,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93  # codeql-bundle-v3.26.6
+      uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d  # codeql-bundle-v3.26.7
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: cpp
@@ -73,4 +73,4 @@ jobs:
         git clean -xdf
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93  # codeql-bundle-v3.26.6
+      uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d  # codeql-bundle-v3.26.7

.github/workflows/codeql-push.yml

@@ -65,7 +65,7 @@ jobs:
 
     - name: Initialize CodeQL
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93  # codeql-bundle-v3.26.6
+      uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d  # codeql-bundle-v3.26.7
       with:
         languages: cpp
 
@@ -108,4 +108,4 @@ jobs:
 
     - name: Perform CodeQL Analysis
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93  # codeql-bundle-v3.26.6
+      uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d  # codeql-bundle-v3.26.7

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93  # v3.26.6
+      uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d  # v3.26.7
       with:
         sarif_file: results.sarif

OWNERS.md

@@ -76,7 +76,6 @@ without further review.
 
 * All senior maintainers
 * Tony Allen ([tonya11en](https://github.com/tonya11en)) ([email protected])
-* Otto van der Schaaf ([oschaaf](https://github.com/oschaaf)) ([email protected])
 * Tim Walsh ([twghu](https://github.com/twghu)) ([email protected])
 * Pradeep Rao ([pradeepcrao](https://github.com/pradeepcrao)) ([email protected])
 * Kateryna Nezdolii ([nezdolik](https://github.com/nezdolik)) ([email protected])

RELEASES.md

@@ -138,6 +138,6 @@ Security releases are published on a 3-monthly cycle, around the mid point betwe
 | Quarter |  Expected  |   Actual   | Difference |
 |:-------:|:----------:|:----------:|:----------:|
 | 2024 Q2 | 2024/06/04 | 2024/06/04 |   0 days   |
-| 2024 Q3 | 2024/09/03 |
+| 2024 Q3 | 2024/09/03 | 2024/09/19 |  16 days   |
 
 NOTE: Zero-day vulnerabilities, and upstream vulnerabilities disclosed to us under embargo, may necessitate an emergency release with little or no warning.

api/bazel/repository_locations.bzl

@@ -79,9 +79,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Google APIs",
         project_desc = "Public interface definitions of Google APIs",
         project_url = "https://github.com/googleapis/googleapis",
-        version = "114a745b2841a044e98cdbb19358ed29fcf4a5f1",
-        sha256 = "9b4e0d0a04a217c06b426aefd03b82581a9510ca766d2d1c70e52bb2ad4a0703",
-        release_date = "2023-01-10",
+        version = "fd52b5754b2b268bc3a22a10f29844f206abb327",
+        sha256 = "97fc354dddfd3ea03e7bf2ad74129291ed6fad7ff39d3bd8daec738a3672eb8a",
+        release_date = "2024-09-16",
         strip_prefix = "googleapis-{version}",
         urls = ["https://github.com/googleapis/googleapis/archive/{version}.tar.gz"],
         use_category = ["api"],

api/envoy/config/listener/v3/quic_config.proto

@@ -25,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: QUIC listener config]
 
 // Configuration specific to the UDP QUIC listener.
-// [#next-free-field: 13]
+// [#next-free-field: 14]
 message QuicProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.QuicProtocolOptions";
@@ -94,4 +94,9 @@ message QuicProtocolOptions {
   // If not specified, no cmsg will be saved to QuicReceivedPacket.
   repeated core.v3.SocketCmsgHeaders save_cmsg_config = 12
       [(validate.rules).repeated = {max_items: 1}];
+
+  // If true, the listener will reject connection-establishing packets at the
+  // QUIC layer by replying with an empty version negotiation packet to the
+  // client.
+  bool reject_new_connections = 13;
 }

api/envoy/extensions/filters/http/basic_auth/v3/basic_auth.proto

@@ -41,6 +41,12 @@ message BasicAuth {
   // If it is not specified, the username will not be forwarded.
   string forward_username_header = 2
       [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
+
+  // This field specifies the request header to load the basic credential from.
+  //
+  // If it is not specified, the filter loads the credential from  the "Authorization" header.
+  string authentication_header = 3
+      [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
 }
 
 // Extra settings that may be added to per-route configuration for

api/envoy/extensions/filters/http/oauth2/v3/oauth.proto

@@ -27,7 +27,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#next-free-field: 6]
 message OAuth2Credentials {
-  // [#next-free-field: 6]
+  // [#next-free-field: 7]
   message CookieNames {
     // Cookie name to hold OAuth bearer token value. When the authentication server validates the
     // client and returns an authorization token back to the OAuth filter, no matter what format
@@ -52,6 +52,10 @@ message OAuth2Credentials {
     // Cookie name to hold the refresh token. Defaults to ``RefreshToken``.
     string refresh_token = 5
         [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+    // Cookie name to hold the nonce value. Defaults to ``OauthNonce``.
+    string oauth_nonce = 6
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
   }
 
   // The client_id to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server.

api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto

@@ -684,6 +684,34 @@ message HttpConnectionManager {
   // purposes. If unspecified, only RFC1918 IP addresses will be considered internal.
   // See the documentation for :ref:`config_http_conn_man_headers_x-envoy-internal` for more
   // information about internal/external addresses.
+  //
+  // .. warning::
+  //     In the next release, no IP addresses will be considered trusted. If you have tooling such as probes
+  //     on your private network which need to be treated as trusted (e.g. changing arbitrary x-envoy headers)
+  //     you will have to manually include those addresses or CIDR ranges like:
+  //
+  // .. validated-code-block:: yaml
+  //   :type-name: envoy.extensions.filters.network.http_connection_manager.v3.InternalAddressConfig
+  //
+  //   cidr_ranges:
+  //       address_prefix: 10.0.0.0
+  //       prefix_len: 8
+  //   cidr_ranges:
+  //       address_prefix: 192.168.0.0
+  //       prefix_len: 16
+  //   cidr_ranges:
+  //       address_prefix: 172.16.0.0
+  //       prefix_len: 12
+  //   cidr_ranges:
+  //       address_prefix: 127.0.0.1
+  //       prefix_len: 32
+  //   cidr_ranges:
+  //       address_prefix: fd00::
+  //       prefix_len: 8
+  //   cidr_ranges:
+  //       address_prefix: ::1
+  //       prefix_len: 128
+  //
   InternalAddressConfig internal_address_config = 25;
 
   // If set, Envoy will not append the remote address to the

bazel/EXTERNAL_DEPS.md

@@ -16,7 +16,7 @@ build process.
 1. Define a new Bazel repository in [`bazel/repositories.bzl`](repositories.bzl),
    in the `envoy_dependencies()` function.
 2. Reference your new external dependency in some `envoy_cc_library` via the
-   `external_deps` attribute.
+   `deps` attribute.
 3. `bazel test //test/...`
 
 ## External CMake (preferred)
@@ -28,7 +28,7 @@ This is the preferred style of adding dependencies that use CMake for their buil
 2. Add an `envoy_cmake` rule to [`bazel/foreign_cc/BUILD`](foreign_cc/BUILD). This will reference
    the source repository in step 1.
 3. Reference your new external dependency in some `envoy_cc_library` via the name bound in step 1
-   `external_deps` attribute.
+   `deps` attribute.
 4. `bazel test //test/...`
 
 # Adding external dependencies to Envoy (Python)

bazel/dependency_imports.bzl

@@ -18,7 +18,7 @@ load("@rules_rust//rust:defs.bzl", "rust_common")
 load("@rules_rust//rust:repositories.bzl", "rules_rust_dependencies", "rust_register_toolchains", "rust_repository_set")
 
 # go version for rules_go
-GO_VERSION = "1.22.5"
+GO_VERSION = "1.23.1"
 
 JQ_VERSION = "1.7"
 YQ_VERSION = "4.24.4"

bazel/envoy_build_system.bzl

@@ -211,13 +211,13 @@ def envoy_proto_descriptor(name, out, srcs = [], external_deps = []):
     options.extend(["-I" + include_path for include_path in include_paths])
     options.append("--descriptor_set_out=$@")
 
-    cmd = "$(location //external:protoc) " + " ".join(options + input_files)
+    cmd = "$(location @com_google_protobuf//:protoc) " + " ".join(options + input_files)
     native.genrule(
         name = name,
         srcs = srcs,
         outs = [out],
         cmd = cmd,
-        tools = ["//external:protoc"],
+        tools = ["@com_google_protobuf//:protoc"],
     )
 
 # Dependencies on Google grpc should be wrapped with this function.

bazel/envoy_internal.bzl

@@ -166,15 +166,15 @@ def tcmalloc_external_dep(repository):
         repository + "//bazel:disable_tcmalloc": None,
         repository + "//bazel:disable_tcmalloc_on_linux_x86_64": None,
         repository + "//bazel:disable_tcmalloc_on_linux_aarch64": None,
-        repository + "//bazel:debug_tcmalloc": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:debug_tcmalloc_on_linux_x86_64": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:debug_tcmalloc_on_linux_aarch64": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:gperftools_tcmalloc": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:gperftools_tcmalloc_on_linux_x86_64": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:gperftools_tcmalloc_on_linux_aarch64": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:linux_x86_64": envoy_external_dep_path("tcmalloc"),
-        repository + "//bazel:linux_aarch64": envoy_external_dep_path("tcmalloc"),
-        "//conditions:default": envoy_external_dep_path("gperftools"),
+        repository + "//bazel:debug_tcmalloc": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:debug_tcmalloc_on_linux_x86_64": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:debug_tcmalloc_on_linux_aarch64": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:gperftools_tcmalloc": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:gperftools_tcmalloc_on_linux_x86_64": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:gperftools_tcmalloc_on_linux_aarch64": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:linux_x86_64": "@com_github_google_tcmalloc//tcmalloc",
+        repository + "//bazel:linux_aarch64": "@com_github_google_tcmalloc//tcmalloc",
+        "//conditions:default": repository + "//bazel/foreign_cc:gperftools",
     })
 
 # Select the given values if default path normalization is on in the current build.

bazel/envoy_library.bzl

@@ -24,23 +24,23 @@ def tcmalloc_external_deps(repository):
         repository + "//bazel:disable_tcmalloc": [],
         repository + "//bazel:disable_tcmalloc_on_linux_x86_64": [],
         repository + "//bazel:disable_tcmalloc_on_linux_aarch64": [],
-        repository + "//bazel:debug_tcmalloc": [envoy_external_dep_path("gperftools")],
-        repository + "//bazel:debug_tcmalloc_on_linux_x86_64": [envoy_external_dep_path("gperftools")],
-        repository + "//bazel:debug_tcmalloc_on_linux_aarch64": [envoy_external_dep_path("gperftools")],
-        repository + "//bazel:gperftools_tcmalloc": [envoy_external_dep_path("gperftools")],
-        repository + "//bazel:gperftools_tcmalloc_on_linux_x86_64": [envoy_external_dep_path("gperftools")],
-        repository + "//bazel:gperftools_tcmalloc_on_linux_aarch64": [envoy_external_dep_path("gperftools")],
+        repository + "//bazel:debug_tcmalloc": [repository + "//bazel/foreign_cc:gperftools"],
+        repository + "//bazel:debug_tcmalloc_on_linux_x86_64": [repository + "//bazel/foreign_cc:gperftools"],
+        repository + "//bazel:debug_tcmalloc_on_linux_aarch64": [repository + "//bazel/foreign_cc:gperftools"],
+        repository + "//bazel:gperftools_tcmalloc": [repository + "//bazel/foreign_cc:gperftools"],
+        repository + "//bazel:gperftools_tcmalloc_on_linux_x86_64": [repository + "//bazel/foreign_cc:gperftools"],
+        repository + "//bazel:gperftools_tcmalloc_on_linux_aarch64": [repository + "//bazel/foreign_cc:gperftools"],
         repository + "//bazel:linux_x86_64": [
-            envoy_external_dep_path("tcmalloc"),
-            envoy_external_dep_path("tcmalloc_profile_marshaler"),
-            envoy_external_dep_path("tcmalloc_malloc_extension"),
+            "@com_github_google_tcmalloc//tcmalloc",
+            "@com_github_google_tcmalloc//tcmalloc:profile_marshaler",
+            "@com_github_google_tcmalloc//tcmalloc:malloc_extension",
         ],
         repository + "//bazel:linux_aarch64": [
-            envoy_external_dep_path("tcmalloc"),
-            envoy_external_dep_path("tcmalloc_profile_marshaler"),
-            envoy_external_dep_path("tcmalloc_malloc_extension"),
+            "@com_github_google_tcmalloc//tcmalloc",
+            "@com_github_google_tcmalloc//tcmalloc:profile_marshaler",
+            "@com_github_google_tcmalloc//tcmalloc:malloc_extension",
         ],
-        "//conditions:default": [envoy_external_dep_path("gperftools")],
+        "//conditions:default": [repository + "//bazel/foreign_cc:gperftools"],
     })
 
 # Envoy C++ library targets that need no transformations or additional dependencies before being

bazel/envoy_pch.bzl

@@ -27,8 +27,8 @@ def envoy_pch_library(
         name,
         includes,
         deps,
-        external_deps,
         visibility,
+        external_deps = [],
         testonly = False,
         repository = ""):
     native.cc_library(

bazel/envoy_test.bzl

@@ -40,7 +40,7 @@ def _envoy_cc_test_infrastructure_library(
     extra_deps = []
     pch_copts = []
     if disable_pch:
-        extra_deps = [envoy_external_dep_path("googletest")]
+        extra_deps = ["@com_google_googletest//:gtest"]
     else:
         extra_deps = envoy_pch_deps(repository, "//test:test_pch")
         pch_copts = envoy_pch_copts(repository, "//test:test_pch")
@@ -175,9 +175,10 @@ def envoy_cc_test(
         linkopts = _envoy_test_linkopts() + linkopts,
         linkstatic = envoy_linkstatic(),
         malloc = tcmalloc_external_dep(repository),
-        deps = envoy_stdlib_deps() + deps + [envoy_external_dep_path(dep) for dep in external_deps + ["googletest"]] + [
+        deps = envoy_stdlib_deps() + deps + [envoy_external_dep_path(dep) for dep in external_deps] + [
             repository + "//test:main",
             repository + "//test/test_common:test_version_linkstamp",
+            "@com_google_googletest//:gtest",
         ] + envoy_pch_deps(repository, "//test:test_pch"),
         # from https://github.com/google/googletest/blob/6e1970e2376c14bf658eb88f655a054030353f9f/googlemock/src/gmock.cc#L51
         # 2 - by default, mocks act as StrictMocks.

bazel/external/cargo/remote/BUILD.protobuf-2.24.1.bazel

@@ -33,7 +33,7 @@ licenses([
 # buildifier: disable=out-of-order-load
 # buildifier: disable=load-on-top
 load(
-    "@rules_rust//cargo:cargo_build_script.bzl",
+    "@rules_rust//cargo:defs.bzl",
     "cargo_build_script",
 )