api: Add disableMergeSlash and escapedSlashesAction to ClientTrafficP…

…olicy (#2384)
envoyproxy · Jan 6, 2024 · 9eb3555 · 9eb3555
1 parent 3812cb5
commit 9eb3555
Show file tree

Hide file tree

Showing 5 changed files with 136 additions and 0 deletions.
diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go
@@ -74,6 +74,10 @@ type ClientTrafficPolicySpec struct {
 	//
 	// +optional
 	TLS *TLSSettings `json:"tls,omitempty"`
+	// Path enables managing how the incoming path set by clients can be normalized.
+	//
+	// +optional
+	Path *PathSettings `json:"path,omitempty"`
 }
 
 // HTTP3Settings provides HTTP/3 configuration on the listener.

diff --git a/api/v1alpha1/pathsettings_types.go b/api/v1alpha1/pathsettings_types.go
@@ -0,0 +1,54 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+// PathEscapedSlashAction determines the action for requests that contain %2F, %2f, %5C, or %5c
+// sequences in the URI path.
+// +kubebuilder:validation:Enum=KeepUnchanged;RejectRequest;UnescapeAndForward;UnescapeAndRedirect
+type PathEscapedSlashAction string
+
+const (
+	// KeepUnchangedAction keeps escaped slashes as they arrive without changes
+	KeepUnchangedAction PathEscapedSlashAction = "KeepUnchanged"
+	// RejectRequestAction rejects client requests containing escaped slashes
+	// with a 400 status. gRPC requests will be rejected with the INTERNAL (13)
+	// error code.
+	// The "httpN.downstream_rq_failed_path_normalization" counter is incremented
+	// for each rejected request.
+	RejectRequestAction PathEscapedSlashAction = "RejectRequest"
+	// UnescapeAndRedirect unescapes %2F and %5C sequences and redirects to the new path
+	// if these sequences were present.
+	//
+	// Redirect occurs after path normalization and merge slashes transformations if
+	// they were configured. gRPC requests will be rejected with the INTERNAL (13)
+	// error code.
+	// This option minimizes possibility of path confusion exploits by forcing request
+	// with unescaped slashes to traverse all parties: downstream client, intermediate
+	// proxies, Envoy and upstream server.
+	// The “httpN.downstream_rq_redirected_with_normalized_path” counter is incremented
+	// for each redirected request.
+	UnescapeAndRedirect PathEscapedSlashAction = "UnescapeAndRedirect"
+	// UnescapeAndForward unescapes %2F and %5C sequences and forwards the request.
+	// Note: this option should not be enabled if intermediaries perform path based access
+	// control as it may lead to path confusion vulnerabilities.
+	UnescapeAndForward PathEscapedSlashAction = "UnescapeAndForward"
+)
+
+// PathSettings provides settings that managing how the incoming path set by clients is handled.
+type PathSettings struct {
+	// EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI
+	// should be handled.
+	// The default is UnescapeAndRedirect.
+	//
+	// +optional
+	EscapedSlashesAction *PathEscapedSlashAction `json:"escapedSlashesAction,omitempty"`
+	// DisableMergeSlashes allows disabling the default configuration of merging adjacent
+	// slashes in the path.
+	// Note that slash merging is not part of the HTTP spec and is provided for convenience.
+	//
+	// +optional
+	DisableMergeSlashes *bool `json:"disableMergeSlashes,omitempty"`
+}
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
@@ -53,6 +53,27 @@ spec:
               http3:
                 description: HTTP3 provides HTTP/3 configuration on the listener.
                 type: object
+              path:
+                description: Path enables managing how the incoming path set by clients
+                  can be normalized.
+                properties:
+                  disableMergeSlashes:
+                    description: DisableMergeSlashes allows disabling the default
+                      configuration of merging adjacent slashes in the path. Note
+                      that slash merging is not part of the HTTP spec and is provided
+                      for convenience.
+                    type: boolean
+                  escapedSlashesAction:
+                    description: EscapedSlashesAction determines how %2f, %2F, %5c,
+                      or %5C sequences in the path URI should be handled. The default
+                      is UnescapeAndRedirect.
+                    enum:
+                    - KeepUnchanged
+                    - RejectRequest
+                    - UnescapeAndForward
+                    - UnescapeAndRedirect
+                    type: string
+                type: object
               suppressEnvoyHeaders:
                 description: SuppressEnvoyHeaders configures the Envoy Router filter
                   to suppress the "x-envoy-' headers from both requests and responses.

diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
@@ -220,6 +220,7 @@ _Appears in:_
 | `enableProxyProtocol` _boolean_ | EnableProxyProtocol interprets the ProxyProtocol header and adds the Client Address into the X-Forwarded-For header. Note Proxy Protocol must be present when this field is set, else the connection is closed. |
 | `http3` _[HTTP3Settings](#http3settings)_ | HTTP3 provides HTTP/3 configuration on the listener. |
 | `tls` _[TLSSettings](#tlssettings)_ | TLS settings configure TLS termination settings with the downstream client. |
+| `path` _[PathSettings](#pathsettings)_ | Path enables managing how the incoming path set by clients can be normalized. |
 
 
 
@@ -1285,6 +1286,32 @@ _Appears in:_
 | `resources` _object (keys:string, values:string)_ | Resources is a set of labels that describe the source of a log entry, including envoy node info. It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). |
 
 
+#### PathEscapedSlashAction
+
+_Underlying type:_ `string`
+
+PathEscapedSlashAction determines the action for requests that contain %2F, %2f, %5C, or %5c sequences in the URI path.
+
+_Appears in:_
+- [PathSettings](#pathsettings)
+
+
+
+#### PathSettings
+
+
+
+PathSettings provides settings that managing how the incoming path set by clients is handled.
+
+_Appears in:_
+- [ClientTrafficPolicySpec](#clienttrafficpolicyspec)
+
+| Field | Description |
+| --- | --- |
+| `escapedSlashesAction` _[PathEscapedSlashAction](#pathescapedslashaction)_ | EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI should be handled. The default is UnescapeAndRedirect. |
+| `disableMergeSlashes` _boolean_ | DisableMergeSlashes allows disabling the default configuration of merging adjacent slashes in the path. Note that slash merging is not part of the HTTP spec and is provided for convenience. |
+
+
 #### ProviderType
 
 _Underlying type:_ `string`