envoyproxy
diff --git a/‎api/v1alpha1/envoygateway_types.go‎
Lines changed: 3 additions & 0 deletions b/‎api/v1alpha1/envoygateway_types.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎api/v1alpha1/envoyproxy_types.go‎
Lines changed: 15 additions & 9 deletions b/‎api/v1alpha1/envoyproxy_types.go‎
Lines changed: 15 additions & 9 deletions
diff --git a/‎charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml‎
Lines changed: 1 addition & 0 deletions b/‎charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml‎
Lines changed: 1 addition & 0 deletions b/‎charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎internal/gatewayapi/envoyextensionpolicy.go‎
Lines changed: 5 additions & 0 deletions b/‎internal/gatewayapi/envoyextensionpolicy.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎internal/gatewayapi/luavalidator/lua_validator.go‎
Lines changed: 61 additions & 10 deletions b/‎internal/gatewayapi/luavalidator/lua_validator.go‎
Lines changed: 61 additions & 10 deletions
@@ -265,6 +265,9 @@ type ExtensionAPISettings struct {
 	// EnableBackend enables Envoy Gateway to
 	// reconcile and implement the Backend resources.
 	EnableBackend bool `json:"enableBackend"`
+	// DisableLua determines if Lua EnvoyExtensionPolicies should be disabled.
+	// If set to true, the Lua EnvoyExtensionPolicy feature will be disabled.
+	DisableLua bool `json:"disableLua"`
 }
 
 // EnvoyGatewayProvider defines the desired configuration of a provider.
 
@@ -182,23 +182,29 @@ type EnvoyProxySpec struct {
 	LuaValidation *LuaValidation `json:"luaValidation,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=Strict;Disabled
+// +kubebuilder:validation:Enum=Strict;InsecureSyntax;Disabled
 type LuaValidation string
 
 const (
 	// LuaValidationStrict is the default level and checks for issues during script execution.
-	// Recommended if your scripts only use the standard Envoy Lua stream handle API.
+	// Recommended if your scripts only use the standard Envoy Lua stream handle API and no external libraries.
 	// For supported APIs, see: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api
+	// INFO: This validation mode executes Lua scripts from EnvoyExtensionPolicy (EEP) resources in the gateway controller.
+	// Since the Gateway controller watches EEPs across all namespaces (or namespaces matching the configured selector),
+	// unprivileged users can create EEPs in their namespaces and cause arbitrary Lua code to execute in the Gateway controller process.
+	// Security measures are in place to prevent unsafe Lua code from accessing critical system resources on the controller
+	// and fail validation, preventing the unsafe code from flowing to the data plane proxy.
 	LuaValidationStrict LuaValidation = "Strict"
 
-	// LuaValidationSyntax checks for syntax errors in the Lua script.
-	// Note that this is not a full runtime validation and does not check for issues during script execution.
-	// This is recommended if your scripts use external libraries that are not supported by Lua runtime validation.
-	LuaValidationSyntax LuaValidation = "Syntax"
+	// LuaValidationInsecureSyntax checks for Lua syntax errors only.
+	// Useful if your scripts use external libraries other than the standard Envoy Lua stream handle API.
+	// WARNING: This mode does NOT offer any runtime validations, so no security measures are applied to validate Lua code safety.
+	// Not recommended unless you completely trust all EnvoyExtensionPolicy resources.
+	LuaValidationInsecureSyntax LuaValidation = "InsecureSyntax"
 
-	// LuaValidationDisabled disables all validations of Lua scripts.
-	// Scripts will be accepted and executed without any validation checks.
-	// This is not recommended unless both runtime and syntax validations are failing unexpectedly.
+	// LuaValidationDisabled disables all Lua script validations.
+	// WARNING: This mode does NOT offer any runtime or syntax validations, so no security measures are applied to validate Lua code safety.
+	// Not recommended unless you completely trust all EnvoyExtensionPolicy resources.
 	LuaValidationDisabled LuaValidation = "Disabled"
 )
 
 
@@ -471,6 +471,7 @@ spec:
                   Default: Strict
                 enum:
                 - Strict
+                - InsecureSyntax
                 - Disabled
                 type: string
               mergeGateways:
 
@@ -470,6 +470,7 @@ spec:
                   Default: Strict
                 enum:
                 - Strict
+                - InsecureSyntax
                 - Disabled
                 type: string
               mergeGateways:
 
@@ -668,6 +668,11 @@ func (t *Translator) buildLuas(
 		return nil, nil
 	}
 
+	// If Lua EnvoyExtensionPolicies are disabled, skip building Lua filters.
+	if len(policy.Spec.Lua) > 0 && t.LuaEnvoyExtensionPolicyDisabled {
+		return nil, fmt.Errorf("Skipping Lua EnvoyExtensionPolicy as feature is disabled in the Gateway")
+	}
+
 	luaIRList := make([]ir.Lua, 0, len(policy.Spec.Lua))
 
 	for idx, ep := range policy.Spec.Lua {
 
@@ -6,9 +6,11 @@
 package luavalidator
 
 import (
+	"context"
 	_ "embed"
 	"fmt"
 	"strings"
+	"time"
 
 	lua "github.com/yuin/gopher-lua"
 
@@ -18,6 +20,7 @@ import (
 const (
 	envoyOnRequestFunctionName  = "envoy_on_request"
 	envoyOnResponseFunctionName = "envoy_on_response"
+	luaExecutionTimeout         = 5 * time.Second
 )
 
 // mockData contains mocks of Envoy supported APIs for Lua filters.
@@ -26,6 +29,14 @@ const (
 //go:embed mocks.lua
 var mockData string
 
+// securityData contains Lua security wrappers that restrict access to sensitive filesystem paths and
+// critical environment variables during Lua code validation in the gateway controller.
+//
+// TODO: Create a configurable set of filesystem paths and environment variables to check for in the proxy apart from default configured here.
+//
+//go:embed security.lua
+var securityData string
+
 // LuaValidator validates user provided Lua for compatibility with Envoy supported Lua HTTP filter
 // Validation strictness is controlled by the validation field
 type LuaValidator struct {
@@ -47,12 +58,12 @@ func (l *LuaValidator) Validate() error {
 		return fmt.Errorf("expected one of %s() or %s() to be defined", envoyOnRequestFunctionName, envoyOnResponseFunctionName)
 	}
 	if strings.Contains(l.code, envoyOnRequestFunctionName) {
-		if err := l.validate(mockData + "\n" + l.code + "\n" + envoyOnRequestFunctionName + "(StreamHandle)"); err != nil {
+		if err := l.validate(l.code + "\n" + envoyOnRequestFunctionName + "(StreamHandle)"); err != nil {
 			return fmt.Errorf("failed to validate with %s: %w", envoyOnRequestFunctionName, err)
 		}
 	}
 	if strings.Contains(l.code, envoyOnResponseFunctionName) {
-		if err := l.validate(mockData + "\n" + l.code + "\n" + envoyOnResponseFunctionName + "(StreamHandle)"); err != nil {
+		if err := l.validate(l.code + "\n" + envoyOnResponseFunctionName + "(StreamHandle)"); err != nil {
 			return fmt.Errorf("failed to validate with %s: %w", envoyOnResponseFunctionName, err)
 		}
 	}
@@ -62,7 +73,7 @@ func (l *LuaValidator) Validate() error {
 // validate runs the validation on given code
 func (l *LuaValidator) validate(code string) error {
 	switch l.getLuaValidation() {
-	case egv1a1.LuaValidationSyntax:
+	case egv1a1.LuaValidationInsecureSyntax:
 		return l.loadLua(code)
 	case egv1a1.LuaValidationDisabled:
 		return nil
@@ -79,22 +90,61 @@ func (l *LuaValidator) getLuaValidation() egv1a1.LuaValidation {
 	return egv1a1.LuaValidationStrict
 }
 
-// newLuaState creates a new Lua state with global settings applied
-func (l *LuaValidator) newLuaState() *lua.LState {
-	L := lua.NewState()
+// newLuaState creates a new Lua state with global settings and resource limits applied
+// Returns the Lua state and a cancel function that must be called when done
+func (l *LuaValidator) newLuaState() (*lua.LState, context.CancelFunc) {
+	// Configure Lua VM with resource limits to prevent DoS
+	L := lua.NewState(lua.Options{
+		CallStackSize:       256,   // Default call stack depth
+		RegistrySize:        5120,  // Default registry size (256 * 20)
+		RegistryMaxSize:     5120,  // Disable registry growth for security
+		RegistryGrowStep:    32,    // Default registry growth step (not used since max = initial)
+		SkipOpenLibs:        false, // We need standard libraries (filtered by security.lua)
+		IncludeGoStackTrace: false, // Don't leak Go stack traces to user errors
+	})
+
+	// Create context with timeout to prevent infinite loops or long-running code
+	ctx, cancel := context.WithTimeout(context.Background(), luaExecutionTimeout)
+	L.SetContext(ctx)
+
 	// Suppress all print statements
 	L.SetGlobal("print", L.NewFunction(func(L *lua.LState) int {
 		return 0
 	}))
-	return L
+	return L, cancel
 }
 
 // runLua interprets and runs the provided Lua code in runtime using gopher-lua
 // Refer: https://github.com/yuin/gopher-lua?tab=readme-ov-file#differences-between-lua-and-gopherlua
 func (l *LuaValidator) runLua(code string) error {
-	L := l.newLuaState()
+	L, cancel := l.newLuaState()
+	defer cancel()
 	defer L.Close()
-	if err := L.DoString(code); err != nil {
+
+	// Execute mocks first (trusted code, needs setmetatable, defines StreamHandle, etc.)
+	_ = L.DoString(mockData)
+	// Execute Lua security wrappers (trusted code) to protect the gateway controller
+	// See security advisory: https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22
+	_ = L.DoString(securityData)
+
+	// Execute user-provided code with panic recovery to prevent controller crashes
+	// Although gopher-lua returns errors if it internally panics,
+	// this is a defensive measure to prevent the controller from crashing.
+	var err error
+	func() {
+		defer func() {
+			if r := recover(); r != nil {
+				err = fmt.Errorf("lua execution panic: %v", r)
+			}
+		}()
+		err = L.DoString(code)
+	}()
+
+	if err != nil {
+		// Check if timeout occurred
+		if L.Context().Err() == context.DeadlineExceeded {
+			return fmt.Errorf("lua execution timeout: code took longer than %v", luaExecutionTimeout)
+		}
 		return err
 	}
 	return nil
@@ -103,7 +153,8 @@ func (l *LuaValidator) runLua(code string) error {
 // loadLua loads the Lua code into the Lua state, does not run it
 // This is used to check for syntax errors in the Lua code
 func (l *LuaValidator) loadLua(code string) error {
-	L := l.newLuaState()
+	L, cancel := l.newLuaState()
+	defer cancel()
 	defer L.Close()
 	if _, err := L.LoadString(code); err != nil {
 		return err
Original file line number	Diff line number	Diff line change
`@@ -265,6 +265,9 @@ type ExtensionAPISettings struct {`
`265`	`265`	`// EnableBackend enables Envoy Gateway to`
`266`	`266`	`// reconcile and implement the Backend resources.`
`267`	`267`	EnableBackend bool `json:"enableBackend"`
	`268`	`+ // DisableLua determines if Lua EnvoyExtensionPolicies should be disabled.`
	`269`	`+ // If set to true, the Lua EnvoyExtensionPolicy feature will be disabled.`
	`270`	+ DisableLua bool `json:"disableLua"`
`268`	`271`	`}`
`269`	`272`
`270`	`273`	`// EnvoyGatewayProvider defines the desired configuration of a provider.`