Merged
…xy#8922) Signed-off-by: Yuchen Dai <[email protected]> Signed-off-by: Lizan Zhou <[email protected]>
Signed-off-by: Lizan Zhou <[email protected]>
Description: Change (non-existent) https://github.com/eile/tclap/ to https://github.com/mirror/tclap/. I didn't validate the new mirror in any way, but the downloaded release file sha256sum stays the same. In the future the releases should probably be downloaded from the real upstream. However the release 1.2.1 tarball from https://sourceforge.net/projects/tclap/files/ did not have the same sha256sum as the release file which Envoy uses. Risk Level: Medium Testing: N/A Docs Changes: N/A Release Notes: Fixes envoyproxy#9071 Signed-off-by: Ismo Puustinen <[email protected]> Signed-off-by: Lizan Zhou <[email protected]>
Signed-off-by: Lizan Zhou <[email protected]>
Signed-off-by: Yan Avlasov <[email protected]>
Fixes oss-fuzz issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18431. Risk level: Low (no functional change). Testing: Additional unit and integration tests added that cover the :method header overflow case and adjacent behaviors. Corpus entry added. Signed-off-by: Harvey Tuch <[email protected]>
This can happen during certain early reply cases in the HCM when an encoder filter tries to lookup the cached route/cluster. Signed-off-by: Matt Klein <[email protected]>
Signed-off-by: Alyssa Wilk <[email protected]>
Signed-off-by: Yan Avlasov <[email protected]>
Signed-off-by: Yan Avlasov <[email protected]>
Signed-off-by: Matt Klein <[email protected]>
Signed-off-by: Piotr Sikora <[email protected]>
…nvoyproxy#10017) Signed-off-by: Yangmin Zhu <[email protected]>
…rbac (envoyproxy#10010) (envoyproxy#10038) Description: Add a new PathMatcher that strips the query and/or fragment string from the ":path" header before matching, use it in route, JWT and RBAC. Risk Level: Low Testing: Added unit tests and integration tests Docs Changes: Updated types.rst for PathMatcher Release Notes: Updated version_history.rst for RBAC API change Signed-off-by: Yangmin Zhu <[email protected]>
…xy#10201) Signed-off-by: Lizan Zhou <[email protected]>
…proxy#10218) Signed-off-by: Lizan Zhou <[email protected]>
Previously, the update callback was called only when the secret was received for the first time or when its value changed. This meant that if the same secret (e.g. trusted CA) was used in multiple resources, then resources using it but configured after the secret was already received, remained unconfigured until the secret's value changed. The missing callback should have resulted in transport factories stuck in the "not ready" state, however, because of incorrect code, the available secret was processed like inlined validation context, and only rules from the "secret" part of the validation context were applied, leading to a complete bypass of rules from the "default" part. Signed-off-by: Piotr Sikora <[email protected]> Co-authored-by: Oliver Liu <[email protected]>
Given that we allow creating zero byte fragments, it'd be good to proactively drain them. For example if someone is doing timing instrumentation and wants to know when Network::Connection data is written to the kernel, it could be useful to have a zero byte sentinel. Risk Level: Low (I don't think anyone is adding zero byte fragments yet) Testing: new unit test Docs Changes: n/a Release Notes: n/a Signed-off-by: Alyssa Wilk <[email protected]> Signed-off-by: Jianfei Hu <[email protected]> Co-authored-by: Lizan Zhou <[email protected]>
Signed-off-by: Alyssa Wilk <[email protected]> Signed-off-by: Jianfei Hu <[email protected]> Co-authored-by: Lizan Zhou <[email protected]>
Previously, TLS inspector didn't support TLSv1.3 and clients configured to use only TLSv1.3 were not recognized as TLS clients. Because TLS extensions (SNI, ALPN) were not inspected, those connections might have been matched to a wrong filter chain, possibly bypassing some security restrictions in the process. Fixes istio/istio#18695. Signed-off-by: Piotr Sikora <[email protected]>
This is similar to the http2 frame protection, but rather than try to guard [header block || last body bytes || last chunk in chunk encoding || trailer block] depending on end stream, which just gets messy, I opted to just add an empty reference counted fragment after the body was serialized, which appears to work just as well with a small theoretical overhead. If folks think the complexity is warranted I can of course do that instead. Risk Level: Medium Testing: new unit tests, integration test Docs Changes: stats documented Release Notes: added Signed-off-by: Alyssa Wilk <[email protected]> Signed-off-by: Lizan Zhou <[email protected]> Signed-off-by: Jianfei Hu <[email protected]>
Description: Remove empty slices off the end of buffers after calls to OwnedImpl::commit. The slices reserved when OwnedImpl::reserve is called will sit unused in cases where 0 bytes are committed, for example, when socket read returns 0 bytes EAGAIN. Trapped slices act like a memory leak until there is a successful read or the socket is closed. Risk Level: low Testing: unit Docs Changes: n/a Release Notes: n/a Signed-off-by: Antonio Vicente <[email protected]> Signed-off-by: Asra Ali <[email protected]> Signed-off-by: Yangmin Zhu <[email protected]>
… avoid fragmentation (#117) (#127) Change OwnedImpl::move to force a copy instead of taking ownership of slices in cases where the offered slices are below kCopyThreshold Risk Level: medium, changes to buffer behavior Testing: Unit Tests Docs Changes: N/A Release Notes: N/A Signed-off-by: Antonio Vicente <[email protected]> Signed-off-by: Yangmin Zhu <[email protected]>
Signed-off-by: Lizan Zhou <[email protected]>
Cherry-picks: 3804528 and removed Windows from CI. dc197e5 5306563 bc2d1d3 660891e a85f8ec Risk Level: Low Testing: CI Docs Changes: Release Notes: Part of envoyproxy#10741 Signed-off-by: Lizan Zhou <[email protected]> Co-authored-by: Matt Klein <[email protected]> Co-authored-by: Sunjay Bhatia <[email protected]>
Signed-off-by: Lizan Zhou <[email protected]> Signed-off-by: Piotr Sikora <[email protected]>
…#11461) Enables users of tagged releases to stay on the latest release of a major/minor combination Resolves envoyproxy#11091 Signed-off-by: Sunjay Bhatia <[email protected]> Signed-off-by: Piotr Sikora <[email protected]>
…) (envoyproxy#11464) Signed-off-by: Yan Avlasov <[email protected]> Signed-off-by: Piotr Sikora <[email protected]>
See release notes at https://github.com/nghttp2/nghttp2/releases/tag/v1.41.0. This addresses GHSA-q5wr-xfw9-q7xr. Set nghttp2 internal flood mitigation threshold back to 10K to avoid any changes in Envoy's codec behavior. Signed-off-by: Harvey Tuch <[email protected]> Signed-off-by: Yan Avlasov <[email protected]> Signed-off-by: Piotr Sikora <[email protected]>
Signed-off-by: Piotr Sikora <[email protected]>
Signed-off-by: Piotr Sikora <[email protected]>
This patch separates the Resource class from the resource manager implementation and allows for resource limit tracking in other parts of the code base. Signed-off-by: Tony Allen <[email protected]> Signed-off-by: Lizan Zhou <[email protected]>
Add support for per-listener limits on accepted connections. Signed-off-by: Tony Allen <[email protected]> Signed-off-by: Lizan Zhou <[email protected]>
This patch adds support for global accepted connection limits. May be configured simultaneously with per-listener connection limits and enforced separately. If the global limit is unconfigured, Envoy will emit a warning during start-up. Global downstream connection count tracking (across all listeners and threads) is performed by the network listener implementation upon acceptance of a socket. The mapping of active socket objects to the actual accepted downstream sockets is assumed to remain bijective. Given that characteristic, the connection counts are tied to the lifetime of the objects. Signed-off-by: Tony Allen <[email protected]> Signed-off-by: Dmitri Dolguikh <[email protected]>
…eject partial headers that exceed configured limits (#145) Improve the robustness of HTTP1 request and response header size checks by including the request URL in the request header size, and add missing header size check when parsing header field names. The missing header field name size check can result in excessive buffering up to a hard-coded 32MB limit until timeout. The missing request URL size check can result in Envoy attempting to route match and proxy HTTP/1.1 requests with URLs up to a hard-coded 32MB limit, which could result in excess memory usage or performance problems in regex route matches. Signed-off-by: Antonio Vicente <[email protected]> Signed-off-by: John Plevyak <[email protected]>
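An added illustration of the two checks the commit message above describes, written for this page as a simplified model and not taken from Envoy's codec. The fragment stream, the `Policy` flags, the 60 KiB limit and the sample inputs are all constructed assumptions.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Simplified model: each Fragment stands for one parser callback delivering
// part of the URL, a header field name, or a header value.
enum class Kind { Url, Field, Value };
struct Fragment { Kind kind; std::size_t len; };

struct Policy {
  bool count_url;       // charge URL bytes against the header size limit
  bool check_on_field;  // enforce the limit while a field name is still arriving
};
constexpr Policy kBefore{false, false};  // behaviour the message describes as missing checks
constexpr Policy kAfter{true, true};     // URL counted, field names checked

struct Outcome { bool rejected; std::size_t buffered; };

// Walks the fragments and reports whether the request was rejected and how
// many bytes had been buffered by that point (or by the end of input).
Outcome feed(const std::vector<Fragment>& frags, std::size_t limit, Policy p) {
  std::size_t charged = 0, buffered = 0;
  for (const Fragment& f : frags) {
    buffered += f.len;
    if (f.kind != Kind::Url || p.count_url) charged += f.len;
    const bool check = f.kind == Kind::Value ||
                       (f.kind == Kind::Field && p.check_on_field) ||
                       (f.kind == Kind::Url && p.count_url);
    if (check && charged > limit) return {true, buffered};
  }
  return {false, buffered};
}

// Constructed sample inputs.
constexpr std::size_t kLimit = 60 * 1024;  // assumed configured header limit
constexpr std::size_t kChunk = 16 * 1024;  // assumed read size per callback

// A header field name that never terminates: no value callback ever fires.
std::vector<Fragment> fieldNameFlood() {
  return std::vector<Fragment>(1000, Fragment{Kind::Field, kChunk});
}
// A 128 KiB URL followed by one small header.
std::vector<Fragment> longUrlRequest() {
  std::vector<Fragment> r(8, Fragment{Kind::Url, kChunk});
  r.push_back({Kind::Field, 4});
  r.push_back({Kind::Value, 11});
  return r;
}
std::vector<Fragment> normalRequest() {
  return {{Kind::Url, 20}, {Kind::Field, 4}, {Kind::Value, 11}};
}

int main() {
  const Outcome a = feed(fieldNameFlood(), kLimit, kBefore);
  const Outcome b = feed(fieldNameFlood(), kLimit, kAfter);
  std::printf("field flood  before: rejected=%d buffered=%zu\n", a.rejected, a.buffered);
  std::printf("field flood  after:  rejected=%d buffered=%zu\n", b.rejected, b.buffered);
  const Outcome c = feed(longUrlRequest(), kLimit, kBefore);
  const Outcome d = feed(longUrlRequest(), kLimit, kAfter);
  std::printf("long URL     before: rejected=%d buffered=%zu\n", c.rejected, c.buffered);
  std::printf("long URL     after:  rejected=%d buffered=%zu\n", d.rejected, d.buffered);
  return 0;
}
```

In the model, the stricter policy rejects as soon as the running total crosses the limit, so buffering stays within one read of the configured size instead of growing until some outer cap or timeout.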
…ation due to tracking of H2 data and control frames in the output buffer (#144) Add a drain hook to Buffer::OwnedImpl for use by H2 codec to track when data and control frames are sent on the wire. Tracking frames this way avoids high-memory usage due to output buffer fragmentation. Signed-off-by: Antonio Vicente <[email protected]> Signed-off-by: John Plevyak <[email protected]>
This commit adds a new stream flush timeout to guard against a remote server that does not open window once an entire stream has been buffered for flushing. Additional stats have also been added to better understand the codec's view of active streams as well as amount of data buffered. Signed-off-by: Matt Klein <[email protected]> Signed-off-by: Dmitri Dolguikh <[email protected]>
This patch separates the Resource class from the resource manager implementation and allows for resource limit tracking in other parts of the code base. Signed-off-by: Tony Allen <[email protected]> Signed-off-by: Lizan Zhou <[email protected]> Co-authored-by: Lizan Zhou <[email protected]>
Signed-off-by: John Plevyak <[email protected]>
Signed-off-by: Matt Klein <[email protected]> Signed-off-by: Piotr Sikora <[email protected]>
Merge v1.12
…backport-1.4 Signed-off-by: John Plevyak <[email protected]>
Backport 1.4
/test test-tsan_envoy_release-1.4
bianpengyuan pushed a commit to bianpengyuan/envoy that referenced this pull request Apr 15, 2021
Commit Message: Fixing a crash when the decoder receives an empty metadata map. Additional Description: Upon receiving an empty metadata map and trying to decode it an assertion is triggered in debug mode, and a seg-fault occurs in release mode. The proposed fix ignores the empty metadata maps and updates a stat if one is received. Risk Level: Medium for Envoys running with Metadata support. Testing: Added integration tests. Docs Changes: Added a codec stats counter description. Release Notes: Added bug fix description. Platform Specific Features: N/A. Fixes a fuzz bug: 25303 Signed-off-by: Tony Allen <[email protected]>
bianpengyuan pushed a commit to bianpengyuan/envoy that referenced this pull request Apr 15, 2021
istio#252) Commit Message: Fixing a crash when the decoder receives an empty metadata map. Additional Description: Upon receiving an empty metadata map and trying to decode it an assertion is triggered in debug mode, and a seg-fault occurs in release mode. The proposed fix ignores the empty metadata maps and updates a stat if one is received. Risk Level: Medium for Envoys running with Metadata support. Testing: Added integration tests. Docs Changes: Added a codec stats counter description. Release Notes: Added bug fix description. Platform Specific Features: N/A. Fixes a fuzz bug: 25303 Signed-off-by: Tony Allen <[email protected]>
istio-testing pushed a commit that referenced this pull request Apr 15, 2021
* backport to 1.17: http: Fixing empty metadata map handling (#230) (#252) Commit Message: Fixing a crash when the decoder receives an empty metadata map. Additional Description: Upon receiving an empty metadata map and trying to decode it an assertion is triggered in debug mode, and a seg-fault occurs in release mode. The proposed fix ignores the empty metadata maps and updates a stat if one is received. Risk Level: Medium for Envoys running with Metadata support. Testing: Added integration tests. Docs Changes: Added a codec stats counter description. Release Notes: Added bug fix description. Platform Specific Features: N/A. Fixes a fuzz bug: 25303 Signed-off-by: Tony Allen <[email protected]>
* ssl: fix crash when peer sends an SSL Alert with an un… (#262) Fix for CVE-2021-28683 (crash when peer sends an SSL Alert with an unknown code) Signed-off-by: Greg Greenway <[email protected]> Co-authored-by: Christoph Pakulski <[email protected]> Signed-off-by: Tony Allen <[email protected]>
* grpc: fix grpc-timeout integer overflow (#254) Fixes CVE-2021-28682, a remotely exploitable integer overflow. Signed-off-by: Asra Ali <[email protected]> Co-authored-by: Tony Allen <[email protected]> Co-authored-by: Christoph Pakulski <[email protected]> Signed-off-by: Tony Allen <[email protected]> Co-authored-by: Tony Allen <[email protected]> Co-authored-by: Rei Shimizu <[email protected]> Co-authored-by: Christoph Pakulski <[email protected]>
istio-testing pushed a commit that referenced this pull request Apr 16, 2021
* http: Fixing empty metadata map handling (#230) #250 Commit Message: Fixing a crash when the decoder receives an empty metadata map. Additional Description: Upon receiving an empty metadata map and trying to decode it an assertion is triggered in debug mode, and a seg-fault occurs in release mode. The proposed fix ignores the empty metadata maps and updates a stat if one is received. Risk Level: Medium for Envoys running with Metadata support. Testing: Added integration tests. Docs Changes: Added a codec stats counter description. Release Notes: Added bug fix description. Platform Specific Features: N/A. Fixes a fuzz bug: 25303 Signed-off-by: Tony Allen <[email protected]>
* grpc: fix grpc-timeout integer overflow (#255) Fixes CVE-2021-28682, a remotely exploitable integer overflow. Signed-off-by: Asra Ali <[email protected]> Signed-off-by: Tony Allen <[email protected]>
* ssl: fix crash when peer sends an SSL Alert with an unknown code (#259) Fixes CVE-2021-28683 (crash when peer sends an SSL Alert with an unknown code) Signed-off-by: Shikugawa <[email protected]> Co-authored-by: Christoph Pakulski <[email protected]> Signed-off-by: Tony Allen <[email protected]> Co-authored-by: Tony Allen <[email protected]> Co-authored-by: Rei Shimizu <[email protected]> Co-authored-by: Christoph Pakulski <[email protected]>
Monkeyanator pushed a commit to Monkeyanator/envoy that referenced this pull request Apr 19, 2021
Commit Message: Fixing a crash when the decoder receives an empty metadata map. Additional Description: Upon receiving an empty metadata map and trying to decode it an assertion is triggered in debug mode, and a seg-fault occurs in release mode. The proposed fix ignores the empty metadata maps and updates a stat if one is received. Risk Level: Medium for Envoys running with Metadata support. Testing: Added integration tests. Docs Changes: Added a codec stats counter description. Release Notes: Added bug fix description. Platform Specific Features: N/A. Fixes a fuzz bug: 25303 Signed-off-by: Tony Allen <[email protected]>
Monkeyanator pushed a commit to Monkeyanator/envoy that referenced this pull request Apr 20, 2021
Commit Message: Fixing a crash when the decoder receives an empty metadata map. Additional Description: Upon receiving an empty metadata map and trying to decode it an assertion is triggered in debug mode, and a seg-fault occurs in release mode. The proposed fix ignores the empty metadata maps and updates a stat if one is received. Risk Level: Medium for Envoys running with Metadata support. Testing: Added integration tests. Docs Changes: Added a codec stats counter description. Release Notes: Added bug fix description. Platform Specific Features: N/A. Fixes a fuzz bug: 25303 Signed-off-by: Tony Allen <[email protected]>
istio-testing pushed a commit that referenced this pull request Apr 20, 2021
* http: Fixing empty metadata map handling (#230) (#248) Commit Message: Fixing a crash when the decoder receives an empty metadata map. Additional Description: Upon receiving an empty metadata map and trying to decode it an assertion is triggered in debug mode, and a seg-fault occurs in release mode. The proposed fix ignores the empty metadata maps and updates a stat if one is received. Risk Level: Medium for Envoys running with Metadata support. Testing: Added integration tests. Docs Changes: Added a codec stats counter description. Release Notes: Added bug fix description. Platform Specific Features: N/A. Fixes a fuzz bug: 25303 Signed-off-by: Adi Suissa-Peleg <[email protected]> Co-authored-by: Tony Allen <[email protected]> Signed-off-by: Tony Allen <[email protected]>
* backport 1.14: grpc: fix grpc-timeout integer-overflow (#257) Fixes CVE-2021-28682, a remotely exploitable integer overflow. Signed-off-by: Asra Ali <[email protected]> Co-authored-by: Tony Allen <[email protected]> Signed-off-by: Tony Allen <[email protected]>
* v1.14.7 release Signed-off-by: Tony Allen <[email protected]> Co-authored-by: Adi (Suissa) Peleg <[email protected]> Co-authored-by: Tony Allen <[email protected]> Co-authored-by: Rei Shimizu <[email protected]>