Open jbohanon opened 1 year ago
cc @StarryVae as original implementer cc @wbpcode as commenter suggesting not gating behind API
If there is actually concern about the security, then It's ok to me to add a optional bool to disable the header adding. And before the API is added, you still could disable the adding by the runtime flag envoy.reloadable_features.http_ext_auth_failure_mode_allow_header_add
. Thanks.
sorry for late, i will fix it soon.
Title: Make
ext_authz
failure-mode-allow header configurableDescription:
ext_authz
failure-mode-allow header leaks implementation to potentially untrusted upstreams. It is perhaps unadvisable to use ext_authz with untrusted upstreams, and failure-mode-allow can be disabled.The addition of the
x-envoy-auth-failure-mode-allowed
leaks auth implementation and/or security details to potentially untrusted upstreams.The feature was added in https://github.com/envoyproxy/envoy/pull/26326. A decision was made to not make this permanently configurable here. No method of removing this header is provided without adding a sanitizing filter after all extauth filters.
Reproduction: Run envoy with an ext_authz pointing to a non-existent endpoint and hit an echo server to see the headers received by the upstream when a failure occurs in authz.
Script must be run on Linux and requires node installed on $PATH. Change the envoy download path and/or use docker if desired. Any echo upstream can be used; a node server was provided for completeness.
run-script.sh
```bash #!/bin/bash # Add envoy config yaml cat > ./envoy.yaml <From the output of this script we can see the header is received by the upstream
x-envoy-auth-failure-mode-allowed: true
[optional Relevant Links:]
Implementing PR: https://github.com/envoyproxy/envoy/pull/26326 Comment where decision was made to not make this permanently configurable: https://github.com/envoyproxy/envoy/pull/26326#issuecomment-1492817386