envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

Escape quotes in header fields of access logs #4191

Open aklatt1194 opened 6 years ago

aklatt1194 commented 6 years ago

By default, access log fields are delimited with quotes and spaces. This is customizable for listener access logs but not for admin access logs. However, it is very difficult to parse logs with such a format in a safe way, since externally controlled header values (e.g. User-Agent) may contain unescaped quotes and spaces. For example, a normal access log entry might look something like:

[2018-08-14T23:08:23.803Z] "GET /server_info HTTP/1.1" 200 - 0 92 6 - "192.88.34.220" "curl/7.38.0" "-" "localhost:10000" "-"

However, by changing my user agent, I can easily make the entry look like:

[2018-08-14T23:08:23.803Z] "GET / HTTP/1.1" 200 - 0 4521 0 - "192.88.34.220" "USER_AGENT_I_WANT_YOU_TO_SEE" "AJ" "WAS" "HERE" "-" "localhost:10000" "-"

I believe I could do the same thing (inserting seemingly new tokens) by modifying other headers as well (e.g. X-ENVOY-ORIGINAL-PATH).

At that point, it can become very difficult to safely parse certain information out of the access logs (as there is no way to determine which fields were added by malicious headers).

It seems like escaping quote characters (") in headers before sending them to the access logs would mitigate this issue.

Relevant Links:

Default access log format: https://www.envoyproxy.io/docs/envoy/v1.5.0/configuration/access_log#default-format
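
The parsing problem and the proposed mitigation, as an added example that is not part of the original issue and is not Envoy code: a formatter with and without quote escaping, and a strict parser that refuses entries it cannot read unambiguously. The field names, the backslash escaping scheme and all function names are assumptions made for illustration; the sample values are taken from the two log lines above.

```python
import re

# Field order assumed from the sample entry quoted in the issue (13 fields).
FIELDS = ["start_time", "request", "response_code", "response_flags",
          "bytes_received", "bytes_sent", "duration", "upstream_service_time",
          "x_forwarded_for", "user_agent", "request_id", "authority",
          "upstream_host"]
QUOTED = {"request", "x_forwarded_for", "user_agent", "request_id",
          "authority", "upstream_host"}
# A token is [timestamp], a quoted string (backslash escapes allowed), or a bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

def escape(value):
    """Hypothetical escaping scheme: escape the backslash first, then the quote."""
    return value.replace("\\", "\\\\").replace('"', '\\"')

def unescape(value):
    """Reverse escape(): drop the backslash in front of each escaped character."""
    return re.sub(r"\\(.)", r"\1", value)

def format_entry(values, escaping):
    """Render one entry; escaping=False reproduces the behaviour the issue describes."""
    parts = []
    for name in FIELDS:
        v = values[name]
        if name in QUOTED:
            v = '"%s"' % (escape(v) if escaping else v)
        parts.append(v)
    return " ".join(parts)

def parse_entry(line):
    """Return a field dict, or None when the line cannot be parsed unambiguously."""
    tokens = TOKEN.findall(line)
    if len(tokens) != len(FIELDS):
        return None  # extra or missing tokens: some field boundary is untrustworthy
    entry = {}
    for name, tok in zip(FIELDS, tokens):
        if name in QUOTED:
            if len(tok) < 2 or tok[0] != '"' or tok[-1] != '"':
                return None
            tok = unescape(tok[1:-1])
        entry[name] = tok
    return entry

# Constructed sample values, taken from the two log lines in the issue.
BENIGN = dict(zip(FIELDS, ["[2018-08-14T23:08:23.803Z]", "GET /server_info HTTP/1.1",
    "200", "-", "0", "92", "6", "-", "192.88.34.220", "curl/7.38.0", "-",
    "localhost:10000", "-"]))
TAMPERED = dict(BENIGN, user_agent='USER_AGENT_I_WANT_YOU_TO_SEE" "AJ" "WAS" "HERE')
```

Without escaping, the parser can only reject the tampered entry because the token count no longer matches; with escaping, the same header value round-trips as a single `user_agent` field.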

mattklein123 commented 6 years ago

Somewhat related to https://github.com/envoyproxy/envoy/issues/2692. Agree we can have more escaping options here. There is also obviously the gRPC access logging service which gives you raw/structured data.