Envoy tap filter threat model clarifications #12920

Closed
lhluo opened this issue Sep 1, 2020 · 9 comments
Labels
area/tap, stale

Comments

@lhluo
Contributor

lhluo commented Sep 1, 2020

Hi Envoy team, we're working on a custom filter extension that is modeled after the Tap filter. In Envoy's threat model page, I see that envoy.filters.http.tap should "only be used when both the downstream and upstream are trusted". One of our top requirements is system security with untrusted downstreams. I dug into the tap filter implementation but couldn't identify any obvious attack vectors (admittedly C++ security is not my area of expertise).

I've posted to Slack but this might be a better place to pose the question. Wondering if anyone with more familiarity can comment on the security implications of the tap filter? What are the risks of using a tap filter with an untrusted downstream?

@mattklein123
Member

It's only noted that because it hasn't been hardened. There may be buffering issues that need to be looked at, etc.

@lhluo
Contributor Author

lhluo commented Sep 1, 2020

@mattklein123 thanks for the answer. Could you clarify on what hardened means? How can we help harden this filter against untrusted downstreams?

@mattklein123
Member

> Could you clarify on what hardened means? How can we help harden this filter against untrusted downstreams?

Run it in production, audit it for security/unlimited buffering/etc. issues.

@lhluo
Contributor Author

lhluo commented Sep 1, 2020

I'm assuming other "hardened" filters have undergone the above auditing?
Is there a standard process we use to audit Envoy filters? Or case-by-case basis?

@mattklein123
Member

I wish I had an official checklist for you but I don't. cc @htuch as such a checklist would be pretty nice from an extension maturity level tracking perspective.

@htuch
Member

htuch commented Sep 2, 2020

I've opened #12962 to track this, with some suggestions to start things off.

@stale

stale bot commented Oct 4, 2020

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

stale bot added the stale label Oct 4, 2020
mattklein123 removed the stale label Dec 9, 2020
@github-actions

github-actions bot commented Jan 8, 2021

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions bot added the stale label Jan 8, 2021
@github-actions

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.
