From 94abd78af5c42caf41c63794389a881ac9a0fae7 Mon Sep 17 00:00:00 2001
From: Zach <zasweq@google.com>
Date: Tue, 13 Oct 2020 15:18:07 +0000
Subject: [PATCH 1/2] Added validation for secrets

Signed-off-by: Zach <zasweq@google.com>
---
 api/envoy/extensions/transport_sockets/tls/v3/secret.proto | 6 +++++-
 .../extensions/transport_sockets/tls/v4alpha/secret.proto  | 3 ++-
 .../envoy/extensions/transport_sockets/tls/v3/secret.proto | 6 +++++-
 .../extensions/transport_sockets/tls/v4alpha/secret.proto  | 3 ++-
 .../clusterfuzz-testcase-filter_fuzz_test-5681522444861440 | 7 +++++++
 .../http/common/fuzz/filter_corpus/oauth_crash-test        | 0
 6 files changed, 21 insertions(+), 4 deletions(-)
 create mode 100644 test/extensions/filters/http/common/fuzz/filter_corpus/clusterfuzz-testcase-filter_fuzz_test-5681522444861440
 create mode 100644 test/extensions/filters/http/common/fuzz/filter_corpus/oauth_crash-test

diff --git a/api/envoy/extensions/transport_sockets/tls/v3/secret.proto b/api/envoy/extensions/transport_sockets/tls/v3/secret.proto
index 80c68a56f5ce..f25370c3c9f6 100644
--- a/api/envoy/extensions/transport_sockets/tls/v3/secret.proto
+++ b/api/envoy/extensions/transport_sockets/tls/v3/secret.proto
@@ -12,6 +12,7 @@ import "udpa/annotations/migrate.proto";
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
 
 option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
 option java_outer_classname = "SecretProto";
@@ -33,7 +34,10 @@ message SdsSecretConfig {
   // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
   // When both name and config are specified, then secret can be fetched and/or reloaded via
   // SDS. When only name is specified, then secret will be loaded from static resources.
-  string name = 1 [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"];
+  string name = 1 [
+    (validate.rules).string = {min_len: 1},
+    (udpa.annotations.field_migrate).oneof_promotion = "name_specifier"
+  ];
 
   // Resource locator for SDS. This is mutually exclusive to *name*.
   // [#not-implemented-hide:]
diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/secret.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/secret.proto
index 11306f21415a..9848eaadef0b 100644
--- a/api/envoy/extensions/transport_sockets/tls/v4alpha/secret.proto
+++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/secret.proto
@@ -11,6 +11,7 @@ import "udpa/core/v1/resource_locator.proto";
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
 
 option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha";
 option java_outer_classname = "SecretProto";
@@ -35,7 +36,7 @@ message SdsSecretConfig {
     // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
     // When both name and config are specified, then secret can be fetched and/or reloaded via
     // SDS. When only name is specified, then secret will be loaded from static resources.
-    string name = 1;
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     // Resource locator for SDS. This is mutually exclusive to *name*.
     // [#not-implemented-hide:]
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/secret.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/secret.proto
index 80c68a56f5ce..f25370c3c9f6 100644
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/secret.proto
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/secret.proto
@@ -12,6 +12,7 @@ import "udpa/annotations/migrate.proto";
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
 
 option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
 option java_outer_classname = "SecretProto";
@@ -33,7 +34,10 @@ message SdsSecretConfig {
   // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
   // When both name and config are specified, then secret can be fetched and/or reloaded via
   // SDS. When only name is specified, then secret will be loaded from static resources.
-  string name = 1 [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"];
+  string name = 1 [
+    (validate.rules).string = {min_len: 1},
+    (udpa.annotations.field_migrate).oneof_promotion = "name_specifier"
+  ];
 
   // Resource locator for SDS. This is mutually exclusive to *name*.
   // [#not-implemented-hide:]
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/secret.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/secret.proto
index 11306f21415a..9848eaadef0b 100644
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/secret.proto
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/secret.proto
@@ -11,6 +11,7 @@ import "udpa/core/v1/resource_locator.proto";
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
 
 option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha";
 option java_outer_classname = "SecretProto";
@@ -35,7 +36,7 @@ message SdsSecretConfig {
     // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
     // When both name and config are specified, then secret can be fetched and/or reloaded via
     // SDS. When only name is specified, then secret will be loaded from static resources.
-    string name = 1;
+    string name = 1 [(validate.rules).string = {min_len: 1}];
 
     // Resource locator for SDS. This is mutually exclusive to *name*.
     // [#not-implemented-hide:]
diff --git a/test/extensions/filters/http/common/fuzz/filter_corpus/clusterfuzz-testcase-filter_fuzz_test-5681522444861440 b/test/extensions/filters/http/common/fuzz/filter_corpus/clusterfuzz-testcase-filter_fuzz_test-5681522444861440
new file mode 100644
index 000000000000..60ffb84c5ac3
--- /dev/null
+++ b/test/extensions/filters/http/common/fuzz/filter_corpus/clusterfuzz-testcase-filter_fuzz_test-5681522444861440
@@ -0,0 +1,7 @@
+config {
+  name: "envoy.filters.http.oauth"
+  typed_config {
+    type_url: "type.googleapis.com/envoy.extensions.filters.http.oauth2.v3alpha.OAuth2"
+    value: "\n\306\t\022\006\022\001(\032\001r\032<\n\035envoy.filters.\360\222\213\217Qgrpc_stats\022\r\022\013\022\002\010\006\"\005\010\200\200\200\001\032\014\022\n\n\001t\"\005\010\200\200\200\001\"\006\022\001(\032\001r*\005\n\003:\001=2\351\010\n\346\010*\343\010\n\010\n\006\010\200\200\200\200\004\022\326\010^^^^^j!^^.*..............................................*............................config {\n  name: \"envoy.filters.http.jwt_authn\"\n  typed....._config {\n    type_url: \"type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAu........[thentication\"\n    value: \"\\n=\\n\\022not_health_check_f\\022\\\'\\032\\010\\n\\006\\n\\004\\177\\177\\177\\177B\\033envoyype/matcher/v3/number.\\n1\\n\\0A_]^06\\000\\000\\000\\000\\000\\002\\022\\\'\\032\\010\\n\\006\\n\\004\\177\\177\\177\\177B\\033envoyype/matche!^^.*..............................................*............................config {\n  name: \"envoy.filters.http.jwt_authn\"\n  typed....._config {\n    type_url: \"type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAu........[thentication\"\n    value: \"\\n=\\n\\022not_health_check_f\\022\\\'\\032\\010\\n\\006\\n\\004\\177\\177\\177\\177B\\033envoyype/matcher/v3/number.\\n1\\n\\0A_]^06\\000\\000\\000\\000\\000\\002\\022\\\'\\032\\010\\n\\006\\n\\004\\177\\177\\177\\177B\\033envoyype/matcher/v3/number.\\n+\\n\\000\\022\\\'\\032\\010\\n\\006\\n\\004\\177\\177\\177\\177B\\r/v3/number.\\n+\\n\\000\\022\\\'\\032\\010\\n\\006\\n\\004\\177\\177\\177\\177B\\033envoyype/matcher/v3/number.\"\n  }\n}\nB\003\n\001A"
+  }
+}
diff --git a/test/extensions/filters/http/common/fuzz/filter_corpus/oauth_crash-test b/test/extensions/filters/http/common/fuzz/filter_corpus/oauth_crash-test
new file mode 100644
index 000000000000..e69de29bb2d1

From 167dc01e8d1c35b852c2218e6eaf4ec5a749f84b Mon Sep 17 00:00:00 2001
From: Zach <zasweq@google.com>
Date: Tue, 13 Oct 2020 15:20:59 +0000
Subject: [PATCH 2/2] Deleted a corpus entry

Signed-off-by: Zach <zasweq@google.com>
---
 .../filters/http/common/fuzz/filter_corpus/oauth_crash-test       | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 test/extensions/filters/http/common/fuzz/filter_corpus/oauth_crash-test

diff --git a/test/extensions/filters/http/common/fuzz/filter_corpus/oauth_crash-test b/test/extensions/filters/http/common/fuzz/filter_corpus/oauth_crash-test
deleted file mode 100644
index e69de29bb2d1..000000000000