Backport of [NET-1151 NET-11228] security: Add request normalization …

…and header match options to prevent L7 intentions bypass into release/1.20.x (#21839) backport of commit 9e7757d Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
hashicorp · Oct 16, 2024 · 424f5a8 · 424f5a8
1 parent 2300ed5
commit 424f5a8
Show file tree

Hide file tree

Showing 96 changed files with 5,859 additions and 2,634 deletions.
diff --git a/.changelog/21816.txt b/.changelog/21816.txt
@@ -0,0 +1,9 @@
+```release-note:security
+mesh: Add `http.incoming.requestNormalization` to Mesh configuration entry to support inbound service traffic request normalization. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005) and [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
+```
+```release-note:security
+mesh: Add `contains` and `ignoreCase` to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
+```
+```release-note:breaking-change
+mesh: Enable Envoy `HttpConnectionManager.normalize_path` by default on inbound traffic to mesh proxies. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005).
+```
diff --git a/agent/structs/config_entry_intentions.go b/agent/structs/config_entry_intentions.go
@@ -426,13 +426,15 @@ func (p *IntentionHTTPPermission) Clone() *IntentionHTTPPermission {
 }
 
 type IntentionHTTPHeaderPermission struct {
-	Name    string
-	Present bool   `json:",omitempty"`
-	Exact   string `json:",omitempty"`
-	Prefix  string `json:",omitempty"`
-	Suffix  string `json:",omitempty"`
-	Regex   string `json:",omitempty"`
-	Invert  bool   `json:",omitempty"`
+	Name       string
+	Present    bool   `json:",omitempty"`
+	Exact      string `json:",omitempty"`
+	Prefix     string `json:",omitempty"`
+	Suffix     string `json:",omitempty"`
+	Contains   string `json:",omitempty"`
+	Regex      string `json:",omitempty"`
+	Invert     bool   `json:",omitempty"`
+	IgnoreCase bool   `json:",omitempty" alias:"ignore_case"`
 }
 
 func cloneStringStringMap(m map[string]string) map[string]string {
@@ -880,8 +882,14 @@ func (e *ServiceIntentionsConfigEntry) validate(legacyWrite bool) error {
 				if hdr.Suffix != "" {
 					hdrParts++
 				}
+				if hdr.Contains != "" {
+					hdrParts++
+				}
 				if hdrParts != 1 {
-					return fmt.Errorf(errorPrefix+".Header[%d] should only contain one of Present, Exact, Prefix, Suffix, or Regex", i, j, k)
+					return fmt.Errorf(errorPrefix+".Header[%d] should only contain one of Present, Exact, Prefix, Suffix, Contains, or Regex", i, j, k)
+				}
+				if hdr.IgnoreCase && (hdr.Present || hdr.Regex != "") {
+					return fmt.Errorf(errorPrefix+".Header[%d] should set one of Exact, Prefix, Suffix, or Contains when using IgnoreCase", i, j, k)
 				}
 				permParts++
 			}