http, url: Bring back chromium_url and http_parser_parse_url (#198)

* Revert GURL as HTTP URL parser utility This reverts: 1. commit c9c4709 2. commit d828958 3. commit 2d69e30 Signed-off-by: Dhi Aurrahman <dio@tetrate.io>
envoyproxy · Sep 29, 2020 · 3b5acb2 · 3b5acb2
1 parent 2c60632
commit 3b5acb2
Show file tree

Hide file tree

Showing 40 changed files with 1,490 additions and 401 deletions.
diff --git a/.bazelrc b/.bazelrc
@@ -35,9 +35,6 @@ build --action_env=CXX
 build --action_env=LLVM_CONFIG
 build --action_env=PATH
 
-# Skip system ICU linking.
-build --@com_googlesource_googleurl//build_config:system_icu=0
-
 # Common flags for sanitizers
 build:sanitizer --define tcmalloc=disabled
 build:sanitizer --linkopt -ldl
@@ -141,7 +138,7 @@ build:coverage --strategy=CoverageReport=sandboxed,local
 build:coverage --experimental_use_llvm_covmap
 build:coverage --collect_code_coverage
 build:coverage --test_tag_filters=-nocoverage
-build:coverage --instrumentation_filter="//source(?!/extensions/quic_listeners/quiche/platform)[/:],//include[/:]"
+build:coverage --instrumentation_filter="//source(?!/common/chromium_url|/extensions/quic_listeners/quiche/platform)[/:],//include[/:]"
 coverage:test-coverage --test_arg="-l trace"
 coverage:fuzz-coverage --config=plain-fuzzer
 coverage:fuzz-coverage --run_under=@envoy//bazel/coverage:fuzz_coverage_wrapper.sh

diff --git a/bazel/external/googleurl.patch b/bazel/external/googleurl.patch
diff --git a/bazel/external/icuuc.BUILD b/bazel/external/icuuc.BUILD
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
@@ -227,7 +227,6 @@ def envoy_dependencies(skip_targets = []):
     _repository_impl("bazel_compdb")
     _repository_impl("envoy_build_tools")
     _repository_impl("rules_cc")
-    _org_unicode_icuuc()
 
     # Unconditional, since we use this only for compiler-agnostic fuzzing utils.
     _org_llvm_releases_compiler_rt()
@@ -750,8 +749,6 @@ def _com_googlesource_quiche():
 def _com_googlesource_googleurl():
     _repository_impl(
         name = "com_googlesource_googleurl",
-        patches = ["@envoy//bazel/external:googleurl.patch"],
-        patch_args = ["-p1"],
     )
     native.bind(
         name = "googleurl",
@@ -926,12 +923,6 @@ filegroup(
         **_get_location("kafka_python_client")
     )
 
-def _org_unicode_icuuc():
-    _repository_impl(
-        name = "org_unicode_icuuc",
-        build_file = "@envoy//bazel/external:icuuc.BUILD",
-    )
-
 def _foreign_cc_dependencies():
     _repository_impl("rules_foreign_cc")
 

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -738,18 +738,6 @@ DEPENDENCY_REPOSITORIES_SPEC = dict(
         last_updated = "2020-08-26",
         use_category = ["test"],
     ),
-    org_unicode_icuuc = dict(
-        project_name = "International Components for Unicode",
-        project_desc = "International Components for Unicode",
-        project_url = "https://github.com/unicode-org/icu",
-        version = "67.1",
-        strip_prefix = "icu",
-        sha256 = "94a80cd6f251a53bd2a997f6f1b5ac6653fe791dfab66e1eb0227740fb86d5dc",
-        urls = ["https://github.com/unicode-org/icu/releases/download/release-{dash_version}/icu4c-{underscore_version}-src.tgz"],
-        use_category = ["dataplane"],
-        last_updated = "2020-04-22",
-        cpe = "cpe:2.3:a:icu-project:international_components_for_unicode:*",
-    ),
     proxy_wasm_cpp_sdk = dict(
         project_name = "WebAssembly for Proxies (C++ SDK)",
         project_desc = "WebAssembly for Proxies (C++ SDK)",

diff --git a/ci/run_clang_tidy.sh b/ci/run_clang_tidy.sh
@@ -50,13 +50,19 @@ function exclude_headersplit_testdata() {
   grep -v tools/envoy_headersplit/
 }
 
+# Do not run clang-tidy against Chromium URL import, this needs to largely
+# reflect the upstream structure.
+function exclude_chromium_url() {
+  grep -v source/common/chromium_url/
+}
+
 # Exclude files in third_party which are temporary forks from other OSS projects.
 function exclude_third_party() {
   grep -v third_party/
 }
 
 function filter_excludes() {
-  exclude_check_format_testdata | exclude_headersplit_testdata | exclude_win32_impl | exclude_macos_impl | exclude_third_party
+  exclude_check_format_testdata | exclude_headersplit_testdata | exclude_chromium_url | exclude_win32_impl | exclude_macos_impl | exclude_third_party
 }
 
 function run_clang_tidy() {

diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
@@ -54,6 +54,7 @@ Bug Fixes
 * fault: fixed an issue with `active_faults` gauge not being decremented for when abort faults were injected.
 * fault: made the HeaderNameValues::prefix() method const.
 * grpc-web: fixed an issue with failing HTTP/2 requests on some browsers. Notably, WebKit-based browsers (https://bugs.webkit.org/show_bug.cgi?id=210108), Internet Explorer 11, and Edge (pre-Chromium).
+* http: fixed CVE-2020-25018 by rolling back the ``GURL`` dependency to previous state (reverted: ``2d69e30``, ``d828958``, and ``c9c4709`` commits) due to potential of crashing when Unicode URIs are present in requests.
 * http: made the HeaderValues::prefix() method const.
 * jwt_authn: supports jwt payload without "iss" field.
 * listener: fixed crash at listener inplace update when connetion load balancer is set.

diff --git a/source/common/chromium_url/BUILD b/source/common/chromium_url/BUILD
@@ -0,0 +1,28 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_package()
+
+envoy_cc_library(
+    name = "chromium_url",
+    srcs = [
+        "url_canon.cc",
+        "url_canon_internal.cc",
+        "url_canon_path.cc",
+        "url_canon_stdstring.cc",
+    ],
+    hdrs = [
+        "envoy_shim.h",
+        "url_canon.h",
+        "url_canon_internal.h",
+        "url_canon_stdstring.h",
+        "url_parse.h",
+        "url_parse_internal.h",
+    ],
+    deps = ["//source/common/common:assert_lib"],
+)
diff --git a/source/common/chromium_url/LICENSE b/source/common/chromium_url/LICENSE
@@ -0,0 +1,27 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//    * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//    * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//    * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/source/common/chromium_url/README.md b/source/common/chromium_url/README.md
@@ -0,0 +1,16 @@
+This is a manually minified variant of
+https://chromium.googlesource.com/chromium/src.git/+archive/74.0.3729.15/url.tar.gz,
+providing just the parts needed for `url::CanonicalizePath()`. This is intended
+to support a security release fix for CVE-2019-9901. Long term we need this to
+be moved to absl or QUICHE for upgrades and long-term support.
+
+Some specific transforms of interest:
+* The namespace `url` was changed to `chromium_url`.
+* `url_parse.h` is minified to just `Component` and flattened back into the URL
+  directory. It does not contain any non-Chromium authored code any longer and
+  so does not have a separate LICENSE.
+* `envoy_shim.h` adapts various macros to the Envoy context.
+* Anything not reachable from `url::CanonicalizePath()` has been dropped.
+* Header include paths have changed as needed.
+* BUILD was manually written.
+* Various clang-tidy and format fixes.
diff --git a/source/common/chromium_url/envoy_shim.h b/source/common/chromium_url/envoy_shim.h
@@ -0,0 +1,17 @@
+#pragma once
+
+#include "common/common/assert.h"
+
+// This is a minimal Envoy adaptation layer for the Chromium URL library.
+// NOLINT(namespace-envoy)
+
+#define DISALLOW_COPY_AND_ASSIGN(TypeName)                                                         \
+  TypeName(const TypeName&) = delete;                                                              \
+  TypeName& operator=(const TypeName&) = delete
+
+#define EXPORT_TEMPLATE_DECLARE(x)
+#define EXPORT_TEMPLATE_DEFINE(x)
+#define COMPONENT_EXPORT(x)
+
+#define DCHECK(x) ASSERT(x)
+#define NOTREACHED() NOT_REACHED_GCOVR_EXCL_LINE
diff --git a/source/common/chromium_url/url_canon.cc b/source/common/chromium_url/url_canon.cc
@@ -0,0 +1,16 @@
+// Envoy snapshot of Chromium URL path normalization, see README.md.
+// NOLINT(namespace-envoy)
+
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "common/chromium_url/url_canon.h"
+
+#include "common/chromium_url/envoy_shim.h"
+
+namespace chromium_url {
+
+template class EXPORT_TEMPLATE_DEFINE(COMPONENT_EXPORT(URL)) CanonOutputT<char>;
+
+} // namespace chromium_url