New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
extauthz can't send header values that contains characters of the extended ASCII codes #22996
Comments
Because the type of header value is string and it's different with bytes in proto. See similar problem. #13131 |
Hi @wbpcode, Yes, I already saw the case with the body and how the this would be possible? Thanks in advance. |
I'd like to try and add similar functionality to /assign @RiverPhillips |
RiverPhillips is not allowed to assign users. |
Putting here for discussion: seems like Envoy currently "accepts" non-ASCII header values, which probably shouldn't (?). Reference: https://stackoverflow.com/a/48138818 (Non-ASCII characters are deprecated. You can send them, but there's no guarantee that the recipient will do what you expect it to). Note: a envoy/api/envoy/config/core/v3/base.proto Line 327 in 0d05963
|
Yeah, it seems like the sender would need to encode their headers to send non-ASCII characters as defined in rfc8187 |
I have also run into this issue a few times. That said, where it differs for me is in that it seems to work fine with any utf-8 characters. e.g. I sent the cookie character: 🍪 using its utf-8 encoding: This aligns with my reading of the protobuf code, and with the error message. I'm not sure why the ñ is somehow breaking it. Is it perhaps not encoded as utf-8? Either way, I think that regardless of the validity of the header, the portion of the envoy pipeline responsible for trigger the ext-authz service should be somewhat lenient so that the service itself can decide what to do with the header. This is particularly important for clients/servers which may be substandard in their standards-adherence, but for which a reverse proxy is the only reasonable method to make them work over the Internet. |
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions. |
No stale. |
@MiguelAng86 could you share your config and also the HTTP client you used? I tested this quickly (sorry was not able to report this earlier). I can inspect the check request payload (to a gRPC auth server) has the following entry (no protobuf "encoding" failure):
This is done by running (envoy v1.21.4): envoy -c examples/ext_authz/config/grpc-service/v3.yaml -l trace with a slight change to diff --git a/examples/ext_authz/config/grpc-service/v3.yaml b/examples/ext_authz/config/grpc-service/v3.yaml
index f9e2bea51c..81b5b43cfd 100644
--- a/examples/ext_authz/config/grpc-service/v3.yaml
+++ b/examples/ext_authz/config/grpc-service/v3.yaml
@@ -62,5 +62,5 @@ static_resources:
- endpoint:
address:
socket_address:
- address: ext_authz-grpc-service
+ address: localhost Then sending the request (with that curl -H "example-header: España" localhost:8000 --verbose The full relevant log:
|
I can reproduce it using something like this:
I think the issue here is that it's an invalid utf-8 encoding. I don't know why OP's seemingly good header doesn't work, but I do see cases with garbage values occasionally causing this problem in production. This seems to happen for us when some misbehaving serverside code puts a bad cookie on a domain. Users who hit that case are stuck. Obviously we should fix said misbehaving code, but that cookie being problematic should really only affect the subsystems depending on it, not our core authz subsystem. |
Thanks, @klarose. Will check this. |
Description:
Hi, when I send a request with postman against envoy that contains a header value with any character of the extended ASCII codes, envoy shows this log:
[libprotobuf ERROR external/com_google_protobuf/src/google/protobuf/wire_format_lite.cc:581] String field 'envoy.service.auth.v3.AttributeContext.HttpRequest.HeadersEntry.value' contains invalid UTF-8 data when serializing a protocol buffer. Use the 'bytes' type if you intend to send raw bytes.
I'm using envoy version 1.21.4.
The request contains this value:
example-header: España
Thanks in advance.
The text was updated successfully, but these errors were encountered: