Summary
ProcessorClientImpl::start() in source/extensions/filters/common/ext_proc/grpc_client_impl.h returns nullptr without invoking onGrpcError or onGrpcClose when getOrCreateRawAsyncClientWithHashKey() returns an error (e.g. cluster lookup failure, raw async-client construction failure). The downstream Filter::openStream() in source/extensions/filters/http/ext_proc/ext_proc.cc treats stream_object == nullptr with no prior callback as IgnoreError and short-circuits the request through — regardless of the operator's failure_mode_allow setting.
Net effect: any failure_mode_allow=false deployment silently fails open on client-creation errors instead of rejecting the request as configured.
Filed in the open per maintainer redirect
Originally reported privately via GHSA-jp7j-jw2q-9494. @yanjunxiang-google closed the advisory and asked for this to land in the open as a regular bug fix since the issue is not externally exploitable (only fires on operator-side configuration errors).
Reproduction
- Configure ext_proc filter with
failure_mode_allow: false.
- Point ext_proc at a non-existent cluster (or any config that causes
getOrCreateRawAsyncClientWithHashKey() to error).
- Send a request through the filter.
- Expected: request rejected per
failure_mode_allow=false.
- Actual: request admitted (filter silently continues).
Proposed fix
PR forthcoming. Adds callbacks.onGrpcError(Internal, ...) on the failure branch in ProcessorClientImpl::start(), gated behind envoy.reloadable_features.ext_proc_report_client_creation_error (default true) per CONTRIBUTING.md guidance for user-visible protocol-processing changes.
Summary
ProcessorClientImpl::start()insource/extensions/filters/common/ext_proc/grpc_client_impl.hreturnsnullptrwithout invokingonGrpcErrororonGrpcClosewhengetOrCreateRawAsyncClientWithHashKey()returns an error (e.g. cluster lookup failure, raw async-client construction failure). The downstreamFilter::openStream()insource/extensions/filters/http/ext_proc/ext_proc.cctreatsstream_object == nullptrwith no prior callback asIgnoreErrorand short-circuits the request through — regardless of the operator'sfailure_mode_allowsetting.Net effect: any
failure_mode_allow=falsedeployment silently fails open on client-creation errors instead of rejecting the request as configured.Filed in the open per maintainer redirect
Originally reported privately via GHSA-jp7j-jw2q-9494. @yanjunxiang-google closed the advisory and asked for this to land in the open as a regular bug fix since the issue is not externally exploitable (only fires on operator-side configuration errors).
Reproduction
failure_mode_allow: false.getOrCreateRawAsyncClientWithHashKey()to error).failure_mode_allow=false.Proposed fix
PR forthcoming. Adds
callbacks.onGrpcError(Internal, ...)on the failure branch inProcessorClientImpl::start(), gated behindenvoy.reloadable_features.ext_proc_report_client_creation_error(defaulttrue) per CONTRIBUTING.md guidance for user-visible protocol-processing changes.