Backport of Disable remote proxy patching except AWS Lambda into release/1.15.x

[hc-github-team-consul-core]

Backport

This PR is auto-generated from #17415 to be assessed for backporting due to the inclusion of the label backport/1.15.

🚨

Warning automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@zalimeni
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.

---

To avoid unintended tampering with remote downstreams via service config, refactor BasicEnvoyExtender and RuntimeConfig to disallow typical Envoy extensions from being applied to non-local proxies.

Continue to allow this behavior for AWS Lambda and the read-only Validate builtin extensions.

Addresses CVE-2023-2816.

Description

This change addresses CVE-2023-2816 and prevents future bugs by refactoring Envoy extender code and RuntimeConfig to:

• Prevent all but specific allowed extensions (AWS Lambda and Validate pseudo-extension) from interacting w/ downstream proxies via upstream config.
• Clearly disambiguate between the source of Envoy extension config (local or upstream) and Envoy resource traffic direction.

Testing & Reproduction steps

• Manual verification of fix by attempted reproduction post-fix
• Tests added and updated in this PR to guard intended behavior

PR Checklist

• updated test coverage
• external facing docs updated
• appropriate backport labels added
• not a security concern (addresses existing security concern)

---

Overview of commits

• ba18381

[hashicorp-cla]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

---

temp seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.

_{Have you signed the CLA already but the status is still pending? Recheck it.}

[github-team-consul-core-pr-approver]

Auto approved Consul Bot automated PR