#pragma once

#include "envoy/server/factory_context.h"

namespace Envoy {
namespace Extensions {
namespace Http {
namespace HeaderValidators {
namespace EnvoyDefault {

/**
 * Runtime-controlled switches that keep the default header validator compatible with
 * Envoy's legacy (pre header validator) path handling.
 *
 * Every member is `const`, so the values are fixed when the object is constructed: either
 * the in-class defaults (all `true`) or whatever the runtime snapshot returned at that time.
 * All three flags relax or adjust validation of the request path, so review their effect on
 * path-based matching before changing them.
 */
struct ConfigOverrides {
  // Uses the in-class defaults below (every flag `true`).
  ConfigOverrides() = default;

  // Reads each flag from the given runtime snapshot, passing `true` as the fallback value for
  // all three "envoy.uhv.*" keys.
  // NOTE(review): this single-argument constructor is not `explicit`, so a Snapshot converts
  // implicitly to ConfigOverrides. Consider marking it `explicit` once it is confirmed that no
  // caller depends on the implicit conversion.
  ConfigOverrides(const Envoy::Runtime::Snapshot& snapshot)
      : reject_percent_00_(snapshot.getBoolean("envoy.uhv.reject_percent_00", true)),
        preserve_url_encoded_case_(
            snapshot.getBoolean("envoy.uhv.preserve_url_encoded_case", true)),
        allow_non_compliant_characters_in_path_(
            snapshot.getBoolean("envoy.uhv.allow_non_compliant_characters_in_path", true)) {}

  // Rejects a request as invalid when its URL path contains the %00 sequence. The check only
  // takes place when path normalization is enabled.
  // https://datatracker.ietf.org/doc/html/rfc3986#section-2.1 permits %00; the check exists
  // solely for backward compatibility with legacy path normalization.
  //
  // Currently `true` by default; override with the "envoy.uhv.reject_percent_00" runtime
  // value. The default is planned to change to `false` for RFC compliance.
  //
  // NOTE(review): deployments that depend on this rejection to keep %00 out of upstream
  // requests should verify that path normalization is enabled (the check does not run
  // otherwise) and should pin the runtime value before the default changes.
  const bool reject_percent_00_ = true;

  // Keeps the original letter case of percent-encoded triplets in the URL path, for
  // compatibility with legacy path normalization.
  // https://datatracker.ietf.org/doc/html/rfc3986#section-2.1 states that uppercase
  // hexadecimal digits (A through F) are equivalent to lowercase. Path normalization
  // nevertheless rewrites all hexadecimal digits to uppercase so that percent-encoded
  // triplets are easier to match.
  //
  // Currently `true` by default; override with the "envoy.uhv.preserve_url_encoded_case"
  // runtime value. The default is planned to change to `false` so that path matchers looking
  // for percent-encoded triplets are easier to write.
  //
  // While case is preserved, a matcher that looks for a percent-encoded triplet has to accept
  // both the uppercase and the lowercase spelling of its hexadecimal digits.
  const bool preserve_url_encoded_case_ = true;

  // Validates the :path header against the character set accepted by legacy Envoy codecs
  // (relaxed mode). When false, the header validator checks the URL path according to
  // https://datatracker.ietf.org/doc/html/rfc3986#section-3.3 and rejects requests whose
  // :path header contains characters the RFC does not allow.
  //
  // Currently `true` by default; override with the
  // "envoy.uhv.allow_non_compliant_characters_in_path" runtime value. The default is planned
  // to change to `false` so that Envoy is standard compliant and behaves consistently across
  // all HTTP protocol versions.
  //
  // Additional characters accepted in relaxed mode:
  //   HTTP/1 protocol: " < > [ ] ^ ` { } \ | #
  //   HTTP/2 and HTTP/3 protocols: all characters allowed for HTTP/1, space, TAB
  //   HTTP/2 protocol: also allows all extended ASCII (>= 0x80)
  //
  // NOTE: RFC 3986 does not explicitly prohibit the " < > [ ] ^ ` { } \ | characters, they are
  // simply not part of any defined set. # is only allowed as a fragment separator. Extended
  // ASCII, space and TAB are prohibited.
  //
  // When this flag is true AND path normalization is enabled, Envoy additionally:
  //   1. percent-encodes every additionally allowed character, except [ ] and the backslash,
  //      in the path segment of the URL only. In the query or fragment these characters
  //      remain unencoded.
  //   2. translates the backslash character to / in the path segment.
  //
  // This preserves the existing (pre header validator) Envoy behavior; Envoy's legacy codecs
  // were not compliant with https://datatracker.ietf.org/doc/html/rfc3986#section-3.3.
  //
  // NOTE(review): in relaxed mode the accepted character set differs per HTTP protocol version,
  // and the backslash-to-slash translation only happens when path normalization is enabled.
  // Confirm that path-based matching is evaluated against the normalized path.
  const bool allow_non_compliant_characters_in_path_ = true;
};

} // namespace EnvoyDefault
} // namespace HeaderValidators
} // namespace Http
} // namespace Extensions
} // namespace Envoy