auto-merge envoyproxy/envoy[main] into envoyproxy/envoy-openssl[main]

* upstream/main: (28 commits)
  escape invalid host name
  flip oghttp flag
  fix local reply in async client and destroy order
  internal_address_config: change the default to be more secure for service mesh environments
  jwt: fix clear route cache with remote JWKs
  basic_auth: support authorization header override (#36046)
  sec-release: update the Q3 actual security release date (#35909)
  MockDispatcher to not accidentally run on other threads (#36134)
  dns: rename `Success` to `Completed` (#36143)
  build(deps): bump protobuf from 5.28.1 to 5.28.2 in /tools/base (#36207)
  Fewer external deps (#36187)
  build(deps): bump distroless/base-nossl-debian12 from `fb10a97` to `4cc93c5` in /ci (#36206)
  Using drop_overload category in EDS to report drop_overload stats in LRS (#36047)
  python/deps: Update `cryptography` to resolve vulnerabilities (#36180)
  kafka: upgrade to 3.8, add support for more requests (#36166)
  tooling: narrowing exception checks (#36185)
  deps: Bump `rules_rust` -> 0.50.1 (#36194)
  Refactor async files library to use dispatcher for synchronization (#36063)
  upstream-filter: update default upstream filter type (#36186)
  deps: Bump `bazel_features` -> 1.17.0 (#36195)
  ...

.bazelrc

@@ -25,6 +25,7 @@ build --copt=-DABSL_MIN_LOG_LEVEL=4
 build --define envoy_mobile_listener=enabled
 build --experimental_repository_downloader_retries=2
 build --enable_platform_specific_config
+build --incompatible_merge_fixed_and_default_shell_env
 
 # Pass CC, CXX and LLVM_CONFIG variables from the environment.
 # We assume they have stable values, so this won't cause action cache misses.

OWNERS.md

@@ -76,7 +76,6 @@ without further review.
 
 * All senior maintainers
 * Tony Allen ([tonya11en](https://github.com/tonya11en)) (tony@allen.gg)
-* Otto van der Schaaf ([oschaaf](https://github.com/oschaaf)) (oschaaf@redhat.com)
 * Tim Walsh ([twghu](https://github.com/twghu)) (twalsh@redhat.com)
 * Pradeep Rao ([pradeepcrao](https://github.com/pradeepcrao)) (pcrao@google.com)
 * Kateryna Nezdolii ([nezdolik](https://github.com/nezdolik)) (kateryna.nezdolii@gmail.com)

RELEASES.md

@@ -138,6 +138,6 @@ Security releases are published on a 3-monthly cycle, around the mid point betwe
 | Quarter |  Expected  |   Actual   | Difference |
 |:-------:|:----------:|:----------:|:----------:|
 | 2024 Q2 | 2024/06/04 | 2024/06/04 |   0 days   |
-| 2024 Q3 | 2024/09/03 |
+| 2024 Q3 | 2024/09/03 | 2024/09/19 |  16 days   |
 
 NOTE: Zero-day vulnerabilities, and upstream vulnerabilities disclosed to us under embargo, may necessitate an emergency release with little or no warning.

api/bazel/repository_locations.bzl

@@ -79,9 +79,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Google APIs",
         project_desc = "Public interface definitions of Google APIs",
         project_url = "https://github.com/googleapis/googleapis",
-        version = "114a745b2841a044e98cdbb19358ed29fcf4a5f1",
-        sha256 = "9b4e0d0a04a217c06b426aefd03b82581a9510ca766d2d1c70e52bb2ad4a0703",
-        release_date = "2023-01-10",
+        version = "fd52b5754b2b268bc3a22a10f29844f206abb327",
+        sha256 = "97fc354dddfd3ea03e7bf2ad74129291ed6fad7ff39d3bd8daec738a3672eb8a",
+        release_date = "2024-09-16",
         strip_prefix = "googleapis-{version}",
         urls = ["https://github.com/googleapis/googleapis/archive/{version}.tar.gz"],
         use_category = ["api"],

api/envoy/config/listener/v3/quic_config.proto

@@ -25,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: QUIC listener config]
 
 // Configuration specific to the UDP QUIC listener.
-// [#next-free-field: 13]
+// [#next-free-field: 14]
 message QuicProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.QuicProtocolOptions";
@@ -94,4 +94,9 @@ message QuicProtocolOptions {
   // If not specified, no cmsg will be saved to QuicReceivedPacket.
   repeated core.v3.SocketCmsgHeaders save_cmsg_config = 12
       [(validate.rules).repeated = {max_items: 1}];
+
+  // If true, the listener will reject connection-establishing packets at the
+  // QUIC layer by replying with an empty version negotiation packet to the
+  // client.
+  bool reject_new_connections = 13;
 }

api/envoy/extensions/filters/http/basic_auth/v3/basic_auth.proto

@@ -41,6 +41,12 @@ message BasicAuth {
   // If it is not specified, the username will not be forwarded.
   string forward_username_header = 2
       [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
+
+  // This field specifies the request header to load the basic credential from.
+  //
+  // If it is not specified, the filter loads the credential from  the "Authorization" header.
+  string authentication_header = 3
+      [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
 }
 
 // Extra settings that may be added to per-route configuration for

api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto

@@ -684,6 +684,34 @@ message HttpConnectionManager {
   // purposes. If unspecified, only RFC1918 IP addresses will be considered internal.
   // See the documentation for :ref:`config_http_conn_man_headers_x-envoy-internal` for more
   // information about internal/external addresses.
+  //
+  // .. warning::
+  //     In the next release, no IP addresses will be considered trusted. If you have tooling such as probes
+  //     on your private network which need to be treated as trusted (e.g. changing arbitrary x-envoy headers)
+  //     you will have to manually include those addresses or CIDR ranges like:
+  //
+  // .. validated-code-block:: yaml
+  //   :type-name: envoy.extensions.filters.network.http_connection_manager.v3.InternalAddressConfig
+  //
+  //   cidr_ranges:
+  //       address_prefix: 10.0.0.0
+  //       prefix_len: 8
+  //   cidr_ranges:
+  //       address_prefix: 192.168.0.0
+  //       prefix_len: 16
+  //   cidr_ranges:
+  //       address_prefix: 172.16.0.0
+  //       prefix_len: 12
+  //   cidr_ranges:
+  //       address_prefix: 127.0.0.1
+  //       prefix_len: 32
+  //   cidr_ranges:
+  //       address_prefix: fd00::
+  //       prefix_len: 8
+  //   cidr_ranges:
+  //       address_prefix: ::1
+  //       prefix_len: 128
+  //
   InternalAddressConfig internal_address_config = 25;
 
   // If set, Envoy will not append the remote address to the

bazel/EXTERNAL_DEPS.md

@@ -16,7 +16,7 @@ build process.
 1. Define a new Bazel repository in [`bazel/repositories.bzl`](repositories.bzl),
    in the `envoy_dependencies()` function.
 2. Reference your new external dependency in some `envoy_cc_library` via the
-   `external_deps` attribute.
+   `deps` attribute.
 3. `bazel test //test/...`
 
 ## External CMake (preferred)
@@ -28,7 +28,7 @@ This is the preferred style of adding dependencies that use CMake for their buil
 2. Add an `envoy_cmake` rule to [`bazel/foreign_cc/BUILD`](foreign_cc/BUILD). This will reference
    the source repository in step 1.
 3. Reference your new external dependency in some `envoy_cc_library` via the name bound in step 1
-   `external_deps` attribute.
+   `deps` attribute.
 4. `bazel test //test/...`
 
 # Adding external dependencies to Envoy (Python)

bazel/envoy_build_system.bzl

@@ -211,13 +211,13 @@ def envoy_proto_descriptor(name, out, srcs = [], external_deps = []):
     options.extend(["-I" + include_path for include_path in include_paths])
     options.append("--descriptor_set_out=$@")
 
-    cmd = "$(location //external:protoc) " + " ".join(options + input_files)
+    cmd = "$(location @com_google_protobuf//:protoc) " + " ".join(options + input_files)
     native.genrule(
         name = name,
         srcs = srcs,
         outs = [out],
         cmd = cmd,
-        tools = ["//external:protoc"],
+        tools = ["@com_google_protobuf//:protoc"],
     )
 
 # Dependencies on Google grpc should be wrapped with this function.

bazel/envoy_internal.bzl

@@ -166,15 +166,15 @@ def tcmalloc_external_dep(repository):
         repository + "//bazel:disable_tcmalloc": None,
         repository + "//bazel:disable_tcmalloc_on_linux_x86_64": None,
         repository + "//bazel:disable_tcmalloc_on_linux_aarch64": None,
-        repository + "//bazel:debug_tcmalloc": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:debug_tcmalloc_on_linux_x86_64": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:debug_tcmalloc_on_linux_aarch64": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:gperftools_tcmalloc": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:gperftools_tcmalloc_on_linux_x86_64": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:gperftools_tcmalloc_on_linux_aarch64": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:linux_x86_64": envoy_external_dep_path("tcmalloc"),
-        repository + "//bazel:linux_aarch64": envoy_external_dep_path("tcmalloc"),
-        "//conditions:default": envoy_external_dep_path("gperftools"),
+        repository + "//bazel:debug_tcmalloc": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:debug_tcmalloc_on_linux_x86_64": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:debug_tcmalloc_on_linux_aarch64": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:gperftools_tcmalloc": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:gperftools_tcmalloc_on_linux_x86_64": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:gperftools_tcmalloc_on_linux_aarch64": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:linux_x86_64": "@com_github_google_tcmalloc//tcmalloc",
+        repository + "//bazel:linux_aarch64": "@com_github_google_tcmalloc//tcmalloc",
+        "//conditions:default": repository + "//bazel/foreign_cc:gperftools",
     })
 
 # Select the given values if default path normalization is on in the current build.

bazel/envoy_library.bzl

@@ -24,23 +24,23 @@ def tcmalloc_external_deps(repository):
         repository + "//bazel:disable_tcmalloc": [],
         repository + "//bazel:disable_tcmalloc_on_linux_x86_64": [],
         repository + "//bazel:disable_tcmalloc_on_linux_aarch64": [],
-        repository + "//bazel:debug_tcmalloc": [envoy_external_dep_path("gperftools")],
-        repository + "//bazel:debug_tcmalloc_on_linux_x86_64": [envoy_external_dep_path("gperftools")],
-        repository + "//bazel:debug_tcmalloc_on_linux_aarch64": [envoy_external_dep_path("gperftools")],
-        repository + "//bazel:gperftools_tcmalloc": [envoy_external_dep_path("gperftools")],
-        repository + "//bazel:gperftools_tcmalloc_on_linux_x86_64": [envoy_external_dep_path("gperftools")],
-        repository + "//bazel:gperftools_tcmalloc_on_linux_aarch64": [envoy_external_dep_path("gperftools")],
+        repository + "//bazel:debug_tcmalloc": [repository + "//bazel/foreign_cc:gperftools"],
+        repository + "//bazel:debug_tcmalloc_on_linux_x86_64": [repository + "//bazel/foreign_cc:gperftools"],
+        repository + "//bazel:debug_tcmalloc_on_linux_aarch64": [repository + "//bazel/foreign_cc:gperftools"],
+        repository + "//bazel:gperftools_tcmalloc": [repository + "//bazel/foreign_cc:gperftools"],
+        repository + "//bazel:gperftools_tcmalloc_on_linux_x86_64": [repository + "//bazel/foreign_cc:gperftools"],
+        repository + "//bazel:gperftools_tcmalloc_on_linux_aarch64": [repository + "//bazel/foreign_cc:gperftools"],
         repository + "//bazel:linux_x86_64": [
-            envoy_external_dep_path("tcmalloc"),
-            envoy_external_dep_path("tcmalloc_profile_marshaler"),
-            envoy_external_dep_path("tcmalloc_malloc_extension"),
+            "@com_github_google_tcmalloc//tcmalloc",
+            "@com_github_google_tcmalloc//tcmalloc:profile_marshaler",
+            "@com_github_google_tcmalloc//tcmalloc:malloc_extension",
         ],
         repository + "//bazel:linux_aarch64": [
-            envoy_external_dep_path("tcmalloc"),
-            envoy_external_dep_path("tcmalloc_profile_marshaler"),
-            envoy_external_dep_path("tcmalloc_malloc_extension"),
+            "@com_github_google_tcmalloc//tcmalloc",
+            "@com_github_google_tcmalloc//tcmalloc:profile_marshaler",
+            "@com_github_google_tcmalloc//tcmalloc:malloc_extension",
         ],
-        "//conditions:default": [envoy_external_dep_path("gperftools")],
+        "//conditions:default": [repository + "//bazel/foreign_cc:gperftools"],
     })
 
 # Envoy C++ library targets that need no transformations or additional dependencies before being

bazel/envoy_pch.bzl

@@ -27,8 +27,8 @@ def envoy_pch_library(
         name,
         includes,
         deps,
-        external_deps,
         visibility,
+        external_deps = [],
         testonly = False,
         repository = ""):
     native.cc_library(

bazel/envoy_test.bzl

@@ -40,7 +40,7 @@ def _envoy_cc_test_infrastructure_library(
     extra_deps = []
     pch_copts = []
     if disable_pch:
-        extra_deps = [envoy_external_dep_path("googletest")]
+        extra_deps = ["@com_google_googletest//:gtest"]
     else:
         extra_deps = envoy_pch_deps(repository, "//test:test_pch")
         pch_copts = envoy_pch_copts(repository, "//test:test_pch")
@@ -175,9 +175,10 @@ def envoy_cc_test(
         linkopts = _envoy_test_linkopts() + linkopts,
         linkstatic = envoy_linkstatic(),
         malloc = tcmalloc_external_dep(repository),
-        deps = envoy_stdlib_deps() + deps + [envoy_external_dep_path(dep) for dep in external_deps + ["googletest"]] + [
+        deps = envoy_stdlib_deps() + deps + [envoy_external_dep_path(dep) for dep in external_deps] + [
             repository + "//test:main",
             repository + "//test/test_common:test_version_linkstamp",
+            "@com_google_googletest//:gtest",
         ] + envoy_pch_deps(repository, "//test:test_pch"),
         # from https://github.com/google/googletest/blob/6e1970e2376c14bf658eb88f655a054030353f9f/googlemock/src/gmock.cc#L51
         # 2 - by default, mocks act as StrictMocks.

bazel/external/cargo/remote/BUILD.protobuf-2.24.1.bazel

@@ -33,7 +33,7 @@ licenses([
 # buildifier: disable=out-of-order-load
 # buildifier: disable=load-on-top
 load(
-    "@rules_rust//cargo:cargo_build_script.bzl",
+    "@rules_rust//cargo:defs.bzl",
     "cargo_build_script",
 )
 

bazel/external/quiche.BUILD

@@ -2460,10 +2460,7 @@ envoy_quic_cc_library(
         "quiche/quic/core/crypto/quic_compressed_certs_cache.h",
         "quiche/quic/core/crypto/transport_parameters.h",
     ],
-    external_deps = [
-        "ssl",
-        "zlib",
-    ],
+    external_deps = ["ssl"],
     tags = [
         "pg3",
     ],
@@ -2489,6 +2486,7 @@ envoy_quic_cc_library(
         ":quic_core_utils_lib",
         ":quic_core_versions_lib",
         ":quic_platform",
+        "@envoy//bazel/foreign_cc:zlib",
     ],
 )
 
@@ -2502,9 +2500,6 @@ envoy_quic_cc_library(
         "quiche/quic/core/crypto/quic_client_session_cache.h",
         "quiche/quic/core/crypto/quic_crypto_client_config.h",
     ],
-    external_deps = [
-        "zlib",
-    ],
     tags = [
         "pg3",
     ],
@@ -2513,6 +2508,7 @@ envoy_quic_cc_library(
         ":quic_core_crypto_client_proof_source_lib",
         ":quic_core_crypto_crypto_handshake_lib",
         ":quiche_common_platform_client_stats",
+        "@envoy//bazel/foreign_cc:zlib",
     ],
 )
 
@@ -2524,10 +2520,7 @@ envoy_quic_cc_library(
     hdrs = [
         "quiche/quic/core/crypto/quic_crypto_server_config.h",
     ],
-    external_deps = [
-        "ssl",
-        "zlib",
-    ],
+    external_deps = ["ssl"],
     tags = [
         "pg3",
     ],
@@ -2536,6 +2529,7 @@ envoy_quic_cc_library(
         ":quic_core_proto_crypto_server_config_proto_header",
         ":quic_core_server_id_lib",
         ":quic_server_crypto_tls_handshake_lib",
+        "@envoy//bazel/foreign_cc:zlib",
     ],
 )
 
@@ -2658,9 +2652,7 @@ envoy_quic_cc_library(
     name = "quic_core_crypto_proof_source_x509_lib",
     srcs = ["quiche/quic/core/crypto/proof_source_x509.cc"],
     hdrs = ["quiche/quic/core/crypto/proof_source_x509.h"],
-    external_deps = [
-        "ssl",
-    ],
+    external_deps = ["ssl"],
     deps = [
         ":quic_core_crypto_certificate_view_lib",
         ":quic_core_crypto_crypto_handshake_lib",

bazel/foreign_cc/BUILD

@@ -310,8 +310,8 @@ envoy_cmake(
     deps = [
         ":ares",
         ":nghttp2",
+        ":zlib",
         "//external:ssl",
-        "//external:zlib",
     ],
 )
 

bazel/protobuf.patch

@@ -101,12 +101,12 @@ index e7555ee10..a93beb1c5 100644
 diff --git a/src/google/protobuf/io/BUILD.bazel b/src/google/protobuf/io/BUILD.bazel
 --- a/src/google/protobuf/io/BUILD.bazel
 +++ b/src/google/protobuf/io/BUILD.bazel
-@@ -138,7 +138,7 @@ cc_library(
+@@ -138,6 +138,6 @@ cc_library(
          "@com_google_absl//absl/log:absl_log",
      ] + select({
          "//build_defs:config_msvc": [],
 -        "//conditions:default": ["@zlib"],
-+        "//conditions:default": ["//external:zlib"],
++        "//conditions:default": ["@envoy//bazel/foreign_cc:zlib"],
      }),
  )