kgateway-dev · davidjumani · Jun 14, 2024 · Jun 14, 2024 · Jun 14, 2024 · Jun 14, 2024
diff --git a/changelog/v1.16.16/add-host-rewrite-header.yaml b/changelog/v1.16.16/add-host-rewrite-header.yaml
@@ -0,0 +1,11 @@
+changelog:
+- type: FIX
+  issueLink: https://github.com/solo-io/gloo/issues/9579
+  resolvesIssue: false
+  description: >-
+    Adds the `host_rewrite_header` to the route options to allow envoy to swapped the host header with the content of given downstream or custom header. Pay attention to the potential security implications of using this option. Provided header must come from trusted source.
+- type: FIX
+  issueLink: https://github.com/solo-io/gloo/issues/9622
+  resolvesIssue: true
+  description: >-
+    Previously, header names consisting of invalid characters such as '()[]:;,<=>' were accepted when passed via the healthCheck or headerManipulation `requestHeadersToAdd` parameter. This resulted in envoy throwing an `invalid header name` error. Now, header names are validated according to RFC 9110, which is the same validation used by envoy. If a header name consisting of invalid characters is passed via the aforementioned parameters, it is caught and rejected in edge and does not propagate to envoy.
diff --git a/.../reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options.proto.sk.md b/.../reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options.proto.sk.md
diff --git a/docs/content/static/content/osa_provided.md b/docs/content/static/content/osa_provided.md
@@ -43,9 +43,9 @@ Name|Version|License
 [spf13/pflag](https://github.com/spf13/pflag)|v1.0.5|BSD 3-clause "New" or "Revised" License
 [spf13/viper](https://github.com/spf13/viper)|v1.8.1|MIT License
 [go.opencensus.io](https://go.opencensus.io)|v0.24.0|Apache License 2.0
-[go.uber.org/goleak](https://go.uber.org/goleak)|v1.2.1|MIT License
+[go.uber.org/goleak](https://go.uber.org/goleak)|v1.3.0|MIT License
 [go.uber.org/multierr](https://go.uber.org/multierr)|v1.11.0|MIT License
-[go.uber.org/zap](https://go.uber.org/zap)|v1.25.0|MIT License
+[go.uber.org/zap](https://go.uber.org/zap)|v1.27.0|MIT License
 [x/crypto](https://golang.org/x/crypto)|v0.17.0|BSD 3-clause "New" or "Revised" License
 [x/exp](https://golang.org/x/exp)|v0.0.0-20220921164117-439092de6870|BSD 3-clause "New" or "Revised" License
 [x/sync](https://golang.org/x/sync)|v0.3.0|BSD 3-clause "New" or "Revised" License

diff --git a/go.mod b/go.mod
@@ -63,9 +63,9 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.8.1
 	go.opencensus.io v0.24.0
-	go.uber.org/goleak v1.2.1
+	go.uber.org/goleak v1.3.0
 	go.uber.org/multierr v1.11.0
-	go.uber.org/zap v1.25.0
+	go.uber.org/zap v1.27.0
 	golang.org/x/crypto v0.17.0
 	golang.org/x/sync v0.3.0
 	golang.org/x/tools v0.10.0

diff --git a/go.sum b/go.sum
@@ -709,8 +709,6 @@ github.com/aws/aws-sdk-go v1.34.9 h1:cUGBW9CVdi0mS7K1hDzxIqTpfeWhpoQiguq81M1tjK0
 github.com/aws/aws-sdk-go v1.34.9/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
-github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
-github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -1986,8 +1984,9 @@ go.uber.org/goleak v1.1.11-0.20210813005559-691160354723/go.mod h1:cwTWslyiVhfpK
 go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/goleak v1.1.12/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/goleak v1.2.0/go.mod h1:XJYK+MuIchqpmGmUSAzotztawfKvYLUIgg7guXrwVUo=
-go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -1998,8 +1997,8 @@ go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
 go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 go.uber.org/zap v1.19.1/go.mod h1:j3DNczoxDZroyBnOT1L/Q79cfUMGZxlv/9dzN7SM1rI=
 go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
-go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c=
-go.uber.org/zap v1.25.0/go.mod h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 goji.io v2.0.0+incompatible/go.mod h1:sbqFwrtqZACxLBTQcdgVjFh54yGVCvwq8+w49MVMMIk=
 goji.io v2.0.2+incompatible/go.mod h1:sbqFwrtqZACxLBTQcdgVjFh54yGVCvwq8+w49MVMMIk=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=

diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_RouteOption.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_RouteOption.yaml
@@ -384,6 +384,9 @@ spec:
                     type: object
                   hostRewrite:
                     type: string
+                  hostRewriteHeader:
+                    nullable: true
+                    type: string
                   hostRewritePathRegex:
                     properties:
                       pattern:

diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_RouteTable.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_RouteTable.yaml
@@ -493,6 +493,9 @@ spec:
                           type: object
                         hostRewrite:
                           type: string
+                        hostRewriteHeader:
+                          nullable: true
+                          type: string
                         hostRewritePathRegex:
                           properties:
                             pattern:

diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_VirtualService.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_VirtualService.yaml
@@ -2907,6 +2907,9 @@ spec:
                               type: object
                             hostRewrite:
                               type: string
+                            hostRewriteHeader:
+                              nullable: true
+                              type: string
                             hostRewritePathRegex:
                               properties:
                                 pattern:

diff --git a/pkg/utils/api_conversion/type.go b/pkg/utils/api_conversion/type.go
@@ -7,6 +7,7 @@ import (
 	envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
 	envoytype_gloo "github.com/solo-io/gloo/projects/gloo/pkg/api/external/envoy/type"
 	v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1"
+	"github.com/solo-io/gloo/projects/gloo/pkg/plugins/utils/headers"
 	envoycore_sk "github.com/solo-io/solo-kit/pkg/api/external/envoy/api/v2/core"
 	"github.com/solo-io/solo-kit/pkg/errors"
 )
@@ -71,6 +72,15 @@ func ToEnvoyHeaderValueOptionList(option []*envoycore_sk.HeaderValueOption, secr
 	return result, nil
 }
 
+// validateCustomHeaders checks whether the custom header is allowed to be modified as per https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#custom-request-response-headers
+// and validates the whether the header will be accepted by envoy
+func validateCustomHeaders(header envoycore_sk.HeaderValue) error {
+	if err := CheckForbiddenCustomHeaders(header); err != nil {
+		return err
+	}
+	return headers.ValidateHeaderKey(header.GetKey())
+}
+
 // CheckForbiddenCustomHeaders checks whether the custom header is allowed to be modified as per https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#custom-request-response-headers
 func CheckForbiddenCustomHeaders(header envoycore_sk.HeaderValue) error {
 	key := header.GetKey()
@@ -90,7 +100,7 @@ func ToEnvoyHeaderValueOptions(option *envoycore_sk.HeaderValueOption, secrets *
 
 	switch typedOption := option.GetHeaderOption().(type) {
 	case *envoycore_sk.HeaderValueOption_Header:
-		if err := CheckForbiddenCustomHeaders(*typedOption.Header); err != nil {
+		if err := validateCustomHeaders(*typedOption.Header); err != nil {
 			return nil, err
 		}
 		return []*envoy_config_core_v3.HeaderValueOption{

diff --git a/projects/gloo/api/v1/options.proto b/projects/gloo/api/v1/options.proto
@@ -410,6 +410,11 @@ message RouteOptions {
         // Indicates that during forwarding, the host header will be swapped with the result of the regex
         // substitution executed on path value with query and fragment removed.
         .solo.io.envoy.type.matcher.v3.RegexMatchAndSubstitute host_rewrite_path_regex = 101;
+
+        // Indicates that during forwarding, the host header will be swapped with the content of given downstream or custom header.
+        // If header value is empty, host header is left intact.
+        // Using this option will append the x-forwarded-host header if append_x_forwarded_host is set.
+        google.protobuf.StringValue host_rewrite_header = 147;
     };
     // If true and there is a host rewrite, appends the x-forwarded-host header to requests.
     google.protobuf.BoolValue append_x_forwarded_host = 146;

diff --git a/projects/gloo/pkg/api/v1/options.pb.clone.go b/projects/gloo/pkg/api/v1/options.pb.clone.go
diff --git a/projects/gloo/pkg/api/v1/options.pb.equal.go b/projects/gloo/pkg/api/v1/options.pb.equal.go