Use of grpc-stats filter with untrusted clients can cause unbounded growth of stat names

[ggreenway]

Description:
The grpc-stats filter creates stats with names based on client-provided data (grpc service/method names).

An untrusted client could send a stream of requests with unique names, causing a stat to be allocated in envoy for each one. This increases memory use, and load on the stats pipeline, and could be used to cause a denial-of-service.

[ggreenway]

cc @kyessenov

[kyessenov]

I think we should add an option to stop emitting per-method stat? WDYT?
Per-method stats are useful for trusted clients, but exposes a potential vector at the ingress.

[ggreenway]

I propose adding an optional whitelist of service/method names.

In addition to removing the potential for unbounded growth, it could also improve performance because the stats could be pre-allocated and kept in a filter-local read-only lookup table with no locking.

[mattklein123]

My advice would be to both have an option to stop emitting per-method stats and also have an option of an allow list for which service/methods are allowed. This will be the most flexible.

Even if we don't have time to implement as part of the primary PR, can we also audit all of the grpc filters for similar issues? I think we might want a common config structure we could use in other places in the future?

[ggreenway]

@kyessenov @mattklein123 here's what I have come up with for a config. Let me know what you think.

message FilterConfig {
  // If true, the filter maintains a filter state object with the request and response message
  // counts.
  bool emit_filter_state = 1;

  message ServiceAndMethods {
    message Methods {
      string service_name = 1;

      repeated string method_names = 2;
    };

    repeated Methods methods = 1;
  };

  oneof per_method_stat_mode {
    // If set, specifies a whitelist of service/methods that will have individual stats
    // emitted for them. Any call that does not match the whitelist will be counted
    // in a stat with no method specifier: cluster.<name>.grpc.*
    ServiceAndMethods stats_whitelist = 2;

    // If set, emit stats for all service/method names.
    //
    // .. attention::
    //   This option is only safe if all clients are trusted. If this option
    //   is enabled with untrusted clients, the clients could cause unbounded
    //   growth in the number of stats in Envoy, using unbounded memory and
    //   potentially slowing down stats pipelines.
    //
    // .. attention::
    //   If neither `stats_whitelist` nor `stats_for_all_methods` is set,
    //   the behavior will default to `stats_for_all_methods=true`. This default value
    //   is deprecated, and in a future release, if neither field is set, it
    //   will default to `stats_for_all_methods=false` in order to be safe by default.
    //   This behavior can be controlled with runtime override
    //   `envoy.reloadable_features.grpc_stats_filter_disable_stats_for_all_methods_by_default`.
    bool stats_for_all_methods = 3;
  }
}

[kyessenov]

LGTM. The one thing I was looking for is how to share the method white list between filters and routes. I imagine it's generally useful (e.g. rate limiting) and is much more light-weight than the protobuf descriptor.

[ggreenway]

I'll make the ServiceAndMethods message separate from this filter (put it somewhere common). Then it can be used for this, route whitelist, and other grpc-related filter stats if someone takes that on in the future.