unvalidated user defined headers dangerous

[alyssawilk]

After looking at #4245 I started wondering if we could set up user defined headers which would tickle our new release assert (and formerly OOM). At least in unit test (coming soon) we can.

While hopefully there's sanity checking of user defined config before it hits Envoy, I also think we need some sane limits on user defined headers to reduce the likelihood of malicious users configuring themselves an Envoy Query of Death.

By default I think I'd like a smallish limit on number of user defined headers, length of individual header lines and maybe another one on total header size. I'd lean towards starting restrictive and allowing configuring permissiveness as folks need it but this could break existing behavior so needs some discussion.

@envoyproxy/maintainers

[alyssawilk]

@curiouserrandy @PiotrSikora (for folks looking at user defined headers, and not breaking Istio respectively.)

[mattklein123]

@alyssawilk is there more to do here?

[alyssawilk]

Yes, I believe we should limit the both the number of headers we are willing to alter and the size we are willing to alter. It's still trivial to configure a user-defined-header config which will cause Envoy crashes and better to put limits in Envoy rather than making everyone do their own. I think we can get most of the way there by adding max_bytes and max_items validation on the proto, but there may be other expensive corner cases. I can take those two at least

[mattklein123]

Sure sounds good. No rush.