fuzz: replace invalid characters in upstream metadata for header parser

[asraa]

Replace invalid header characters in filter metadata strings.

Risk Level: Low
Testing: Add corpus entry
Fixes OSS-Fuzz issue:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15555

[junr03]

@venilnoronha can you give this a first pass?

[venilnoronha]

@junr03 will do.

[venilnoronha]

@asraa I don't seem to have access to https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15555. Can you grant me/fill me about what exactly this PR is fixing?

[asraa]

@asraa I don't seem to have access to https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15555. Can you grant me/fill me about what exactly this PR is fixing?

Yes! Sorry about that. The added testcase causes a crash because of the null character here. Because we are trying to add an "%UPSTREAM_METADATA(...)" header, we move the values of the metadata into headers, and this crashes since headers must be "valid()" (not contain null / newline characters). Here's the stack trace:

[2019-06-08 14:53:26.859][1][critical][assert] [source/common/http/header_map_impl.cc:209] assert failure: valid().
  | AddressSanitizer:DEADLYSIGNAL
  | =================================================================
  | ==1==ERROR: AddressSanitizer: ABRT on unknown address 0x000000000001 (pc 0x7fadbb19c428 bp 0x7ffe42257b30 sp 0x7ffe42257968 T0)
  | SCARINESS: 10 (signal)
  | #0 0x7fadbb19c427 in gsignal /build/glibc-LK5gWL/glibc-2.23/sysdeps/unix/sysv/linux/raise.c:54
  | #1 0x7fadbb19e029 in abort /build/glibc-LK5gWL/glibc-2.23/stdlib/abort.c:89
  | #2 0x1c0c23e in Envoy::Http::HeaderString::setCopy(char const*, unsigned int) /proc/self/cwd/source/common/http/header_map_impl.cc:0
  | #3 0x1c110b3 in Envoy::Http::HeaderMapImpl::setReferenceKey(Envoy::Http::LowerCaseString const&, std::__1::basic_string<char, std::__1::char_traits, std::__1::allocator > const&) /proc/self/cwd/source/common/http/header_map_impl.cc:448:13
  | #4 0x148fd60 in Envoy::Router::HeaderParser::evaluateHeaders(Envoy::Http::HeaderMap&, Envoy::StreamInfo::StreamInfo const&) const /proc/self/cwd/source/common/router/header_parser.cc:269:17
  | #5 0x504e16 in Envoy::Fuzz::(anonymous namespace)::TestOneProtoInput(test::common::router::TestCase const&) /proc/self/cwd/test/common/router/header_parser_fuzz_test.cc:25:13

[venilnoronha]

Do you think we need to handle other recursive types (struct, list, etc.) here?

https://github.com/protocolbuffers/protobuf/blob/2d61b9edd95a688a720132cde6af536fd5b5dc7a/src/google/protobuf/struct.proto#L73-L76

[asraa]

I wasn't too concerned with this as an issue to fuzz over since metadata usually comes from the config (e.g. listenerMetadata(), or routeEntry metadata) or from the connection's streaminfo, so it'd be on the onus of the one configuring Envoy to make sure there's no NUL characters. I would have handled them only if the fuzzer gets blocked on them, but I'm not sure how complicated the fuzzer will get for this case. I could handle them, though, if you think it'd be easier to get done in one PR

[venilnoronha]

I think we can skip this for now then. @junr03 thoughts?

[asraa]

hey! just a ping, would love to move forward.
thanks!

[dio]

@asraa could you please leave a note related to the discussion above? Thanks!

[asraa]

Done! Thank you.

[venilnoronha]

Not sure if it's required. Do you think we need test cases for recursive (struct, list, etc.) types?

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[venilnoronha]

s/It may/It may (two space characters between It and may)

[asraa]

/retest

[repokitteh-read-only]

🔨 rebuilding ci/circleci: asan (failed build)

🐱

Caused by: a #7436 (comment) was created by @asraa.

see: more, trace.

[dio]

🎉