enable mitigation for CVE-2020-TBD (#862)

Signed-off-by: Xuyang Tao <[email protected]>
GoogleCloudPlatform · Oct 16, 2023 · beb45aa · beb45aa
1 parent f06b698
commit beb45aa
Show file tree

Hide file tree

Showing 8 changed files with 14 additions and 0 deletions.
diff --git a/examples/auth/envoy_config.json b/examples/auth/envoy_config.json
@@ -6,6 +6,7 @@
         "name": "static-runtime",
         "staticLayer": {
           "envoy.reloadable_features.prohibit_route_refresh_after_response_headers_sent": false,
+          "http.max_requests_per_io_cycle": 1,
           "re2.max_program_size.error_level": 1000
         }
       }

diff --git a/examples/dynamic_routing/envoy_config.json b/examples/dynamic_routing/envoy_config.json
@@ -6,6 +6,7 @@
         "name": "static-runtime",
         "staticLayer": {
           "envoy.reloadable_features.prohibit_route_refresh_after_response_headers_sent": false,
+          "http.max_requests_per_io_cycle": 1,
           "re2.max_program_size.error_level": 1000
         }
       }

diff --git a/examples/grpc_dynamic_routing/envoy_config.json b/examples/grpc_dynamic_routing/envoy_config.json
@@ -6,6 +6,7 @@
         "name": "static-runtime",
         "staticLayer": {
           "envoy.reloadable_features.prohibit_route_refresh_after_response_headers_sent": false,
+          "http.max_requests_per_io_cycle": 1,
           "re2.max_program_size.error_level": 1000
         }
       }

diff --git a/examples/service_control/envoy_config.json b/examples/service_control/envoy_config.json
@@ -6,6 +6,7 @@
         "name": "static-runtime",
         "staticLayer": {
           "envoy.reloadable_features.prohibit_route_refresh_after_response_headers_sent": false,
+          "http.max_requests_per_io_cycle": 1,
           "re2.max_program_size.error_level": 1000
         }
       }

diff --git a/examples/testdata/route_match/envoy_config.json b/examples/testdata/route_match/envoy_config.json
@@ -6,6 +6,7 @@
         "name": "static-runtime",
         "staticLayer": {
           "envoy.reloadable_features.prohibit_route_refresh_after_response_headers_sent": false,
+          "http.max_requests_per_io_cycle": 1,
           "re2.max_program_size.error_level": 1000
         }
       }

diff --git a/examples/testdata/sidecar_backend/envoy_config.json b/examples/testdata/sidecar_backend/envoy_config.json
@@ -6,6 +6,7 @@
         "name": "static-runtime",
         "staticLayer": {
           "envoy.reloadable_features.prohibit_route_refresh_after_response_headers_sent": false,
+          "http.max_requests_per_io_cycle": 1,
           "re2.max_program_size.error_level": 1000
         }
       }

diff --git a/src/go/bootstrap/ads/bootstrap_test.go b/src/go/bootstrap/ads/bootstrap_test.go
@@ -71,6 +71,7 @@ func TestCreateBootstrapConfig(t *testing.T) {
             "name": "static-runtime",
             "staticLayer": {
               "envoy.reloadable_features.prohibit_route_refresh_after_response_headers_sent": false,
+          "http.max_requests_per_io_cycle":1,
               "re2.max_program_size.error_level":1000
             }
          }
@@ -172,6 +173,7 @@ func TestCreateBootstrapConfig(t *testing.T) {
             "name": "static-runtime",
             "staticLayer": {
               "envoy.reloadable_features.prohibit_route_refresh_after_response_headers_sent": false,
+          "http.max_requests_per_io_cycle":1,
               "re2.max_program_size.error_level":1000
             }
          }

diff --git a/src/go/bootstrap/layer_runtime.go b/src/go/bootstrap/layer_runtime.go
@@ -44,6 +44,12 @@ func CreateLayeredRuntime() *bootstrappb.LayeredRuntime {
 									BoolValue: false,
 								},
 							},
+							// Enable an Envoy vulnerability mitigation. For details, please see b/299661830.
+							"http.max_requests_per_io_cycle": {
+								Kind: &structpb.Value_NumberValue{
+									NumberValue: 1,
+								},
+							},
 						},
 					},
 				},