solo-io/gloo

Invalid UTF-8 in Apikeys leaks through and stops translation

kevin-shelaga opened this issue · 4 comments

Gloo Edge Product

Enterprise

Gloo Edge Version

1.17.1

Kubernetes Version

1.28

Describe the bug

If apikey auth is used and the data of one of the apikey secrets is badly encoded, it can cause a dpanic in gloo.

{"level":"dpanic","ts":"2024-09-25T21:46:52.187Z","logger":"gloo-ee.v1.event_loop.setup.gloosnapshot.event_loop.extAuthTranslatorSyncer","caller":"extauth/extauth_translator_syncer.go:111","msg":"error trying to hash snapshot resources for extauth translation","version":"1.17.1","error":"marshalling envoy snapshot components: string field contains invalid UTF-8","errorVerbose":"marshalling envoy snapshot components\n\tgloosnapshot.ApiSyncers.Sync:/go/pkg/mod/github.com/solo-io/gloo@v1.17.4/projects/gloo/pkg/api/v1/gloosnapshot/api_event_loop.sk.go:50\n\tsyncer.(*translatorSyncer).Sync:/go/pkg/mod/github.com/solo-io/gloo@v1.17.4/projects/gloo/pkg/syncer/translator_syncer.go:139\n\tsyncer.(*translatorSyncer).syncExtensions:/go/pkg/mod/github.com/solo-io/gloo@v1.17.4/projects/gloo/pkg/syncer/translator_syncer.go:165\n\textauth.(*translatorSyncerExtension).Sync:/go/src/github.com/solo-io/solo-projects/projects/gloo/pkg/syncer/extauth/extauth_translator_syncer.go:109\n\ttranslator.EnvoyCacheResourcesListToFnvHa...
{"level":"dpanic","ts":"2024-09-25T21:47:03.282Z","caller":"translator/translator.go:348","msg":"marshalling envoy snapshot components: string field contains invalid UTF-8","stacktrace":"github.com/solo-io/gloo/projects/gloo/pkg/translator.EnvoyCacheResourcesListToFnvHash\n\t/go/pkg/mod/github.com/solo-io/gloo@v1.17.4/projects/gloo/pkg/translator/translator.go:348\ngithub.com/solo-io/solo-projects/projects/gloo/pkg/syncer/extauth.(*translatorSyncerExtension).Sync\n\t/go/src/github.com/solo-io/solo-projects/projects/gloo/pkg/syncer/extauth/extauth_translator_syncer.go:109\ngithub.com/solo-io/gloo/projects/gloo/pkg/syncer.(*translatorSyncer).syncExtensions\n\t/go/pkg/mod/github.com/solo-io/gloo@v1.17.4/projects/gloo/pkg/syncer/translator_syncer.go:165\ngithub.com/solo-io/gloo/projects/gloo/pkg/syncer.(*translatorSyncer).Sync\n\t/go/pkg/mod/github.com/solo-io/gloo@v1.17.4/projects/gloo/pkg/syncer/translator_syncer.go:139\ngithub.com/solo-io/gloo/projects/gloo/pkg/api/v1/gloosnapshot.ApiSyncers.Sync\n\t/go/pkg

Expected Behavior

Gloo should log an error and not crash

Steps to reproduce the bug

secret snippet

data:
  api-key: zde1ogq5ngqtztqzys00nzvlltkyyzitywu2ywy5ytdlzjzm
type: extauth.solo.io/apikey

Additional Environment Detail

No response

Additional Context

Envoy config dump found here: https://solo-io.zendesk.com/agent/tickets/4585

Zendesk ticket #4585 has been linked to this issue.

dpanic isn't a crash though... it only panics when set to debug mode?

That being said, this can stall translation as the final syncer cannot complete.

Confirmed that our current hasher does not have a clean step to elide non-utf8.

We may want to do something better with our CRD -> proto conversion as it shouldn't let non-utf8 through in general.
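The kind of check the last comment asks for, as an added example that is not Gloo's code: each secret value is validated as UTF-8 before it could reach a protobuf string field, and a bad secret is rejected by name so the remaining keys still translate. The function names `decodeAPIKey`, `filterAPIKeys` and `sampleSecrets` and the secret names are hypothetical; the first sample value is the one from the issue's snippet, the second is constructed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"unicode/utf8"
)

// decodeAPIKey (hypothetical helper) base64-decodes one Secret data value and
// rejects it unless the bytes are valid UTF-8, because a protobuf string
// field holding other bytes fails to marshal. The key is never put in the error.
func decodeAPIKey(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", fmt.Errorf("not base64: %w", err)
	}
	if !utf8.Valid(raw) {
		return "", errors.New("decoded value is not valid UTF-8")
	}
	return string(raw), nil
}

// filterAPIKeys keeps the usable keys and returns the sorted names of the
// rejected secrets, so the caller can log them and keep translating the rest.
func filterAPIKeys(secrets map[string]string) (map[string]string, []string) {
	valid := map[string]string{}
	var rejected []string
	for name, b64 := range secrets {
		key, err := decodeAPIKey(b64)
		if err != nil {
			rejected = append(rejected, name)
			continue
		}
		valid[name] = key
	}
	sort.Strings(rejected)
	return valid, rejected
}

// sampleSecrets: "from-issue" is the value in the issue; the other is constructed.
func sampleSecrets() map[string]string {
	return map[string]string{
		"from-issue":     "zde1ogq5ngqtztqzys00nzvlltkyyzitywu2ywy5ytdlzjzm",
		"constructed-ok": base64.StdEncoding.EncodeToString([]byte("constructed-key")),
	}
}

func main() {
	valid, rejected := filterAPIKeys(sampleSecrets())
	fmt.Println("accepted:", len(valid), "rejected:", rejected)
}
```

The issue's value is well-formed base64, so only the UTF-8 check on the decoded bytes catches it.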