Skip to content

mcp_json_rest_bridge: reject path traversal in path-template variables#46067

Open
davidvo-lyft wants to merge 1 commit into
envoyproxy:mainfrom
davidvo-lyft:davidvo/45931-mcp-path-traversal
Open

mcp_json_rest_bridge: reject path traversal in path-template variables#46067
davidvo-lyft wants to merge 1 commit into
envoyproxy:mainfrom
davidvo-lyft:davidvo/45931-mcp-path-traversal

Conversation

@davidvo-lyft

Copy link
Copy Markdown
Contributor

The constructed upstream :path is installed verbatim (Envoy does not re-normalize it), so an unauthenticated client could inject ./.. segments through a path-template variable value and reach unintended upstream endpoints. This rejects ./.. traversal segments in every template variable value, and additionally percent-encodes / in simple variables ({id}) so they cannot span segments.

Scope is deliberately limited to traversal. Two related items I'd like maintainer/security input on before extending (kept out of this PR to keep it reviewable):

  • Wildcard variables ({name=projects/*}) are not validated against their declared pattern, so extra path segments (no ..) can still be injected.
  • Backslash segments are only mitigated by percent-encoding, not the segment check.

Risk Level: Low (extension is alpha; change contained to http_request_builder)
Testing: http_request_builder_test — new red->green cases covering traversal rejection and slash encoding.
Docs Changes: n/a
Release Notes: changelog added

Fixes #45931

The constructed upstream :path is installed verbatim (not re-normalized by
Envoy), so an unauthenticated client could inject '.'/'..' segments through
a path-template variable value and reach unintended upstream endpoints.
Reject '.'/'..' traversal segments in every template variable value, and
additionally percent-encode '/' in simple variables ({id}) so they cannot
span segments.

Known follow-ups (worth maintainer/security input): wildcard variable
values ({name=projects/*}) are not yet validated against their declared
pattern, so extra path segments (no traversal) can still be injected; and
backslash segments are only mitigated by percent-encoding.

Fixes envoyproxy#45931

Signed-off-by: David Vo <davidvo@lyft.com>
@repokitteh-read-only

Copy link
Copy Markdown

Hi @davidvo-lyft, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #46067 was opened by davidvo-lyft.

see: more, trace.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Envoy mcp_json_rest_bridge filter injects unescaped path segments into the upstream request path (unauthenticated)

3 participants