From 2da07ee48b3d177ed8b6c3f92afc5e992935f38e Mon Sep 17 00:00:00 2001
From: asraa
Date: Thu, 11 Feb 2021 23:25:51 -0500
Subject: [PATCH] [fuzz] remove network filters with low security posture (#14979)
Removes network filters whose security posture is unknown from fuzzing. This should be a requirement to change their posture, but for now it adds too much noise for unmaintained filters.
Risk Level: Low
Testing: n/a
Signed-off-by: Asra Ali
---
 docs/generate_extension_db.py | 20 ++++++++++++++++
 .../common/fuzz/uber_per_readfilter.cc | 24 ++++++++-----------
 2 files changed, 30 insertions(+), 14 deletions(-)
diff --git a/docs/generate_extension_db.py b/docs/generate_extension_db.py
index 9eab52d3d6f3..f1cf8d8cd0d9 100755
--- a/docs/generate_extension_db.py
+++ b/docs/generate_extension_db.py
@@ -6,6 +6,7 @@
 import json
 import os
 import pathlib
+import re
 import shutil
 import subprocess
 import sys
@@ -33,6 +34,21 @@ def IsMissing(value):
 return value == '(missing)'
+def NumReadFiltersFuzzed():
+ data = pathlib.Path(
+ 'test/extensions/filters/network/common/fuzz/uber_per_readfilter.cc').read_text()
+ # Hack-ish! We only search the first 50 lines to capture the filters in filterNames().
+ return len(re.findall('NetworkFilterNames::get()', ''.join(data.splitlines()[:50])))
+
+ def NumRobustToDownstreamNetworkFilters(db):
+ # Count number of network filters robust to untrusted downstreams.
+ return len([
+ ext for ext, data in db.items()
+ if 'network' in ext and data['security_posture'] == 'robust_to_untrusted_downstream'
+ ])
+
+
 def GetExtensionMetadata(target):
 if not BUILDOZER_PATH:
 raise ExtensionDbError('Buildozer not found!')
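Review bot: The pattern handed to re.findall in NumReadFiltersFuzzed is not an escaped literal: in a regex `()` is an empty capture group, so the pattern really matches the bare token `NetworkFilterNames::get`, and findall returns a list of empty-string group captures whose length only happens to equal the match count. A plain substring count states the intent and has no such trap: `return ''.join(data.splitlines()[:50]).count('NetworkFilterNames::get()')`. The 50-line window is coupled to the layout of uber_per_readfilter.cc with nothing but the "Hack-ish" comment holding it in place; if the supported_filter_names initializer ever moves past line 50 the count silently drops and the equality check in the next hunk blocks every db regeneration, so the comment should say explicitly that the window must cover the whole supported_filter_names initializer. Separately, `'network' in ext` in NumRobustToDownstreamNetworkFilters matches any extension name containing that substring, not only network filters; if the db keys carry the usual `envoy.filters.network.` prefix, `ext.startswith('envoy.filters.network.')` would be the precise test.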
@@ -60,6 +76,10 @@ def GetExtensionMetadata(target):
 all_extensions.update(extensions_build_config.EXTENSIONS)
 for extension, target in all_extensions.items():
 extension_db[extension] = GetExtensionMetadata(target)
+ if NumRobustToDownstreamNetworkFilters(extension_db) != NumReadFiltersFuzzed():
+ raise ExtensionDbError('Check that all network filters robust against untrusted'
+ 'downstreams are fuzzed by adding them to filterNames() in'
+ 'test/extensions/filters/network/common/uber_per_readfilter.cc')
 # The TLS and generic upstream extensions are hard-coded into the build, so
 # not in source/extensions/extensions_build_config.bzl
 extension_db['envoy.transport_sockets.tls'] = GetExtensionMetadata(
diff --git a/test/extensions/filters/network/common/fuzz/uber_per_readfilter.cc b/test/extensions/filters/network/common/fuzz/uber_per_readfilter.cc
index be8d0628743f..ad6986c4c22e 100644
--- a/test/extensions/filters/network/common/fuzz/uber_per_readfilter.cc
+++ b/test/extensions/filters/network/common/fuzz/uber_per_readfilter.cc
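Review bot: The ExtensionDbError message is built from adjacent string literals with no separating spaces, so it reads `...robust against untrusteddownstreams ... filterNames() intest/extensions/...`, and the path it names omits the `fuzz/` directory that NumReadFiltersFuzzed actually reads (`test/extensions/filters/network/common/fuzz/uber_per_readfilter.cc`). The three literals should be `'Check that all network filters robust against untrusted '`, `'downstreams are fuzzed by adding them to filterNames() in '` and `'test/extensions/filters/network/common/fuzz/uber_per_readfilter.cc'`. Comparing two counts is also a weak guard: a filter dropping out of the robust set while an unrelated one is added to filterNames() keeps the counts equal and passes, while the new comment in filterNames() says the list may also hold filters still "in the process of being" robust, which would make the strict equality fail; comparing the set of fuzzed filter names against the set of robust network filter names would catch both cases. The collapsed whitespace makes it impossible to tell whether the new `if` sits inside the for loop or after it; it must run after the loop, once extension_db is complete, or the first iteration raises.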
@@ -18,27 +18,23 @@ namespace {
 static const int SecondsPerDay = 86400;
 } // namespace
 std::vector UberFilterFuzzer::filterNames() {
- // These filters have already been covered by this fuzzer.
- // Will extend to cover other network filters one by one.
+ // Add filters that are in the process of being or are robust against untrusted downstream
+ // traffic.
 static std::vector filter_names;
 if (filter_names.empty()) {
 const auto factories = Registry::FactoryRegistry<
 Server::Configuration::NamedNetworkFilterConfigFactory>::factories();
 const std::vector supported_filter_names = {
- NetworkFilterNames::get().ExtAuthorization, NetworkFilterNames::get().LocalRateLimit,
- NetworkFilterNames::get().RedisProxy, NetworkFilterNames::get().ClientSslAuth,
- NetworkFilterNames::get().Echo, NetworkFilterNames::get().DirectResponse,
- NetworkFilterNames::get().DubboProxy, NetworkFilterNames::get().SniCluster,
+ NetworkFilterNames::get().ClientSslAuth,
+ NetworkFilterNames::get().ExtAuthorization,
 // A dedicated http_connection_manager fuzzer can be found in
 // test/common/http/conn_manager_impl_fuzz_test.cc
- NetworkFilterNames::get().HttpConnectionManager, NetworkFilterNames::get().ThriftProxy,
- NetworkFilterNames::get().ZooKeeperProxy, NetworkFilterNames::get().SniDynamicForwardProxy,
- NetworkFilterNames::get().KafkaBroker, NetworkFilterNames::get().RocketmqProxy,
- NetworkFilterNames::get().RateLimit, NetworkFilterNames::get().Rbac,
- NetworkFilterNames::get().MongoProxy, NetworkFilterNames::get().MySQLProxy
- // TODO(jianwendong): add "NetworkFilterNames::get().Postgres" after it supports untrusted
- // data.
- // TODO(jianwendong): add fuzz test for "NetworkFilterNames::get().TcpProxy".
+ NetworkFilterNames::get().HttpConnectionManager,
+ NetworkFilterNames::get().LocalRateLimit,
+ NetworkFilterNames::get().RateLimit,
+ NetworkFilterNames::get().Rbac,
+ NetworkFilterNames::get().TcpProxy,
+ };
 // Check whether each filter is loaded into Envoy.
// Some customers build Envoy without some filters. When they run fuzzing, the use of a filter