Skip to content

Instantly share code, notes, and snippets.

@incfly

incfly/envoy-filter.yaml

Last active February 6, 2023 20:16
Show Gist options
  • Save incfly/d5f2ca622e35b65e6925be0a2783638a to your computer and use it in GitHub Desktop.
Save incfly/d5f2ca622e35b65e6925be0a2783638a to your computer and use it in GitHub Desktop.
Download ZIP
Raw
envoy-filter.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: lua
spec:
workloadSelector:
labels:
app: httpbin
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value: # lua filter specification
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_request(request_handle)
affected = false
header_name = ""
for key, val in pairs(request_handle:headers()) do
lower = string.lower(val)
if string.find(lower, "jndi") then
affected = true
header_name = key
break
end
if string.find(lower, "${${") or string.find(lower, "${j${") or string.find(lower, "${jn${") or string.find(lower, "${jnd${") or string.find(lower, "${jndi${") then then
affected = true
header_name = key
break
end
end
if affected then
request_handle:respond(
{[":status"] = "400 "},
"Bad Requests.")
end
end
Raw
log4j-detection.md

EnvoyFilter and Log4j CVE

  • Istio deployment & httpbin & sleep.
  • Apply envoyfilter as below.
  • Check requests and ensure they are denied as expected.

Pattern used in the config is found from https://github.com/avinetworks/datascript-library/blob/6740173e98e1ecfa72bdccc0650664d43d31e123/security/check_for_log4j_attacks.md

kex $(kpid sleep) -c sleep -- curl 'httpbin:8000/headers?foo=jndi'
kex $(kpid sleep) -c sleep -- curl 'httpbin:8000/ip' -H "Foo: Jndi"
kex $(kpid sleep) -c sleep -- curl 'httpbin:8000/ip'  -H 'bar: ${${'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment