Summary
JWT filter will lead to an Envoy crash when clear route cache with remote JWKs.
Details and PoC
Fix an issue in JWT filter in the following case:
- remote JWKs are used, which requires async header processing;
clear_route_cache is enabled on the provider;- header operations are enabled in JWT filter, e.g. header to claims feature;
- the routing table is configured in a way that the JWT header operations modify requests to not match any route.
When these conditions are met, a crash is triggered in the upstream code due to nullptr reference conversion from route().
The root cause is the ordering of continueDecoding and clearRouteCache.
When the above conditions are met, the following incorrect sequence occurs:
- JWT filter pauses and then continues header decoding.
- router filter picks a route and starts the upstream request.
- JWT filter clears the route cache.
- upstream request gets pool ready notifications and checks the route again for a setting, but the route is now missing.
Impact
Envoy crashes when JWT filter is used
Reporter
Andreas Moregård ([email protected])
botengyao Coordinator
kyessenov Remediation developer
phlax Coordinator
yanavlasov Remediation reviewer
Summary
JWT filter will lead to an Envoy crash when clear route cache with remote JWKs.
Details and PoC
Fix an issue in JWT filter in the following case:
clear_route_cacheis enabled on the provider;When these conditions are met, a crash is triggered in the upstream code due to
nullptrreference conversion fromroute().The root cause is the ordering of
continueDecodingandclearRouteCache.When the above conditions are met, the following incorrect sequence occurs:
Impact
Envoy crashes when JWT filter is used
Reporter
Andreas Moregård ([email protected])