
Commit 430a0d8

mkralik3jewertow
andauthored
samples: extauthz: do not return request body as a header when it exceeds 60KB (#49363) (#950)
* samples: do not return request body as a header to avoid 431 * Typo fixes --------- Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Jacek Ewertowski <jewertow@redhat.com>
1 parent bf4f207 commit 430a0d8


1 file changed

+12
-3
lines changed

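--- a/samples/extauthz/cmd/extauthz/main.go
+++ b/samples/extauthz/cmd/extauthz/main.go
@@ -187,7 +187,7 @@ func (s *extAuthzServerV3) allow(request *authv3.CheckRequest) *authv3.CheckResp
 {
 Header: &corev3.HeaderValue{
 Key: receivedHeader,
-Value: request.GetAttributes().String(),
+Value: returnIfNotTooLong(request.GetAttributes().String()),
 },
 },
 {
@@ -220,7 +220,7 @@ func (s *extAuthzServerV3) deny(request *authv3.CheckRequest) *authv3.CheckRespo
 {
 Header: &corev3.HeaderValue{
 Key: receivedHeader,
-Value: request.GetAttributes().String(),
+Value: returnIfNotTooLong(request.GetAttributes().String()),
 },
 },
 {
@@ -262,7 +262,7 @@ func (s *ExtAuthzServer) ServeHTTP(response http.ResponseWriter, request *http.R
 if err != nil {
 log.Printf("[HTTP] read body failed: %v", err)
 }
-l := fmt.Sprintf("%s %s%s, headers: %v, body: [%s]\n", request.Method, request.Host, request.URL, request.Header, body)
+l := fmt.Sprintf("%s %s%s, headers: %v, body: [%s]\n", request.Method, request.Host, request.URL, request.Header, returnIfNotTooLong(string(body)))
 if allowedValue == request.Header.Get(checkHeader) {
 log.Printf("[HTTP][allowed]: %s", l)
 response.Header().Set(resultHeader, resultAllowed)
@@ -358,3 +358,12 @@ func main() {
 signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
 <-sigs
 }
+
+func returnIfNotTooLong(body string) string {
+// Maximum size of a header accepted by Envoy is 60KiB, so when the request body is bigger than 60KB,
+// we don't return it in a response header to avoid rejecting it by Envoy and returning 431 to the client
+if len(body) > 60000 {
+return "<too-long>"
+}
+return body
+}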
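Review bot: `returnIfNotTooLong` bounds only one input string, not the header value that is finally sent, so the result can still go over the limit the comment cites. In the `ServeHTTP` hunk it wraps `body` alone while `l` also contains the method, host, URL and every request header; if `l` is later set as a response header (that code is outside the hunk), a request with large headers and a small body still overflows, and as far as I know Envoy's limit covers the headers in total rather than a single value. In `allow` and `deny` the argument is the whole `request.GetAttributes().String()` dump, so the parameter name `body` and the comment are misleading there. The comment also says 60KiB and 60KB while the code compares against 60000; I would name the threshold with headroom, e.g. `const maxEchoedValueBytes = 32 * 1024`, apply the check to the final header value, and document the helper as `// returnIfNotTooLong returns value unchanged, or "<too-long>" when it is larger than maxEchoedValueBytes.`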
