[release/v1.6] cherry-pick security patch for v1.6.2 (#7920)

* Merge commit from fork

* Runs Lua `Strict` validation in the gateway along with a security hardening module. This module blocks dangerous Lua functionality that may lead to arbitrary code execution on the controller pods.
* Renamed `Syntax` to `InsecureSyntax` validation mode to signify that in this mode Lua won't be validated for possible security gaps. Won't be breaking as `Syntax` mode was not available for use yet. Added a similar warning to `Disabled` validation mode as well.
* Supports option to `disableLua` EnvoyExtensionPolicies feature in the gateway to eliminate arbitrary Lua execution as an attack surface.

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

* [release/v1.6] v1.6.2 release notes update (#7923)

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

---------

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

Author: rudrakhp

api/v1alpha1/envoygateway_types.go

@@ -251,6 +251,9 @@ type ExtensionAPISettings struct {
 	// EnableBackend enables Envoy Gateway to
 	// reconcile and implement the Backend resources.
 	EnableBackend bool `json:"enableBackend"`
+	// DisableLua determines if Lua EnvoyExtensionPolicies should be disabled.
+	// If set to true, the Lua EnvoyExtensionPolicy feature will be disabled.
+	DisableLua bool `json:"disableLua"`
 }
 
 // EnvoyGatewayProvider defines the desired configuration of a provider.

api/v1alpha1/envoyproxy_types.go

@@ -176,23 +176,29 @@ type EnvoyProxySpec struct {
 	LuaValidation *LuaValidation `json:"luaValidation,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=Strict;Disabled
+// +kubebuilder:validation:Enum=Strict;InsecureSyntax;Disabled
 type LuaValidation string
 
 const (
 	// LuaValidationStrict is the default level and checks for issues during script execution.
-	// Recommended if your scripts only use the standard Envoy Lua stream handle API.
+	// Recommended if your scripts only use the standard Envoy Lua stream handle API and no external libraries.
 	// For supported APIs, see: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api
+	// INFO: This validation mode executes Lua scripts from EnvoyExtensionPolicy (EEP) resources in the gateway controller.
+	// Since the Gateway controller watches EEPs across all namespaces (or namespaces matching the configured selector),
+	// unprivileged users can create EEPs in their namespaces and cause arbitrary Lua code to execute in the Gateway controller process.
+	// Security measures are in place to prevent unsafe Lua code from accessing critical system resources on the controller
+	// and fail validation, preventing the unsafe code from flowing to the data plane proxy.
 	LuaValidationStrict LuaValidation = "Strict"
 
-	// LuaValidationSyntax checks for syntax errors in the Lua script.
-	// Note that this is not a full runtime validation and does not check for issues during script execution.
-	// This is recommended if your scripts use external libraries that are not supported by Lua runtime validation.
-	LuaValidationSyntax LuaValidation = "Syntax"
+	// LuaValidationInsecureSyntax checks for Lua syntax errors only.
+	// Useful if your scripts use external libraries other than the standard Envoy Lua stream handle API.
+	// WARNING: This mode does NOT offer any runtime validations, so no security measures are applied to validate Lua code safety.
+	// Not recommended unless you completely trust all EnvoyExtensionPolicy resources.
+	LuaValidationInsecureSyntax LuaValidation = "InsecureSyntax"
 
-	// LuaValidationDisabled disables all validations of Lua scripts.
-	// Scripts will be accepted and executed without any validation checks.
-	// This is not recommended unless both runtime and syntax validations are failing unexpectedly.
+	// LuaValidationDisabled disables all Lua script validations.
+	// WARNING: This mode does NOT offer any runtime or syntax validations, so no security measures are applied to validate Lua code safety.
+	// Not recommended unless you completely trust all EnvoyExtensionPolicy resources.
 	LuaValidationDisabled LuaValidation = "Disabled"
 )
 

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml

@@ -466,6 +466,7 @@ spec:
                   Default: Strict
                 enum:
                 - Strict
+                - InsecureSyntax
                 - Disabled
                 type: string
               mergeGateways:

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml

@@ -465,6 +465,7 @@ spec:
                   Default: Strict
                 enum:
                 - Strict
+                - InsecureSyntax
                 - Disabled
                 type: string
               mergeGateways:

internal/gatewayapi/envoyextensionpolicy.go

@@ -645,6 +645,11 @@ func (t *Translator) buildLuas(policy *egv1a1.EnvoyExtensionPolicy, resources *r
 		return nil, nil
 	}
 
+	// If Lua EnvoyExtensionPolicies are disabled, skip building Lua filters.
+	if len(policy.Spec.Lua) > 0 && t.LuaEnvoyExtensionPolicyDisabled {
+		return nil, fmt.Errorf("Skipping Lua EnvoyExtensionPolicy as feature is disabled in the Gateway")
+	}
+
 	luaIRList := make([]ir.Lua, 0, len(policy.Spec.Lua))
 
 	for idx, ep := range policy.Spec.Lua {

internal/gatewayapi/luavalidator/lua_validator.go

@@ -6,9 +6,11 @@
 package luavalidator
 
 import (
+	"context"
 	_ "embed"
 	"fmt"
 	"strings"
+	"time"
 
 	lua "github.com/yuin/gopher-lua"
 
@@ -18,6 +20,7 @@ import (
 const (
 	envoyOnRequestFunctionName  = "envoy_on_request"
 	envoyOnResponseFunctionName = "envoy_on_response"
+	luaExecutionTimeout         = 5 * time.Second
 )
 
 // mockData contains mocks of Envoy supported APIs for Lua filters.
@@ -26,6 +29,14 @@ const (
 //go:embed mocks.lua
 var mockData string
 
+// securityData contains Lua security wrappers that restrict access to sensitive filesystem paths and
+// critical environment variables during Lua code validation in the gateway controller.
+//
+// TODO: Create a configurable set of filesystem paths and environment variables to check for in the proxy apart from default configured here.
+//
+//go:embed security.lua
+var securityData string
+
 // LuaValidator validates user provided Lua for compatibility with Envoy supported Lua HTTP filter
 // Validation strictness is controlled by the validation field
 type LuaValidator struct {
@@ -47,12 +58,12 @@ func (l *LuaValidator) Validate() error {
 		return fmt.Errorf("expected one of %s() or %s() to be defined", envoyOnRequestFunctionName, envoyOnResponseFunctionName)
 	}
 	if strings.Contains(l.code, envoyOnRequestFunctionName) {
-		if err := l.validate(mockData + "\n" + l.code + "\n" + envoyOnRequestFunctionName + "(StreamHandle)"); err != nil {
+		if err := l.validate(l.code + "\n" + envoyOnRequestFunctionName + "(StreamHandle)"); err != nil {
 			return fmt.Errorf("failed to validate with %s: %w", envoyOnRequestFunctionName, err)
 		}
 	}
 	if strings.Contains(l.code, envoyOnResponseFunctionName) {
-		if err := l.validate(mockData + "\n" + l.code + "\n" + envoyOnResponseFunctionName + "(StreamHandle)"); err != nil {
+		if err := l.validate(l.code + "\n" + envoyOnResponseFunctionName + "(StreamHandle)"); err != nil {
 			return fmt.Errorf("failed to validate with %s: %w", envoyOnResponseFunctionName, err)
 		}
 	}
@@ -62,7 +73,7 @@ func (l *LuaValidator) Validate() error {
 // validate runs the validation on given code
 func (l *LuaValidator) validate(code string) error {
 	switch l.getLuaValidation() {
-	case egv1a1.LuaValidationSyntax:
+	case egv1a1.LuaValidationInsecureSyntax:
 		return l.loadLua(code)
 	case egv1a1.LuaValidationDisabled:
 		return nil
@@ -79,22 +90,61 @@ func (l *LuaValidator) getLuaValidation() egv1a1.LuaValidation {
 	return egv1a1.LuaValidationStrict
 }
 
-// newLuaState creates a new Lua state with global settings applied
-func (l *LuaValidator) newLuaState() *lua.LState {
-	L := lua.NewState()
+// newLuaState creates a new Lua state with global settings and resource limits applied
+// Returns the Lua state and a cancel function that must be called when done
+func (l *LuaValidator) newLuaState() (*lua.LState, context.CancelFunc) {
+	// Configure Lua VM with resource limits to prevent DoS
+	L := lua.NewState(lua.Options{
+		CallStackSize:       256,   // Default call stack depth
+		RegistrySize:        5120,  // Default registry size (256 * 20)
+		RegistryMaxSize:     5120,  // Disable registry growth for security
+		RegistryGrowStep:    32,    // Default registry growth step (not used since max = initial)
+		SkipOpenLibs:        false, // We need standard libraries (filtered by security.lua)
+		IncludeGoStackTrace: false, // Don't leak Go stack traces to user errors
+	})
+
+	// Create context with timeout to prevent infinite loops or long-running code
+	ctx, cancel := context.WithTimeout(context.Background(), luaExecutionTimeout)
+	L.SetContext(ctx)
+
 	// Suppress all print statements
 	L.SetGlobal("print", L.NewFunction(func(L *lua.LState) int {
 		return 0
 	}))
-	return L
+	return L, cancel
 }
 
 // runLua interprets and runs the provided Lua code in runtime using gopher-lua
 // Refer: https://github.com/yuin/gopher-lua?tab=readme-ov-file#differences-between-lua-and-gopherlua
 func (l *LuaValidator) runLua(code string) error {
-	L := l.newLuaState()
+	L, cancel := l.newLuaState()
+	defer cancel()
 	defer L.Close()
-	if err := L.DoString(code); err != nil {
+
+	// Execute mocks first (trusted code, needs setmetatable, defines StreamHandle, etc.)
+	_ = L.DoString(mockData)
+	// Execute Lua security wrappers (trusted code) to protect the gateway controller
+	// See security advisory: https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22
+	_ = L.DoString(securityData)
+
+	// Execute user-provided code with panic recovery to prevent controller crashes
+	// Although gopher-lua returns errors if it internally panics,
+	// this is a defensive measure to prevent the controller from crashing.
+	var err error
+	func() {
+		defer func() {
+			if r := recover(); r != nil {
+				err = fmt.Errorf("lua execution panic: %v", r)
+			}
+		}()
+		err = L.DoString(code)
+	}()
+
+	if err != nil {
+		// Check if timeout occurred
+		if L.Context().Err() == context.DeadlineExceeded {
+			return fmt.Errorf("lua execution timeout: code took longer than %v", luaExecutionTimeout)
+		}
 		return err
 	}
 	return nil
@@ -103,7 +153,8 @@ func (l *LuaValidator) runLua(code string) error {
 // loadLua loads the Lua code into the Lua state, does not run it
 // This is used to check for syntax errors in the Lua code
 func (l *LuaValidator) loadLua(code string) error {
-	L := l.newLuaState()
+	L, cancel := l.newLuaState()
+	defer cancel()
 	defer L.Close()
 	if _, err := L.LoadString(code); err != nil {
 		return err