@incfly
Last active February 6, 2023 20:16
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: lua
spec:
  workloadSelector:
    labels:
      app: httpbin
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
        name: envoy.lua
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inlineCode: |
            -- Reject inbound requests whose header values (including the :path
            -- pseudo-header, so query strings are covered) carry the log4j lookup
            -- marker "jndi" or one of the split "${...${" prefixes used to hide it.
            -- Values are lowercased first so the match is case-insensitive.
            function envoy_on_request(request_handle)
              local affected = false
              local header_name = ""
              for key, val in pairs(request_handle:headers()) do
                local lower = string.lower(val)
                -- plain find (4th argument true): "$" and "{" are matched literally
                if string.find(lower, "jndi", 1, true) then
                  affected = true
                  header_name = key
                  break
                end
                if string.find(lower, "${${", 1, true) or string.find(lower, "${j${", 1, true) or string.find(lower, "${jn${", 1, true) or string.find(lower, "${jnd${", 1, true) or string.find(lower, "${jndi${", 1, true) then
                  affected = true
                  header_name = key
                  break
                end
              end
              if affected then
                -- record which header tripped the rule, then short-circuit with a 400
                request_handle:logWarn("blocked request: log4j marker in header " .. header_name)
                request_handle:respond(
                  {[":status"] = "400"},
                  "Bad Request.")
              end
            end

EnvoyFilter and Log4j CVE

  • An Istio deployment with the httpbin and sleep sample workloads.
  • Apply the EnvoyFilter above.
  • Send test requests and check that they are denied as expected.

The patterns used in the config are taken from https://github.com/avinetworks/datascript-library/blob/6740173e98e1ecfa72bdccc0650664d43d31e123/security/check_for_log4j_attacks.md

Each of the following requests, sent from the sleep pod to httpbin, should be rejected by the sidecar with a 400 response:
kex $(kpid sleep) -c sleep -- curl 'httpbin:8000/headers?foo=jndi'
kex $(kpid sleep) -c sleep -- curl 'httpbin:8000/ip' -H "Foo: Jndi"
kex $(kpid sleep) -c sleep -- curl 'httpbin:8000/ip'  -H 'bar: ${${'
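To exercise the rule before it goes into a sidecar, the following is an added example (not code from the gist) that lifts the filter's matching logic into a plain Lua function and wraps it in a small mock of Envoy's request handle, so the three curl checks above plus a benign request can be replayed with the stock `lua` interpreter. The `find_log4j_marker` function, the `NEEDLES` table, the `mock_handle` helper and the sample header tables are constructed for this example; `request_handle:logWarn` and `request_handle:respond` are the real Envoy Lua API calls the filter uses.

```lua
-- Patterns from the EnvoyFilter above: the bare marker plus the split prefixes.
local NEEDLES = { "jndi", "${${", "${j${", "${jn${", "${jnd${", "${jndi${" }

-- Returns the name of the first header whose (lowercased) value matches, or nil.
-- Plain find (4th argument true) so "$" and "{" are compared literally.
local function find_log4j_marker(headers)
  for key, val in pairs(headers) do
    local lower = string.lower(val)
    for _, needle in ipairs(NEEDLES) do
      if string.find(lower, needle, 1, true) then
        return key
      end
    end
  end
  return nil
end

-- Same shape as the filter's envoy_on_request, built on find_log4j_marker.
function envoy_on_request(request_handle)
  local header_name = find_log4j_marker(request_handle:headers())
  if header_name then
    request_handle:logWarn("blocked request: log4j marker in header " .. header_name)
    request_handle:respond({ [":status"] = "400" }, "Bad Request.")
  end
end

-- Mock handle (constructed for this test): exposes headers() like Envoy does
-- and records whether respond() was called and with what status.
local function mock_handle(headers)
  local h = { responded = nil, hdrs = headers }
  function h:headers() return self.hdrs end
  function h:logWarn(msg) io.stderr:write(msg, "\n") end
  function h:respond(hdrs, body) self.responded = { status = hdrs[":status"], body = body } end
  return h
end

-- Cases mirror the three curl checks (query string lands in :path, header value
-- in mixed case, split prefix) plus one benign request that must pass through.
local cases = {
  { { [":path"] = "/headers?foo=jndi" },            true },
  { { [":path"] = "/ip", ["foo"] = "Jndi" },        true },
  { { [":path"] = "/ip", ["bar"] = "${${" },        true },
  { { [":path"] = "/ip", ["user-agent"] = "curl" }, false },
}
for i, c in ipairs(cases) do
  local h = mock_handle(c[1])
  envoy_on_request(h)
  assert((h.responded ~= nil) == c[2], "case " .. i .. " failed")
  assert(not h.responded or h.responded.status == "400", "case " .. i .. " wrong status")
end
print("all cases pass")
```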