Istio CVE-2020-8595

## check.sh
#!/bin/bash

set -eEo pipefail

trap clean_up EXIT SIGINT

dockerID=""
tmpDir=""

clean_up() {
	if [ "$dockerID" != "" ]; then
		docker rm -f $dockerID
	fi
	if [ "$tmpDir" != ""  ]; then
		popd
		rm -rf $tmpDir
	fi
}

scriptName=$(basename $0)

if [ "$#" -lt 1 ]; then
  cat <<EOF
Usage $scriptName <your-proxy-image-version>
$scriptName istio/proxyv2:1.4.3
EOF
exit 1
fi

proxyImage="$1"
tmpDir=$(mktemp -d "$PWD/cve-2020-8595.XXXXXX")

pushd $tmpDir

envoy_config=$(cat <<EOF
node:
  id: test
  metadata:
    "istio.io/metadata": {
      namespace: default,
      labels: { app: productpage },
    }
static_resources:
  listeners:
  - name: server
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 8091
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          stat_prefix: ingress_http
          codec_type: auto
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: backend
          http_filters:
            - name: envoy.filters.http.jwt_authn
              typed_config:
                "@type": type.googleapis.com/envoy.config.filter.http.jwt_authn.v2alpha.JwtAuthentication
                providers:
                  origins-0:
                    issuer: testing@secure.istio.io
                    forward: true
                    payload_in_metadata: testing@secure.istio.io
                    local_jwks:
                      inline_string: '{ "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}'
                rules:
                - match:
                    prefix: "/"
                  requires:
                    allow_missing_or_failed: {}
            - name: istio_authn
              typed_config:
                "@type": type.googleapis.com/istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig
                policy:
                  origins:
                  - jwt:
                      issuer: testing@secure.istio.io
                      jwks_uri: https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json
                      trigger_rules:
                      - included_paths:
                        - exact: "/productpage"
                  principal_binding: USE_ORIGIN
                jwt_output_payload_locations:
                  testing@secure.istio.io: istio-sec-5406b7840708063f65cbdf52153ca364a476d68b
            - name: envoy.router
              config: {}
          access_log:
          - name: envoy.file_access_log
            config:
              path: "/dev/stdout"
              format: "server %RESPONSE_CODE% downstream:%DYNAMIC_METADATA(envoy.wasm.metadata_exchange.downstream:labels)% upstream:%DYNAMIC_METADATA(envoy.wasm.metadata_exchange.upstream:labels)%\n"
  - name: backend
    address:
      socket_address:
        address: 127.0.0.1
        port_value: 8099
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          stat_prefix: ingress_http
          codec_type: auto
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                direct_response:
                  status: 200
                  body:
                    inline_string: "sample backend body\n"
          http_filters:
          - name: envoy.router
            config: {}
  clusters:
  - name: backend
    connect_timeout: 0.25s
    type: static
    lb_policy: round_robin
    hosts:
    - socket_address:
        address: 127.0.0.1
        port_value: 8099
    http2_protocol_options: {}
admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 15000
EOF)

echo -e "$envoy_config" > envoy.yaml

dockerID=$(docker run -p 8091:8091 -d --rm -v `pwd`:`pwd` -w `pwd` --entrypoint "envoy" $proxyImage -c ./envoy.yaml)

echo "Sleeping for 5 seconds so the docker container is up and running"
sleep 5

RED='\033[0;31m'
GREEN='\033[0;32m'
ORANGE='\033[0;33m'
NC='\033[0m'
VULN="CVE-2020-8595"

curl -v localhost:8091/productpage? 2>&1 | grep "^..HTTP" |
(
while read OUTPUT
do
        case $OUTPUT in
                *200*)echo -e "[${VULN}] ${RED}Vulnerable${NC}"
                        ;;
                *401*)echo -e "[${VULN}] ${GREEN}Fix applied${NC}"
                        ;;
                *)echo -e "[${VULN}] ${RED}Can't verify${NC}"
                        ;;
        esac
done
)
	#!/bin/bash

	set -eEo pipefail

	trap clean_up EXIT SIGINT

	dockerID=""
	tmpDir=""

	clean_up() {
	if [ "$dockerID" != "" ]; then
	docker rm -f $dockerID
	fi
	if [ "$tmpDir" != "" ]; then
	popd
	rm -rf $tmpDir
	fi
	}

	scriptName=$(basename $0)

	if [ "$#" -lt 1 ]; then
	cat <<EOF
	Usage $scriptName <your-proxy-image-version>
	$scriptName istio/proxyv2:1.4.3
	EOF
	exit 1
	fi

	proxyImage="$1"
	tmpDir=$(mktemp -d "$PWD/cve-2020-8595.XXXXXX")

	pushd $tmpDir

	envoy_config=$(cat <<EOF
	node:
	id: test
	metadata:
	"istio.io/metadata": {
	namespace: default,
	labels: { app: productpage },
	}
	static_resources:
	listeners:
	- name: server
	address:
	socket_address:
	address: 0.0.0.0
	port_value: 8091
	filter_chains:
	- filters:
	- name: envoy.http_connection_manager
	config:
	stat_prefix: ingress_http
	codec_type: auto
	route_config:
	name: local_route
	virtual_hosts:
	- name: local_service
	domains:
	- "*"
	routes:
	- match:
	prefix: "/"
	route:
	cluster: backend
	http_filters:
	- name: envoy.filters.http.jwt_authn
	typed_config:
	"@type": type.googleapis.com/envoy.config.filter.http.jwt_authn.v2alpha.JwtAuthentication
	providers:
	origins-0:
	issuer: testing@secure.istio.io
	forward: true
	payload_in_metadata: testing@secure.istio.io
	local_jwks:
	inline_string: '{ "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}'
	rules:
	- match:
	prefix: "/"
	requires:
	allow_missing_or_failed: {}
	- name: istio_authn
	typed_config:
	"@type": type.googleapis.com/istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig
	policy:
	origins:
	- jwt:
	issuer: testing@secure.istio.io
	jwks_uri: https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json
	trigger_rules:
	- included_paths:
	- exact: "/productpage"
	principal_binding: USE_ORIGIN
	jwt_output_payload_locations:
	testing@secure.istio.io: istio-sec-5406b7840708063f65cbdf52153ca364a476d68b
	- name: envoy.router
	config: {}
	access_log:
	- name: envoy.file_access_log
	config:
	path: "/dev/stdout"
	format: "server %RESPONSE_CODE% downstream:%DYNAMIC_METADATA(envoy.wasm.metadata_exchange.downstream:labels)% upstream:%DYNAMIC_METADATA(envoy.wasm.metadata_exchange.upstream:labels)%\n"
	- name: backend
	address:
	socket_address:
	address: 127.0.0.1
	port_value: 8099
	filter_chains:
	- filters:
	- name: envoy.http_connection_manager
	config:
	stat_prefix: ingress_http
	codec_type: auto
	route_config:
	name: local_route
	virtual_hosts:
	- name: local_service
	domains:
	- "*"
	routes:
	- match:
	prefix: "/"
	direct_response:
	status: 200
	body:
	inline_string: "sample backend body\n"
	http_filters:
	- name: envoy.router
	config: {}
	clusters:
	- name: backend
	connect_timeout: 0.25s
	type: static
	lb_policy: round_robin
	hosts:
	- socket_address:
	address: 127.0.0.1
	port_value: 8099
	http2_protocol_options: {}
	admin:
	access_log_path: "/dev/null"
	address:
	socket_address:
	address: 0.0.0.0
	port_value: 15000
	EOF)

	echo -e "$envoy_config" > envoy.yaml

	dockerID=$(docker run -p 8091:8091 -d --rm -v `pwd`:`pwd` -w `pwd` --entrypoint "envoy" $proxyImage -c ./envoy.yaml)

	echo "Sleeping for 5 seconds so the docker container is up and running"
	sleep 5

	RED='\033[0;31m'
	GREEN='\033[0;32m'
	ORANGE='\033[0;33m'
	NC='\033[0m'
	VULN="CVE-2020-8595"

	curl -v localhost:8091/productpage? 2>&1 \| grep "^..HTTP" \|
	(
	while read OUTPUT
	do
	case $OUTPUT in
	200)echo -e "[${VULN}] ${RED}Vulnerable${NC}"
	;;
	401)echo -e "[${VULN}] ${GREEN}Fix applied${NC}"
	;;
	*)echo -e "[${VULN}] ${RED}Can't verify${NC}"
	;;
	esac
	done
	)