GHSA-wcrf-9vrr-854f
Envoy Gateway: Authentication Bypass via Improper Input Validation in EnvoyExtensionPolicy Lua Allows Secret Disclosure
Details
### Impact
The `to_absolute_normalized_path` function (security.lua:28-43) does not collapse redundant path separators (// → /). On Linux, `//etc/passwd` is equivalent to `/etc/passwd` (POSIX path semantics), but `is_critical_path` fails to match the double-slash variant because `//etc/passwd` does not start with `/etc/`.
This allows Lua code submitted as an `EnvoyExtensionPolicy` to read arbitrary files from the gateway controller pod's filesystem during Strict validation (the default), including:
* `/etc/passwd` * Kubernetes SA tokens via `//var/run/secrets/kubernetes.io/serviceaccount/token` * TLS certificates via `//certs/...` * Process environment via `//proc/self/environ`
These credentials can be used to read sensitive information from the K8s API Server or from the Gateway XDS server.
### Patches
This has been patched in versions >= v1.7.4 and v1.8.1
- Collapse redundant path separators (`//` to `/`) so double-slash variants like `//etc/passwd` and `//var/run/secrets/...` are matched by the critical-path check. - Rewrite the traversal check to reject any `.` or `..` segment in any position and across both separator styles (catches `/etc/./passwd`, `./etc/passwd`, `/etc/.`).
### Workarounds Please refer to the `Warning` section in [Lua docs](https://gateway.envoyproxy.io/v1.8/tasks/extensibility/lua/) for measures to reduce risk.
### Credits
Envoy Gateway thanks @dashingDragon and @Donjon-Cerberus for reporting this issue.
Are you affected?
Enter the version of the package you're using.
Affected packages
1.8.0-rc.0 Fixed in: 1.8.1 go get github.com/envoyproxy/gateway@v1.8.1 0 Fixed in: 1.7.4 go get github.com/envoyproxy/gateway@v1.7.4