Removed exception in getResponseStatus()

[zasweq]

Signed-off-by: Zach Reyes zasweq@google.com

Commit Message: Removed exception in getResponseStatus().
Additional Description: Falls within #10878. getResponseStatus() is called on the data plane in the codecs. Thus, for security reasons changed from throw Exception -> Release Assert for the function calls in codebase. For HTTP/2 codec's, changed decodeHeaders() to return a status rather than exception, which logically amounts to the same logic after the try catch around dispatch.
Risk Level: Low
Testing: N/A
Docs Changes: N/A
Release Notes: N/A

[yanavlasov]

I think it is possible that it could throw exception and exception and not crash when processing upstream response. The exception would have been caught by the dispatch() method of the client connection. Do we have an integration test where upstream responds with a garbage status?

[asraa]

Thanks!

[yanavlasov]

Please add tests like ProtocolIntegrationTest.UnknownResponsecode but with status strings that are not a number or overflowing uint64_t to cover the new RELEASE_ASSERT

[zasweq]

Yan, just to officially document this, that test crashes on the release assert on this code change, and when I run that integration test against master, it also crashes. Hopefully it's caused by the mocks.

[yanavlasov]

Yan, just to officially document this, that test crashes on the release assert on this code change, and when I run that integration test against master, it also crashes. Hopefully it's caused by the mocks.

Yes, it is crashing in the codec used for faking the upstream server. We'll discuss tomorrow how to proceed.

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[yanavlasov]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[yanavlasov]

When this method is only called from the ConnectionImpl::ClientStreamImpl::decodeHeaders(). Given that the H/2 codec verifies validity of the Status header, the only case where this can fail is if the Status header is missing altogether.
I think we should just move the check for Status header presence into the ConnectionImpl::ClientStreamImpl::decodeHeaders() and here just ASSERT success of the absl::SimpleAtoi with the comment that invalid Status values should not get past response parsing in codec.

[zasweq]

Interesting. I liked how this got rid of exceptions, but your suggestion is a much cleaner way to remove the exceptions. Take the two things in the if and move one thing (simpleAtoi() call) to an assert and another (status presence) to codebase. However, I do believe the codecs already account for missing status headers similarly to overflowing status, so why even add a check there? @asraa what are your thoughts

[zasweq]

Quickly glanced around codebase, couldn't seem to find a missing status integration test? If not there (perhaps ctrl f in GitHub missed it :)) I can add one!

[zasweq]

Out of my own interest I wrote an http2 frame method for header frames without statuses breaking the HTTP/2 requirement and wrote an integration test for it. I got "[2020-10-22 05:28:34.375][31][trace][http2] [source/common/http/http2/codec_impl.cc:715] [C2] about to recv frame type=1, flags=5
[2020-10-22 05:28:34.375][31][debug][http2] [source/common/http/http2/codec_impl.cc:890] [C2] invalid frame: Violation in HTTP messaging rule on stream 1". Thus, this is similar to overflowing statuses. Let me know if you want me to check that test in too, because it would potentially hit this line and if the codec didn't validate status presence which is what the test checked for.

[zasweq]

Hey Yan, I discussed this with Asra in our standup. Asra wants to keep it consistent, and is indifferent to whether we ASSERT or have a check, however wants to keep it consistent, and not an assert on atoi and a check for headers, because that would be unneeded complexity by splitting them.

[yanavlasov]

Ok, I understand. I think given that we also verify that missing status from the response headers is rejected, I think we could either ENVOY_BUG or RELEASE_ASSERT that status header is present.

[zasweq]

So release assert on both conditions in the utility function?

[zasweq]

"Both" meaning missing status and overflowed status

[zasweq]

Hey - so just to make sure - what you want is to keep the function as is, but instead of throwing up an exception with the if clause, wrap those two booleans (headers present, atoi call okay) in a RELASE_ASSERT. Basically, since we have validated that across both codecs the codecs handle it, we can move it.

[zasweq]

"Keep the function as is" meaning what is currently checked into master for getResponseStatus? Both utility function and not having my error handling in codecs.

[yanavlasov]

Is there a case where this function can fail parsing the Status header now that there are tests that verify that invalid Status header is rejected by both H/1 and H/2 codecs?

[zasweq]

No, but you don't think it's worth removing exceptions (removing meaning converting to error earlier instead of in try catch block) for any future iterations, considering if we keep the exception then it'll still be there in the long run, even though currently not triggerable?

[yanavlasov]

I think it is totally worth removing this exception. We have proven with the test that the code does the right thing and does not accept responses with invalid Status header. Given this I think we should just assert that the parsing of the status number was successful. I think we could use ENVOY_BUG or event RELEASE_ASSERT here, given that we have solid test.

[zasweq]

Hey Yan, I've been thinking about this some, and I think that the problem is that getResponseStatus() is called all around the codebase, and the problem is that if we make it an assert rather than an exception for other parts of the codebase, it would introduce a point of failure out of nothing? Let me know what you're thinking :)

[asraa]

To make sure I'm understanding the whole picture, because I am confused reading the threads:

• In decodeHeaders() we won't trigger an exception because we know per spec (presence and 3 digits) https://tools.ietf.org/html/rfc7540#section-8.1.2.4, H/2 parser would reject. So I think we can rely on the parser. I think we should RELEASE_ASSERT/ASSERT. I think ASSERT is okay because of the added tests. ENVOY_BUG would be okay as long as we can continue to proceed, but because we have tests, I don't know if it's worth it. The only way to mess it up would be to update/change nghttp2, which would be detected in tests before the change.
• In encodeHeaders(), we won't trigger the exception with bad upstream traffic because the codecs have verified valid 3-digit status. I think we should add in protection as a later TODO in case filters misbehave Gracefully handle removal of critical headers by filters #13756

[yanavlasov]

Sorry about the confusion. I was thinking more about this case. It is a bit of a mess.
This error handling was put in place to handle the case of an encoder filter removing or setting invalid ":status" header. It "worked" for the old codecs that used exceptions, since filter's chain was invoked under the dispatch context and this CodecClientException would have been caught in the CodecClient::onData method. It would have caused the stack unwind in the codec's C code which is bad.
In the new exception free codec this exception will cause process termination, since there is no catch any more.
I suppose it is better to leave the exception there (instead of ASSERT or RELEASE_ASSERT), since if someone happens to run buggy filter that removes ":status" they can revert to the old codec and avoid the crash. So i think the current state of this PR is the best.
I think the exception in the getResponseStatus() can only be removed after issue #13756 is fixed. And we should fix it before the old codec is removed completely.

[yanavlasov]

Faulty filters will be handled in PR #13470 after which the exception can be removed.
I suggest to just wait for the PR #13470 to land and then replace the exception with the RELEASE_ASSERT with appropriate comments. Do you think you have time to do it? Or would you rather just commit tests and then the exception removal would be completed by someone else?

[zasweq]

Hey Yan, thanks for taking a look at this. Weirdly, I forgot to check in the utility source file where I switched it to an ASSERT. Perhaps we can just check in the tests for now, since switching to an ASSERT at a later time would be a one line change :).