config: escape % signs in local reply format string (#5460)

Since v0.26, Pomerium configures Envoy to use a custom HTML error page format string for most errors served by Envoy itself. This format string uses %COMMAND% directives to include details about the error. The HTML error page template also includes any branding options set via the corresponding Enterprise settings. We need to ensure that any % signs in the branding options strings are escaped to %% so that Envoy will not interpret them as the start of a %COMMAND% directive, which could lead to Envoy rejecting the format string as invalid.
2025-04-29 10:26:29 +02:00 · 2025-02-03 14:31:06 -08:00 · 2025-02-03 14:31:06 -08:00 · efe3cef2e4
commit efe3cef2e4
parent 34c25442ff
2 changed files with 76 additions and 6 deletions
--- a/config/envoyconfig/http_connection_manager.go
+++ b/config/envoyconfig/http_connection_manager.go
@ -56,13 +56,19 @@ func (b *Builder) buildLocalReplyConfig(
 		headers = toEnvoyHeaders(options.GetSetResponseHeaders())
 	}

-	data := map[string]any{
-		"status":        "%RESPONSE_CODE%",
-		"statusText":    "%RESPONSE_CODE_DETAILS%",
-		"requestId":     "%STREAM_ID%",
-		"responseFlags": "%RESPONSE_FLAGS%",
-	}
+	data := make(map[string]any)
 	httputil.AddBrandingOptionsToMap(data, options.BrandingOptions)
+	for k, v := range data {
+		// Escape any % signs in the branding options data, as Envoy will
+		// interpret the page output as a substitution format string.
+		if s, ok := v.(string); ok {
+			data[k] = strings.ReplaceAll(s, "%", "%%")
+		}
+	}
+	data["status"] = "%RESPONSE_CODE%"
+	data["statusText"] = "%RESPONSE_CODE_DETAILS%"
+	data["requestId"] = "%STREAM_ID%"
+	data["responseFlags"] = "%RESPONSE_FLAGS%"

 	bs, err := ui.RenderPage("Error", "Error", data)
 	if err != nil {
--- a/config/envoyconfig/http_connection_manager_test.go
+++ b/config/envoyconfig/http_connection_manager_test.go
@ -0,0 +1,64 @@
+package envoyconfig
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/proto"
+
+	"github.com/pomerium/pomerium/config"
+	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
+)
+
+func Test_buildLocalReplyConfig(t *testing.T) {
+	b := Builder{}
+	opts := config.NewDefaultOptions()
+	opts.BrandingOptions = &configpb.Settings{
+		LogoUrl:                    proto.String("http://example.com/my%20branding%20logo.png"),
+		ErrorMessageFirstParagraph: proto.String("It's 100% broken."),
+	}
+	lrc, err := b.buildLocalReplyConfig(opts)
+	require.NoError(t, err)
+	tmpl := string(lrc.Mappers[0].GetBodyFormatOverride().GetTextFormatSource().GetInlineBytes())
+	assert.Equal(t, `<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <link id="favicon" rel="shortcut icon" href="/.pomerium/favicon.ico?v=2" />
+    <link
+      class="pomerium_favicon"
+      rel="apple-touch-icon"
+      sizes="180x180"
+      href="/.pomerium/apple-touch-icon.png"
+    />
+    <link
+      class="pomerium_favicon"
+      rel="icon"
+      sizes="32x32"
+      href="/.pomerium/favicon-32x32.png"
+    />
+    <link
+      class="pomerium_favicon"
+      rel="icon"
+      sizes="16x16"
+      href="/.pomerium/favicon-16x16.png"
+    />
+    <meta
+      name="viewport"
+      content="width=device-width, initial-scale=1, shrink-to-fit=no"
+    />
+    <title>Error</title>
+    <link rel="stylesheet" href="/.pomerium/index.css" />
+  </head>
+  <body>
+    <noscript>You need to enable JavaScript to run this app.</noscript>
+    <div id="root"></div>
+    <script>
+      window.POMERIUM_DATA = {"errorMessageFirstParagraph":"It's 100%% broken.","logoUrl":"http://example.com/my%%20branding%%20logo.png","page":"Error","requestId":"%STREAM_ID%","responseFlags":"%RESPONSE_FLAGS%","status":"%RESPONSE_CODE%","statusText":"%RESPONSE_CODE_DETAILS%"};
+    </script>
+    <script src="/.pomerium/index.js"></script>
+  </body>
+</html>
+`, tmpl)
+}