config: escape % signs in local reply format string (#5460)

Since v0.26, Pomerium configures Envoy to use a custom HTML error page
format string for most errors served by Envoy itself. This format string
uses %COMMAND% directives to include details about the error.

The HTML error page template also includes any branding options set via
the corresponding Enterprise settings. We need to ensure that any %
signs in the branding options strings are escaped to %% so that Envoy
will not interpret them as the start of a %COMMAND% directive, which
could lead to Envoy rejecting the format string as invalid.

config/envoyconfig/http_connection_manager.go

@@ -56,13 +56,19 @@ func (b *Builder) buildLocalReplyConfig(
 		headers = toEnvoyHeaders(options.GetSetResponseHeaders())
 	}
 
-	data := map[string]any{
-		"status":        "%RESPONSE_CODE%",
-		"statusText":    "%RESPONSE_CODE_DETAILS%",
-		"requestId":     "%STREAM_ID%",
-		"responseFlags": "%RESPONSE_FLAGS%",
-	}
+	data := make(map[string]any)
 	httputil.AddBrandingOptionsToMap(data, options.BrandingOptions)
+	for k, v := range data {
+		// Escape any % signs in the branding options data, as Envoy will
+		// interpret the page output as a substitution format string.
+		if s, ok := v.(string); ok {
+			data[k] = strings.ReplaceAll(s, "%", "%%")
+		}
+	}
+	data["status"] = "%RESPONSE_CODE%"
+	data["statusText"] = "%RESPONSE_CODE_DETAILS%"
+	data["requestId"] = "%STREAM_ID%"
+	data["responseFlags"] = "%RESPONSE_FLAGS%"
 
 	bs, err := ui.RenderPage("Error", "Error", data)
 	if err != nil {