header_mutation: fix the uri query encoding #43502

Merged
botengyao merged 3 commits into envoyproxy:main from botengyao:header_mutation_bug
Feb 18, 2026

@botengyao

Fixed an issue where query parameter values added via query_parameter_mutations were not URL-encoded, allowing query parameter injection attacks. Values from formatters like %REQ(header)% are now properly URL-encoded when added to the query string. This behavior is controlled by the runtime guard envoy.reloadable_features.header_mutation_url_encode_query_params.

Commit Message:
Additional Description:
Risk Level: low
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

Signed-off-by: Boteng Yao <boteng@google.com>
Signed-off-by: Boteng Yao <boteng@google.com>
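
The failure mode described in the PR description, as an added example that is not part of this pull request or Envoy's code: a header value appended to the query string without percent-encoding is parsed upstream as an extra parameter, while the encoded form stays a single value. The helper names (`percentEncode`, `appendQueryParam`, `queryKeys`), the path and the header value are hypothetical and constructed for illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Percent-encode every byte outside the RFC 3986 "unreserved" set.
// Hypothetical helper for this example, not Envoy's own encoder.
std::string percentEncode(const std::string& in) {
  static const char kHex[] = "0123456789ABCDEF";
  std::string out;
  for (unsigned char c : in) {
    if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
      out += static_cast<char>(c);
    } else {
      out += {'%', kHex[c >> 4], kHex[c & 0x0F]};
    }
  }
  return out;
}

// Append key=value to a path, choosing '?' or '&' as the separator.
std::string appendQueryParam(const std::string& path, const std::string& key,
                             const std::string& value, bool encode) {
  const char sep = path.find('?') == std::string::npos ? '?' : '&';
  return path + sep + key + "=" + (encode ? percentEncode(value) : value);
}

// Split the query on '&' and return the parameter keys an upstream would see.
std::vector<std::string> queryKeys(const std::string& url) {
  std::vector<std::string> keys;
  size_t pos = url.find('?');
  while (pos != std::string::npos && pos + 1 < url.size()) {
    const size_t end = url.find('&', pos + 1);
    const std::string pair = url.substr(pos + 1, end == std::string::npos ? end : end - pos - 1);
    keys.push_back(pair.substr(0, pair.find('=')));
    pos = end;
  }
  return keys;
}

int main() {
  const std::string header = "alice&role=admin";  // constructed request header value
  for (bool encode : {false, true}) {
    const std::string url = appendQueryParam("/api?v=1", "user", header, encode);
    std::printf("%-8s %s (%zu params)\n", encode ? "encoded" : "raw", url.c_str(), queryKeys(url).size());
  }
}
```
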
@repokitteh-read-only

CC @envoyproxy/runtime-guard-changes: FYI only for changes made to (source/common/runtime/runtime_features.cc).

🐱

Caused by: #43502 was opened by botengyao.

see: more, trace.

agrawroh previously approved these changes Feb 16, 2026

@agrawroh agrawroh left a comment

LGTM, Thanks @botengyao!

Signed-off-by: Boteng Yao <boteng@google.com>
@botengyao botengyao merged commit be601de into envoyproxy:main Feb 18, 2026
28 checks passed