[api] Fix header validations

api/bazel/repository_locations.bzl

@@ -4,8 +4,8 @@ BAZEL_SKYLIB_SHA256 = "1dde365491125a3db70731e25658dfdd3bc5dbdfd11b840b3e987ecf0
 OPENCENSUS_PROTO_GIT_SHA = "be218fb6bd674af7519b1850cdf8410d8cbd48e8"  # Dec 20, 2019
 OPENCENSUS_PROTO_SHA256 = "e3bbdc94375e86c0edfb2fc5851507e08a3f26ee725ffff7c5c0e73264bdfcde"
 
-PGV_GIT_SHA = "61843aea0c3ca81fe7a558caf75fa36789a6d16e"  # Feb 14, 2020
-PGV_SHA256 = "0cdadf1bf786fcd05944831bd23bfcdb15c7c8940405c476696c9560fb039e26"
+PGV_GIT_SHA = "ab56c3dd1cf9b516b62c5087e1ec1471bd63631e"  # Mar 11, 2020
+PGV_SHA256 = "3be12077affd1ebf8787001f5fba545cc5f1b914964dab4e0cc77c43fba03b41"
 
 GOOGLEAPIS_GIT_SHA = "82944da21578a53b74e547774cf62ed31a05b841"  # Dec 2, 2019
 GOOGLEAPIS_SHA = "a45019af4d3290f02eaeb1ce10990166978c807cb33a9692141a076ba46d1405"

api/envoy/api/v2/core/base.proto

@@ -235,17 +235,18 @@ message RuntimeFeatureFlag {
 // Header name/value pair.
 message HeaderValue {
   // Header name.
-  string key = 1 [
-    (validate.rules).string = {min_bytes: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME}
-  ];
+  string key = 1
+      [(validate.rules).string =
+           {min_bytes: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
   // Header value.
   //
   // The same :ref:`format specifier <config_access_log_format>` as used for
   // :ref:`HTTP access logging <config_access_log>` applies here, however
   // unknown header values are replaced with the empty string instead of `-`.
-  string value = 2
-      [(validate.rules).string = {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE}];
+  string value = 2 [
+    (validate.rules).string = {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}
+  ];
 }
 
 // Header name/value pair plus option to control append behavior.

api/envoy/api/v2/route.proto

@@ -43,8 +43,9 @@ message RouteConfiguration {
   // will consider to be internal only. If they are found on external requests they will be cleaned
   // prior to filter invocation. See :ref:`config_http_conn_man_headers_x-envoy-internal` for more
   // information.
-  repeated string internal_only_headers = 3
-      [(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME}}}];
+  repeated string internal_only_headers = 3 [
+    (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
+  ];
 
   // Specifies a list of HTTP headers that should be added to each response that
   // the connection manager encodes. Headers specified at this level are applied
@@ -57,8 +58,9 @@ message RouteConfiguration {
 
   // Specifies a list of HTTP headers that should be removed from each response
   // that the connection manager encodes.
-  repeated string response_headers_to_remove = 5
-      [(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME}}}];
+  repeated string response_headers_to_remove = 5 [
+    (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
+  ];
 
   // Specifies a list of HTTP headers that should be added to each request
   // routed by the HTTP connection manager. Headers specified at this level are
@@ -71,8 +73,9 @@ message RouteConfiguration {
 
   // Specifies a list of HTTP headers that should be removed from each request
   // routed by the HTTP connection manager.
-  repeated string request_headers_to_remove = 8
-      [(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME}}}];
+  repeated string request_headers_to_remove = 8 [
+    (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
+  ];
 
   // By default, headers that should be added/removed are evaluated from most to least specific:
   //

api/envoy/api/v2/route/route_components.proto

@@ -73,7 +73,7 @@ message VirtualHost {
   // Domains cannot contain control characters. This is validated by the well_known_regex HTTP_HEADER_VALUE.
   repeated string domains = 2 [(validate.rules).repeated = {
     min_items: 1
-    items {string {well_known_regex: HTTP_HEADER_VALUE}}
+    items {string {well_known_regex: HTTP_HEADER_VALUE strict: false}}
   }];
 
   // The list of routes that will be matched, in order, for incoming requests.
@@ -602,8 +602,9 @@ message RouteAction {
     message Header {
       // The name of the request header that will be used to obtain the hash
       // key. If the request header is not present, no hash will be produced.
-      string header_name = 1
-          [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
+      string header_name = 1 [
+        (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}
+      ];
     }
 
     // Envoy supports two types of cookie affinity:
@@ -706,7 +707,8 @@ message RouteAction {
     // The case-insensitive name of this upgrade, e.g. "websocket".
     // For each upgrade type present in upgrade_configs, requests with
     // Upgrade: [upgrade_type] will be proxied upstream.
-    string upgrade_type = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE}];
+    string upgrade_type = 1
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
 
     // Determines if upgrades are available on this route. Defaults to true.
     google.protobuf.BoolValue enabled = 2;
@@ -731,7 +733,7 @@ message RouteAction {
     //   Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1
     //   *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead.
     string cluster_header = 2
-        [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
+        [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
     // Multiple upstream clusters can be specified for a given route. The
     // request is routed to one of the upstream clusters based on weights
@@ -1323,8 +1325,9 @@ message RateLimit {
       // The header name to be queried from the request headers. The header’s
       // value is used to populate the value of the descriptor entry for the
       // descriptor_key.
-      string header_name = 1
-          [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
+      string header_name = 1 [
+        (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}
+      ];
 
       // The key to use in the descriptor entry.
       string descriptor_key = 2 [(validate.rules).string = {min_bytes: 1}];
@@ -1445,7 +1448,8 @@ message HeaderMatcher {
   reserved 2, 3;
 
   // Specifies the name of the header in the request.
-  string name = 1 [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
+  string name = 1
+      [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
   // Specifies how the header match will be performed to route the request.
   oneof header_match_specifier {

api/envoy/config/core/v3/base.proto

@@ -250,17 +250,18 @@ message HeaderValue {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HeaderValue";
 
   // Header name.
-  string key = 1 [
-    (validate.rules).string = {min_bytes: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME}
-  ];
+  string key = 1
+      [(validate.rules).string =
+           {min_bytes: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
   // Header value.
   //
   // The same :ref:`format specifier <config_access_log_format>` as used for
   // :ref:`HTTP access logging <config_access_log>` applies here, however
   // unknown header values are replaced with the empty string instead of `-`.
-  string value = 2
-      [(validate.rules).string = {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE}];
+  string value = 2 [
+    (validate.rules).string = {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}
+  ];
 }
 
 // Header name/value pair plus option to control append behavior.

api/envoy/config/route/v3/route.proto

@@ -45,8 +45,9 @@ message RouteConfiguration {
   // will consider to be internal only. If they are found on external requests they will be cleaned
   // prior to filter invocation. See :ref:`config_http_conn_man_headers_x-envoy-internal` for more
   // information.
-  repeated string internal_only_headers = 3
-      [(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME}}}];
+  repeated string internal_only_headers = 3 [
+    (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
+  ];
 
   // Specifies a list of HTTP headers that should be added to each response that
   // the connection manager encodes. Headers specified at this level are applied
@@ -59,8 +60,9 @@ message RouteConfiguration {
 
   // Specifies a list of HTTP headers that should be removed from each response
   // that the connection manager encodes.
-  repeated string response_headers_to_remove = 5
-      [(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME}}}];
+  repeated string response_headers_to_remove = 5 [
+    (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
+  ];
 
   // Specifies a list of HTTP headers that should be added to each request
   // routed by the HTTP connection manager. Headers specified at this level are
@@ -73,8 +75,9 @@ message RouteConfiguration {
 
   // Specifies a list of HTTP headers that should be removed from each request
   // routed by the HTTP connection manager.
-  repeated string request_headers_to_remove = 8
-      [(validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME}}}];
+  repeated string request_headers_to_remove = 8 [
+    (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
+  ];
 
   // By default, headers that should be added/removed are evaluated from most to least specific:
   //

api/envoy/config/route/v3/route_components.proto

@@ -77,7 +77,7 @@ message VirtualHost {
   // Domains cannot contain control characters. This is validated by the well_known_regex HTTP_HEADER_VALUE.
   repeated string domains = 2 [(validate.rules).repeated = {
     min_items: 1
-    items {string {well_known_regex: HTTP_HEADER_VALUE}}
+    items {string {well_known_regex: HTTP_HEADER_VALUE strict: false}}
   }];
 
   // The list of routes that will be matched, in order, for incoming requests.
@@ -561,8 +561,9 @@ message RouteAction {
 
       // The name of the request header that will be used to obtain the hash
       // key. If the request header is not present, no hash will be produced.
-      string header_name = 1
-          [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
+      string header_name = 1 [
+        (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}
+      ];
     }
 
     // Envoy supports two types of cookie affinity:
@@ -680,7 +681,8 @@ message RouteAction {
     // The case-insensitive name of this upgrade, e.g. "websocket".
     // For each upgrade type present in upgrade_configs, requests with
     // Upgrade: [upgrade_type] will be proxied upstream.
-    string upgrade_type = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE}];
+    string upgrade_type = 1
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
 
     // Determines if upgrades are available on this route. Defaults to true.
     google.protobuf.BoolValue enabled = 2;
@@ -707,7 +709,7 @@ message RouteAction {
     //   Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1
     //   *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead.
     string cluster_header = 2
-        [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
+        [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
     // Multiple upstream clusters can be specified for a given route. The
     // request is routed to one of the upstream clusters based on weights
@@ -1308,8 +1310,9 @@ message RateLimit {
       // The header name to be queried from the request headers. The header’s
       // value is used to populate the value of the descriptor entry for the
       // descriptor_key.
-      string header_name = 1
-          [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
+      string header_name = 1 [
+        (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}
+      ];
 
       // The key to use in the descriptor entry.
       string descriptor_key = 2 [(validate.rules).string = {min_bytes: 1}];
@@ -1442,7 +1445,8 @@ message HeaderMatcher {
   reserved "regex_match";
 
   // Specifies the name of the header in the request.
-  string name = 1 [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
+  string name = 1
+      [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
   // Specifies how the header match will be performed to route the request.
   oneof header_match_specifier {

api/envoy/type/tracing/v2/custom_tag.proto

@@ -35,7 +35,8 @@ message CustomTag {
   // Header type custom tag with header name and default value.
   message Header {
     // Header name to obtain the value to populate the tag value.
-    string name = 1 [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
+    string name = 1
+        [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
     // When the header does not exist,
     // the tag value will be populated with this default value if specified,

api/envoy/type/tracing/v3/custom_tag.proto

@@ -48,7 +48,8 @@ message CustomTag {
         "envoy.type.tracing.v2.CustomTag.Header";
 
     // Header name to obtain the value to populate the tag value.
-    string name = 1 [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME}];
+    string name = 1
+        [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
 
     // When the header does not exist,
     // the tag value will be populated with this default value if specified,