Heimdall Identity Aware Proxy Envoy gRPC Decision API Query Path Bypass Vulnerability

Vulnerability

A vulnerability in Heimdall, a cloud-native Identity Aware Proxy and Access Control Decision service, allows access control rules to be bypassed under specific conditions. It affects versions 0.7.0-alpha through 0.17.10 when Heimdall is used in Envoy gRPC decision API mode, i.e. as the gRPC backend of Envoy's external authorization (ext_authz) filter. The cause is incorrect encoding of the request's query string, which leads to rules with non-wildcard path expressions being bypassed. Envoy does not forward the request URL as one string; its authorization API splits the request into separate fields and sends them to Heimdall individually. Although that API defines both a path field and a query field, the query field is always empty (it exists only for compatibility) and the URL query is delivered as part of the path field. Heimdall did not separate the two, so a request target such as '/mypath?foo=bar' was treated as a bare path and encoded as '/mypath%3Ffoo=bar', which no longer matches a rule written for '/mypath'. The bypass results in unintended access only if Heimdall is configured with an 'allow all' default rule; that setting has been disabled by default since version 0.16.0.
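The encoding mistake and its fix, shown side by side as an added example in Go (Heimdall's language). This is illustrative code, not Heimdall's own: the `rule` type, the exact-match `decide` helper and the constructed request targets are assumptions made for the example, and `vulnerableURL` models only the observable behaviour described above (the Envoy path field, query included, placed straight into a URL path so that '?' is percent-encoded). It also covers the reproduction scenario below, where a request for a blocked path is retried with a query string appended.

```go
package main

import (
	"fmt"
	"net/url"
)

// rule is a simplified stand-in for a Heimdall rule: an exact path expression
// and the decision for requests that match it. It is not Heimdall's rule model.
type rule struct {
	path  string
	allow bool
}

// decide returns the decision of the first rule whose path expression equals
// the request's escaped path. If no rule matches, defaultAllow applies; true
// models the "allow all" default rule, false the shipped default since 0.16.0.
func decide(rules []rule, u *url.URL, defaultAllow bool) bool {
	for _, r := range rules {
		if r.path == u.EscapedPath() {
			return r.allow
		}
	}
	return defaultAllow
}

// vulnerableURL models the pre-0.17.11 behaviour (assumed for this example):
// Envoy's `path` attribute, which still carries the query string, is stored as
// the URL path. Serializing it percent-encodes '?' as %3F, so "/admin?x=1"
// becomes "/admin%3Fx=1" and no longer equals the rule's "/admin".
func vulnerableURL(envoyPath string) *url.URL {
	return &url.URL{Path: envoyPath}
}

// fixedURL parses Envoy's `path` attribute as a request target, so the query
// ends up in RawQuery and rule matching sees the real path "/admin".
func fixedURL(envoyPath string) (*url.URL, error) {
	return url.ParseRequestURI(envoyPath)
}

func main() {
	// Constructed policy: block /admin, let everything else through (allow-all default).
	rules := []rule{{path: "/admin", allow: false}}
	for _, target := range []string{"/admin", "/admin?x=1"} {
		vuln := vulnerableURL(target)
		fixed, err := fixedURL(target)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s vulnerable sees %-14s allowed=%-5v | fixed sees %-8s allowed=%v\n",
			target,
			vuln.EscapedPath(), decide(rules, vuln, true),
			fixed.EscapedPath(), decide(rules, fixed, true))
	}
}
```

With the allow-all default, the vulnerable parsing denies "/admin" but allows "/admin?x=1", because the deny rule never sees "/admin"; the fixed parsing denies both. Changing the last argument of `decide` to false shows why the default-rule setting matters: with no allow-all default the unmatched request is denied anyway, and the bypass grants nothing.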

Impact

Users of Heimdall in versions 0.7.0-alpha through 0.17.10 who use the Envoy gRPC decision API are affected. The bypass turns into unintended access only where an 'allow all' default rule is configured: an attacker can then evade a block rule for a specific, non-wildcard path simply by appending a query string to the request, because the rule no longer matches and the default rule allows the request.

Reproduction

The vulnerability can be reproduced with the project's example Docker Compose setup for Envoy gRPC. After starting the services, send a request to a path that a rule blocks; it is denied. Send the same request again with a query parameter appended; it is no longer matched by the block rule and, with the 'allow all' default rule in place, is let through, demonstrating the bypass.

Remediation

Users should update to Heimdall version 0.17.11, which fixes the handling of the query string carried in Envoy's path field so that rules again match the request path. Where an update is not yet possible, not configuring an 'allow all' default rule (the default since version 0.16.0) prevents the bypass from granting any access, although rules for affected paths still do not match requests that carry a query string.

Added: Mar 20, 2026, 3:36 AM
Updated: Mar 20, 2026, 3:36 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 8.2
remediation: 0.0
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.