[release/v1.6] cherry-pick security patch for v1.6.2 #7920

Merged
rudrakhp merged 2 commits into envoyproxy:release/v1.6 from rudrakhp:cherrypick-sp/v1.6.2
Jan 12, 2026

@rudrakhp
Member

Ref: 6b0ffc2

* Runs Lua `Strict` validation in the gateway along with a security hardening module. This module blocks dangerous Lua functionality that may lead to arbitrary code execution on the controller pods.
* Renamed `Syntax` to `InsecureSyntax` validation mode to signify that in this mode Lua won't be validated for possible security gaps. Won't be breaking as `Syntax` mode was not available for use yet. Added a similar warning to `Disabled` validation mode as well.
* Supports option to `disableLua` EnvoyExtensionPolicies feature in the gateway to eliminate arbitrary Lua execution as an attack surface.

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
@rudrakhp rudrakhp requested a review from a team as a code owner January 12, 2026 12:06
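
The kind of restriction a Lua hardening step relies on, as an added example that is not part of the PR and not Envoy Gateway's module: untrusted source is compiled as text only and run against an allow-listed environment, so `os`, `io`, `require`, `load*` and `debug` are simply absent. The allow-list contents and the names `build_env` and `run_sandboxed` are assumptions for illustration; the project's actual block list is not shown on this page.

```lua
-- Added illustration (assumed names and allow-list, not the project's code).
-- Works on Lua 5.1 / LuaJIT (setfenv) and Lua 5.2+ (load with env).

-- Globals a filter script may use. Anything not listed is unavailable.
local SAFE_GLOBALS = {
  "assert", "error", "ipairs", "next", "pairs", "pcall", "select",
  "tonumber", "tostring", "type",
}
-- Per-library allow-list; string.rep and string.dump are left out on purpose.
local SAFE_LIBS = {
  string = { "byte", "char", "find", "format", "gsub", "len", "lower", "match", "sub", "upper" },
  table  = { "concat", "insert", "remove", "sort" },
  math   = { "abs", "ceil", "floor", "max", "min" },
}

-- Build a fresh environment so one script cannot poison the next.
local function build_env()
  local env = {}
  for _, name in ipairs(SAFE_GLOBALS) do env[name] = _G[name] end
  for lib, fns in pairs(SAFE_LIBS) do
    env[lib] = {}
    for _, fn in ipairs(fns) do env[lib][fn] = _G[lib][fn] end
  end
  return env
end

-- Compile `source` and run it with the restricted environment.
-- Returns pcall-style results: ok, value-or-error.
local function run_sandboxed(source)
  -- Precompiled chunks start with ESC (27); reject them, text only.
  if source:byte(1) == 27 then
    return false, "precompiled bytecode rejected"
  end
  local env = build_env()
  local chunk, err
  if setfenv then                        -- Lua 5.1 / LuaJIT
    chunk, err = loadstring(source, "=policy")
    if chunk then setfenv(chunk, env) end
  else                                   -- Lua 5.2+
    chunk, err = load(source, "=policy", "t", env)
  end
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Constructed sample scripts: the first succeeds, the other two fail
-- because the names they reach for do not exist in the environment.
print(run_sandboxed("return string.upper('ok')"))
print(run_sandboxed("return os.getenv('HOME')"))
print(run_sandboxed("return require('io')"))
```

Method calls on string values still resolve through the shared string metatable, so a production sandbox also has to account for that path and for CPU and memory limits.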
zirain previously approved these changes Jan 12, 2026
codecov bot commented Jan 12, 2026

Codecov Report

❌ Patch coverage is 63.63636% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.38%. Comparing base (57dd6ad) to head (4a02772).
⚠️ Report is 1 commits behind head on release/v1.6.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| internal/gatewayapi/runner/runner.go | 0.00% | 12 Missing ⚠️ |
| internal/gatewayapi/envoyextensionpolicy.go | 0.00% | 1 Missing and 1 partial ⚠️ |
| internal/gatewayapi/luavalidator/lua_validator.go | 93.33% | 1 Missing and 1 partial ⚠️ |

Additional details and impacted files
@@               Coverage Diff                @@
##           release/v1.6    #7920      +/-   ##
================================================
+ Coverage         72.35%   72.38%   +0.02%     
================================================
  Files               231      231              
  Lines             34161    34185      +24     
================================================
+ Hits              24717    24744      +27     
+ Misses             7666     7665       -1     
+ Partials           1778     1776       -2     

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
@rudrakhp rudrakhp merged commit 27bf1cc into envoyproxy:release/v1.6 Jan 12, 2026
21 of 24 checks passed