Conversation

@sumitkmr2
Contributor

@sumitkmr2 sumitkmr2 commented Jan 7, 2026

Description: Return 404 instead of 403 for blocked methods

Additional Description:
This change updates the proto_api_scrubber filter to return 404 Not Found (gRPC status 5 NOT_FOUND) instead of 403 Forbidden (gRPC status 7 PERMISSION_DENIED) when a request is rejected due to a method-level blocking rule.

Security Motivation:
The primary driver for this change is to prevent potential attackers from enumerating valid endpoints. By returning 403, the server explicitly signals that the method exists but the client is not authorized to access it. Switching to 404 ensures that clients cannot distinguish between a method that does not exist and a method that they are blocked from accessing. This reduces information leakage regarding the API surface area.

Changes:

  • Updated proto_api_scrubber/filter.cc to reject requests with Status::NotFound when a method-level match occurs.
  • Updated proto_api_scrubber_test/filter_test.cc unit tests to verify the new status code and local reply string.
  • Updated proto_api_scrubber_test/integration_test.cc to verify the end-to-end behavior returns gRPC status 5.

Risk Level:
Low (Behavior change for blocked requests).

Testing:

  • Verified via updated unit tests (MethodLevelRestrictionTest).
  • Verified via updated integration tests (RejectsBlockedMethod).
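The status-code collapse the description argues for, shown as an added C++ example that is not Envoy's or the PR's code. It models the pre-change and post-change rejection policies as plain functions over a constructed config; the `ScrubberConfig` struct, the method names and the assumption that a method absent from the service descriptor is already answered with NOT_FOUND are all inventions of this example, not taken from the filter.

```cpp
// Added example (not Envoy's code): models the status-code decision the
// proto_api_scrubber change describes. After the change an unknown method
// and a blocked method both yield gRPC NOT_FOUND (5), so a client probing
// method names learns nothing from the status code alone.
#include <iostream>
#include <set>
#include <string>

// gRPC status codes referenced in the PR description.
constexpr int kGrpcOk = 0;
constexpr int kGrpcNotFound = 5;          // surfaces as HTTP 404
constexpr int kGrpcPermissionDenied = 7;  // surfaces as HTTP 403

// Hypothetical service description: which methods exist, which are blocked.
// Both sets are constructed for this example.
struct ScrubberConfig {
  std::set<std::string> known_methods;
  std::set<std::string> blocked_methods;
};

// Pre-change policy: a blocked method is rejected with PERMISSION_DENIED,
// a method missing from the descriptor with NOT_FOUND (assumed here).
int decideBefore(const ScrubberConfig& cfg, const std::string& method) {
  if (cfg.known_methods.count(method) == 0) return kGrpcNotFound;
  if (cfg.blocked_methods.count(method) != 0) return kGrpcPermissionDenied;
  return kGrpcOk;
}

// Post-change policy (the behaviour the PR describes): blocked and
// unknown methods are both rejected with NOT_FOUND.
int decideAfter(const ScrubberConfig& cfg, const std::string& method) {
  if (cfg.known_methods.count(method) == 0) return kGrpcNotFound;
  if (cfg.blocked_methods.count(method) != 0) return kGrpcNotFound;
  return kGrpcOk;
}

// True if, under the given policy, the status code alone lets a client tell
// a blocked-but-existing method apart from a method that does not exist.
template <typename Policy>
bool leaksMethodExistence(const ScrubberConfig& cfg, Policy policy,
                          const std::string& blocked,
                          const std::string& unknown) {
  return policy(cfg, blocked) != policy(cfg, unknown);
}

int main() {
  // Constructed sample: one public method, one blocked internal method.
  ScrubberConfig cfg{{"/demo.Svc/Public", "/demo.Svc/Internal"},
                     {"/demo.Svc/Internal"}};
  const std::string blocked = "/demo.Svc/Internal";
  const std::string unknown = "/demo.Svc/DoesNotExist";

  std::cout << "before: blocked=" << decideBefore(cfg, blocked)
            << " unknown=" << decideBefore(cfg, unknown)
            << " leaks=" << leaksMethodExistence(cfg, decideBefore, blocked, unknown)
            << "\n";
  std::cout << "after:  blocked=" << decideAfter(cfg, blocked)
            << " unknown=" << decideAfter(cfg, unknown)
            << " leaks=" << leaksMethodExistence(cfg, decideAfter, blocked, unknown)
            << "\n";
  return 0;
}
```

The `leaksMethodExistence` check is the property a unit test for this kind of change should pin down: rather than asserting only that blocked requests get status 5, assert that blocked and non-existent methods are indistinguishable, so a later refactor cannot quietly reintroduce the 403/404 split.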

@repokitteh-read-only

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #42885 was opened by sumitkmr2.


@sumitkmr2 sumitkmr2 changed the title from "return 404 instead of 403 for blocked methods" to "proto_api_scrubber: return 404 instead of 403 for blocked methods." Jan 7, 2026
@sumitkmr2 sumitkmr2 marked this pull request as ready for review January 7, 2026 09:34
@sumitkmr2 sumitkmr2 requested a review from adisuissa as a code owner January 7, 2026 09:34
Signed-off-by: Sumit Kumar <[email protected]>
@wbpcode wbpcode merged commit e1e7552 into envoyproxy:main Jan 7, 2026
25 checks passed

2 participants