apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: log4j-exploit-sanitizer
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.lua
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inline_code: |
            function envoy_on_request(request_handle)
              for key, value in pairs(request_handle:headers()) do
                if (string.match(tostring(value), "%$") or string.match(tostring(value),"%%24")) then
                   request_handle:respond({[":status"] = "403"}, "Invalid request"..string.char(10))
                   break
                end
              end
            end
  workloadSelector:
    labels:
      app: yelb-exploit