From dbf0a0f6c0d604ae90845b941582a0b6f75678cb Mon Sep 17 00:00:00 2001
From: Matt Keeler <mkeeler@users.noreply.github.com>
Date: Mon, 6 May 2019 12:09:59 -0400
Subject: [PATCH] Copy the proxy config instead of direct assignment (#5786)

This prevents modifying the data in the state store which is supposed to be immutable.
---
 agent/consul/config_endpoint.go      | 7 ++++++-
 agent/consul/config_endpoint_test.go | 7 +++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/agent/consul/config_endpoint.go b/agent/consul/config_endpoint.go
index cbf474087d..9d10547456 100644
--- a/agent/consul/config_endpoint.go
+++ b/agent/consul/config_endpoint.go
@@ -9,6 +9,7 @@ import (
 	"github.com/hashicorp/consul/agent/consul/state"
 	"github.com/hashicorp/consul/agent/structs"
 	memdb "github.com/hashicorp/go-memdb"
+	"github.com/mitchellh/copystructure"
 )
 
 // The ConfigEntry endpoint is used to query centralized config information
@@ -257,7 +258,11 @@ func (c *ConfigEntry) ResolveServiceConfig(args *structs.ServiceConfigRequest, r
 					return fmt.Errorf("invalid proxy config type %T", proxyEntry)
 				}
 				// Apply the proxy defaults to the sidecar's proxy config
-				reply.ProxyConfig = proxyConf.Config
+				mapCopy, err := copystructure.Copy(proxyConf.Config)
+				if err != nil {
+					return fmt.Errorf("failed to copy global proxy-defaults: %v", err)
+				}
+				reply.ProxyConfig = mapCopy.(map[string]interface{})
 			}
 
 			reply.Index = index
diff --git a/agent/consul/config_endpoint_test.go b/agent/consul/config_endpoint_test.go
index 44b00660f3..23e0d01f94 100644
--- a/agent/consul/config_endpoint_test.go
+++ b/agent/consul/config_endpoint_test.go
@@ -695,6 +695,13 @@ func TestConfigEntry_ResolveServiceConfig(t *testing.T) {
 		QueryMeta: out.QueryMeta,
 	}
 	require.Equal(expected, out)
+
+	_, entry, err := s1.fsm.State().ConfigEntry(nil, structs.ProxyDefaults, structs.ProxyConfigGlobal)
+	require.NoError(err)
+	require.NotNil(entry)
+	proxyConf, ok := entry.(*structs.ProxyConfigEntry)
+	require.True(ok)
+	require.Equal(map[string]interface{}{"foo": 1}, proxyConf.Config)
 }
 
 func TestConfigEntry_ResolveServiceConfigNoConfig(t *testing.T) {