Skip to content

Commit

Permalink
Add external process execution guidelines (open-telemetry#4652)
Browse files Browse the repository at this point in the history 
The guidelines are necessary to explain how we want to generally approach external process execution. This was recently brought up in open-telemetry/opentelemetry-collector-contrib#6512

If we accept these guidelines the following should happen:
- The prometheusexecreceiver should be modified to allow only a hard-coded list of exporters.
- The fluentbitextension should be either removed or significantly
  limited in terms of what locations and what executable file names it can allow.
- open-telemetry/opentelemetry-collector-contrib#6512
  will be rejected, possibly substituted by a plugin system that @zenmoto
  referred to in open-telemetry/opentelemetry-collector-contrib#6512 (comment)
  if we find useful to have such plugin system.
  • Loading branch information
@tigrannajaryan
tigrannajaryan authored Jan 18, 2022
1 parent 1621c2e commit 302df23
Showing 1 changed file with 18 additions and 0 deletions.
18 changes: 18 additions & 0 deletions CONTRIBUTING.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -260,6 +260,24 @@ the event happens.
Make log message human readable and also include data that is needed for easier
understanding of what happened and in what context.

### Executing External Processes

The components should avoid executing arbitrary external processes with arbitrary command
line arguments based on user input, including input received from the network or input
read from the configuration file. Failure to follow this rule can result in arbitrary
remote code execution, compelled by malicious actors that can craft the input.

The following limitations are recommended:
- If an external process needs to be executed limit and hard-code the location where
the executable file may be located, instead of allowing the input to dictate the
full path to the executable.
- If possible limit the name of the executable file to be one from a hard-coded
list defined at compile time.
- If command line arguments need to be passed to the process do not take the arguments
from the user input directly. Instead, compose the command line arguments indirectly,
if necessary, deriving the value from the user input. Limit as much as possible the
possible space of values for command line arguments.

### Observability

Out of the box, your users should be able to observe the state of your component.
Expand Down

0 comments on commit 302df23

Please sign in to comment.