
Commit 302df23

Add external process execution guidelines (open-telemetry#4652)
The guidelines are necessary to explain how we want to generally approach external process execution. This was recently brought up in open-telemetry/opentelemetry-collector-contrib#6512.

If we accept these guidelines the following should happen:

- The prometheusexecreceiver should be modified to allow only a hard-coded list of exporters.
- The fluentbitextension should be either removed or significantly limited in terms of what locations and what executable file names it can allow.
- open-telemetry/opentelemetry-collector-contrib#6512 will be rejected, possibly substituted by a plugin system that @zenmoto referred to in open-telemetry/opentelemetry-collector-contrib#6512 (comment) if we find it useful to have such a plugin system.
1 parent 1621c2e commit 302df23

1 file changed

+18
-0
lines changed

CONTRIBUTING.md

Lines changed: 18 additions & 0 deletions
@@ -260,6 +260,24 @@ the event happens.
260260
Make log message human readable and also include data that is needed for easier
261261
understanding of what happened and in what context.
262262

263+
### Executing External Processes
264+
265+
The components should avoid executing arbitrary external processes with arbitrary command
266+
line arguments based on user input, including input received from the network or input
267+
read from the configuration file. Failure to follow this rule can result in arbitrary
268+
remote code execution, compelled by malicious actors that can craft the input.
269+
270+
The following limitations are recommended:
271+
- If an external process needs to be executed limit and hard-code the location where
272+
the executable file may be located, instead of allowing the input to dictate the
273+
full path to the executable.
274+
- If possible limit the name of the executable file to be one from a hard-coded
275+
list defined at compile time.
276+
- If command line arguments need to be passed to the process do not take the arguments
277+
from the user input directly. Instead, compose the command line arguments indirectly,
278+
if necessary, deriving the value from the user input. Limit as much as possible the
279+
possible space of values for command line arguments.
280+
263281
### Observability
264282

265283
Out of the box, your users should be able to observe the state of your component.
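Review bot: the third bullet (lines 276-279) tells contributors to compose command line arguments indirectly, but says nothing about how the process is launched; the same input concerns apply if the command is handed to a shell for interpretation, and a sentence recommending that the executable be invoked directly with an argument vector rather than through a shell string would close that gap. Two smaller points in the same hunk: "arbitrary remote code execution, compelled by malicious actors" (line 268) reads awkwardly, "triggered by malicious actors" is the usual wording; and "Limit as much as possible the possible space of values" (lines 278-279) repeats "possible", "Limit the space of possible values for command line arguments as much as possible" is cleaner. The first two bullets would also benefit from a comma after the leading "If ..." clause ("If an external process needs to be executed, limit ..."; "If possible, limit ...") for consistency with the third bullet's prose.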
