Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[config{grpc,http}] Add warning when using unspecified address #6267

Merged
merged 11 commits into from
Oct 25, 2022
Merged

[config{grpc,http}] Add warning when using unspecified address #6267

merged 11 commits into from
Oct 25, 2022

Conversation

mx-psi
Copy link
Member

@mx-psi mx-psi commented Oct 10, 2022

Description:

Add warning when using 0.0.0.0 address on an HTTP or gRPC server.

Link to tracking Issue: Fixes #6151

@mx-psi mx-psi requested review from a team and codeboten October 10, 2022 11:35
@mx-psi mx-psi marked this pull request as draft October 10, 2022 13:37
@mx-psi mx-psi marked this pull request as ready for review October 10, 2022 16:17
@codecov
Copy link

codecov bot commented Oct 11, 2022
edited
Loading

Codecov Report

Base: 92.06% // Head: 91.76% // Decreases project coverage by -0.30% ⚠️

Coverage data is based on head (385cb84) compared to base (ee02bc7).
Patch coverage: 87.50% of modified lines in pull request are covered.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #6267      +/-   ##
==========================================
- Coverage   92.06%   91.76%   -0.30%     
==========================================
  Files         219      236      +17     
  Lines       13242    13476     +234     
==========================================
+ Hits        12191    12366     +175     
- Misses        828      880      +52     
- Partials      223      230       +7
Impacted Files Coverage Δ
config/configgrpc/configgrpc.go 91.58% <50.00%> (-1.20%) ⬇️
config/confighttp/confighttp.go 98.12% <100.00%> (-1.88%) ⬇️
config/internal/warning.go 100.00% <100.00%> (ø)
pdata/plog/pb.go 71.42% <0.00%> (-28.58%) ⬇️
pdata/ptrace/pb.go 71.42% <0.00%> (-28.58%) ⬇️
pdata/pmetric/pb.go 71.42% <0.00%> (-28.58%) ⬇️
pdata/ptrace/json.go 53.33% <0.00%> (-26.67%) ⬇️
pdata/pmetric/json.go 53.33% <0.00%> (-26.67%) ⬇️
pdata/plog/json.go 73.33% <0.00%> (-26.67%) ⬇️
exporter/loggingexporter/factory.go 88.88% <0.00%> (-11.12%) ⬇️
... and 36 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

codeboten
codeboten reviewed Oct 17, 2022
View reviewed changes
Copy link
Contributor

@codeboten codeboten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for fixing, just a suggestion to fix the (now broken) links

config/configgrpc/configgrpc.go Outdated Show resolved Hide resolved
config/confighttp/confighttp.go Outdated Show resolved Hide resolved
@codeboten codeboten closed this Oct 19, 2022
@codeboten codeboten reopened this Oct 19, 2022
bogdandrutu
bogdandrutu reviewed Oct 22, 2022
View reviewed changes
config/configgrpc/configgrpc.go Outdated Show resolved Hide resolved
config/confighttp/confighttp.go Outdated Show resolved Hide resolved
config/confighttp/confighttp.go Outdated Show resolved Hide resolved
bogdandrutu
bogdandrutu approved these changes Oct 24, 2022
View reviewed changes
config/configgrpc/configgrpc.go Outdated
Comment on lines 279 to 291
case "tcp", "tcp4", "tcp6", "udp", "udp4", "udp6":
host, _, err := net.SplitHostPort(gss.NetAddr.Endpoint)
if err != nil {
return nil, fmt.Errorf("failed to parse endpoint: %w", err)
}

if ip := net.ParseIP(host); ip != nil && ip.IsUnspecified() {
settings.Logger.Warn(
"Using the 0.0.0.0 address exposes this server to every network interface, which may facilitate Denial of Service attacks",
zap.String(
"documentation",
"https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/security-best-practices.md#safeguards-against-denial-of-service-attacks",
),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Last comment, I promise :))

Can we actually have a Validate() error on confignet.NetAddr and confignet.TCPAddr. That way you can share this code.

Copy link
Member

@bogdandrutu bogdandrutu Oct 24, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hard probably to have the warning about "0.0.0.0" (since the Validate will not have access to the logger) but that can be duplicate or a standalone helper in the confignet package.

Even better the helper can be in config/internal

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I created a WarnOnUnspecifiedHost helper on config/internal. Does that look good?

@bogdandrutu bogdandrutu merged commit 396964d into open-telemetry:main Oct 25, 2022
codeboten pushed a commit to codeboten/opentelemetry-collector that referenced this pull request Oct 25, 2022
Revert "[config{grpc,http}] Add warning when using unspecified address (
f64d4ab 
open-telemetry#6267)"

This reverts commit 396964d.
@codeboten codeboten mentioned this pull request Oct 25, 2022
Closed
codeboten pushed a commit that referenced this pull request Oct 25, 2022
Revert "[config{grpc,http}] Add warning when using unspecified address (
36d142f 
#6267)" (#6405)

This reverts commit 396964d.
@mx-psi mx-psi mentioned this pull request Oct 27, 2022
Merged
mx-psi added a commit to mx-psi/opentelemetry-collector that referenced this pull request Oct 27, 2022
@mx-psi
[config{grpc,http}] Add warning when using unspecified address (open-…
1c71dd2 
…telemetry#6267)

* [config/config{grpc,http}] Add warning when using a 0.0.0.0 endpoint

* Add warning when using unspecified address

* Add changelog entry

* Fix tests

* Fix HTTP tests

* Apply suggestions from code review

Co-authored-by: Alex Boten <[email protected]>

* Use IsUnspecified method

* no else after return

* Move shared code to internal

Co-authored-by: Alex Boten <[email protected]>
(cherry picked from commit 396964d)
codeboten added a commit that referenced this pull request Nov 3, 2022
@mx-psi @codeboten
[unrevert][config{grpc,http}] Add warning when using unspecified addr…
ae0f846 
…ess (#6421)

Unrevert #6267 and make it so that we never error out.

Co-authored-by: Alex Boten <[email protected]>
@mx-psi mx-psi mentioned this pull request Apr 26, 2023
Merged
@mx-psi mx-psi mentioned this pull request Jul 3, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@codeboten codeboten codeboten approved these changes

@bogdandrutu bogdandrutu bogdandrutu approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[receiver/otlp] CWE-1327 in OTLP receiver
3 participants
@mx-psi @codeboten @bogdandrutu