spiritxishi opened a new issue, #12147: URL: https://github.com/apache/inlong/issues/12147
### Description Currently, Apache InLong Agent Installer's ModuleManager executes arbitrary shell commands via ExcuteLinux.exeCmd() with no filtering or whitelist validation. The commands originate from ModuleConfig objects (installCommand, startCommand, stopCommand, checkCommand, uninstallCommand) distributed by the Manager. Combined with the bundled default credentials (admin/inlong) and the lack of a forced password change on first login, this enables remote code execution on every connected Agent host as soon as an attacker obtains the Manager admin account. Affected files: inlong-agent/agent-common/.../utils/ExcuteLinux.java — /bin/sh -c with no filtering inlong-agent/agent-installer/.../ModuleManager.java — all 5 command fields fed directly to exeCmd(); isModuleConfigValid() only null-checks inlong-manager/.../application.properties — default credentials admin/inlong with no forced password change inlong-manager/.../ModuleController.java — /api/module/save only requires INLONG_ADMIN role To fix this issue, it is necessary to add relevant validation and hardening: 1、Replace /bin/sh -c with ProcessBuilder + argument array, add command character blacklist and length limit. 2、Validate every ModuleConfig command field on the Agent side before execution; reject path-traversal in fileName/storagePath and non-http(s) download URLs. 3、Force default-admin password rotation on first login. 4、Add a digital signature to ConfigResult; Agent verifies with a configured public key before applying commands (defence-in-depth against a compromised Manager / MITM). 5、Introduce a dedicated INLONG_MODULE_ADMIN role for /api/module/*; INLONG_ADMIN alone no longer suffices. ### InLong Component InLong Manager ### Are you willing to submit PR? - [x] Yes, I am willing to submit a PR! ### Code of Conduct - [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
