spiritxishi opened a new issue, #12147:
URL: https://github.com/apache/inlong/issues/12147

   ### Description
   
   Currently, Apache InLong Agent Installer's ModuleManager executes arbitrary 
shell commands via ExcuteLinux.exeCmd() with no filtering or whitelist 
validation. The commands originate from ModuleConfig objects (installCommand, 
startCommand, stopCommand, checkCommand, uninstallCommand) distributed by the 
Manager. 
   Combined with the bundled default credentials (admin/inlong) and the lack of 
a forced password change on first login, this enables remote code execution on 
every connected Agent host as soon as an attacker obtains the Manager admin 
account.
   
   Affected files:
   
   inlong-agent/agent-common/.../utils/ExcuteLinux.java — /bin/sh -c with no 
filtering
   inlong-agent/agent-installer/.../ModuleManager.java — all 5 command fields 
fed directly to exeCmd(); isModuleConfigValid() only null-checks
   inlong-manager/.../application.properties — default credentials admin/inlong 
with no forced password change
   inlong-manager/.../ModuleController.java — /api/module/save only requires 
INLONG_ADMIN role
   
   To fix this issue, it is necessary to add relevant validation and hardening:
   
   1、Replace /bin/sh -c with ProcessBuilder + argument array, add command 
character blacklist and length limit.
   2、Validate every ModuleConfig command field on the Agent side before 
execution; reject path-traversal in fileName/storagePath and non-http(s) 
download URLs.
   3、Force default-admin password rotation on first login.
   4、Add a digital signature to ConfigResult; Agent verifies with a configured 
public key before applying commands (defence-in-depth against a compromised 
Manager / MITM).
   5、Introduce a dedicated INLONG_MODULE_ADMIN role for /api/module/*; 
INLONG_ADMIN alone no longer suffices.
   
   
   ### InLong Component
   
   InLong Manager
   
   ### Are you willing to submit PR?
   
   - [x] Yes, I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of 
Conduct](https://www.apache.org/foundation/policies/conduct)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to