
Replace WEBrick because it is no longer recommended for production use

Open sparrowt opened this issue 1 year ago • 10 comments

Describe the bug

Fluentd depends on webrick and uses it in quite a few places and thus although it's no longer included in ruby, it is required (e.g. the dockerfile installs ruby-webrick).

There have been a fair few CVEs reported for webrick in recent years, but more worrying is that in response to a recent security vulnerability report, one of the maintainers said "webrick is not for production".

If fluentd continues to rely on this, it feels risky (e.g. maybe future reports may not be patched so quickly / at all).

Perhaps it would be wise to migrate each usage away from webrick to a production-suitable replacement?

To Reproduce

Install fluentd - you will not be able to do this without also installing webrick.

Expected behavior

We should move away from production use of a package which the maintainers no longer recommend for production use.

Your Environment

- Fluentd version: all recent versions
- Package version: N/A
- Operating system: N/A
- Kernel version: N/A

Your Configuration

Any configuration.

Your Error Log

N/A

Additional context

No response

sparrowt (Sep 26 '24 09:09)

Thanks for your report. This is more likely an enhancement request rather than a bug report. I think we need more opinions and ideas.

daipom (Sep 27 '24 01:09)

@daipom I saw this alternative https://github.com/socketry/falcon

Not sure if there are other alternatives, need to research more

Athishpranav2003 (Sep 27 '24 23:09)

@Athishpranav2003 Thanks! So, Falcon is an option for us!

Sorry, since I'm unfamiliar with these libraries and don't have much time this month, I cannot say for sure about the direction now.

daipom (Oct 02 '24 07:10)

It's similar for me. Maybe others active in the Ruby community can give some comments on this, @Watson1978?

Athishpranav2003 (Oct 02 '24 08:10)

Fluentd has been using async-http and webrick for the http server in in_http and RPC. I think it would be better to integrate them into one library (async-http, falcon or another).

Watson1978 (Oct 02 '24 09:10)

The most popular Ruby web server is Puma: https://github.com/puma/puma

dentarg (Oct 02 '24 10:10)

Can we please get an update on this one?

https://security.snyk.io/vuln/SNYK-RUBY-WEBRICK-8068535

Leodau (Feb 05 '25 11:02)

@Leodau Seems that the latest fluent-package LTS v5.0.5 contains webrick v1.8.2. https://github.com/fluent/fluent-package-builder/releases/tag/v5.0.5

Watson1978 (Feb 06 '25 07:10)

Fluentd uses WEBrick for the following features mainly:

  • RPC server
  • http_server plugin helper (only when async is not installed; the feature falls back to WEBrick)

We should remove the fallback feature of http_server plugin helper. It was made for supporting environments whose Ruby version < 2.3.

  • #2447

For the RPC server, we should consider using http_server plugin helper.

daipom (Apr 10 '25 03:04)

Remaining:

  • RPC server
  • in_http (WEBrick::HTTPUtils)

I have no idea how to replace multipart/form-data handling in in_http.

https://github.com/fluent/fluentd/blob/46372ddd521870f6a203baefb5a598209486d0bc/lib/fluent/plugin/in_http.rb#L539-L541

It may not be important to avoid using WEBrick::HTTPUtils since it is just utils.

daipom (Apr 10 '25 07:04)
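As an added illustration (not Fluentd's code and not a proposal from this thread), the following is a minimal multipart/form-data parser built on the Ruby standard library only, the kind of code that would have to stand in for WEBrick::HTTPUtils in in_http. It assumes a single-level multipart body small enough to hold in memory and a boundary parameter on the Content-Type header; the sample body and boundary are constructed.

```ruby
# Added example, not part of Fluentd: stdlib-only multipart/form-data parsing.
# Assumptions: one level of parts, whole body in memory, caller enforces size limits.

# Pull the boundary out of a Content-Type header; nil when the request is not multipart.
def multipart_boundary(content_type)
  return nil unless content_type
  m = content_type.match(/\Amultipart\/form-data\s*;.*boundary=(?:"([^"]+)"|([^;\s]+))/i)
  m && (m[1] || m[2])
end

# Parse the body into { field_name => { value:, filename:, content_type: } }.
# Parts without a Content-Disposition name are ignored rather than guessed at.
def parse_multipart(body, boundary)
  raise ArgumentError, "multipart body without a boundary" if boundary.nil? || boundary.empty?
  parts = {}
  body.split("--#{boundary}").each do |chunk|
    next unless chunk.start_with?("\r\n")  # skips the preamble and the closing "--" marker
    raw_headers, _, value = chunk[2..].partition("\r\n\r\n")
    headers = raw_headers.split("\r\n").to_h do |line|
      key, val = line.split(":", 2)
      [key.strip.downcase, val.to_s.strip]
    end
    disposition = headers["content-disposition"].to_s
    name = disposition[/;\s*name="([^"]*)"/, 1]
    next unless name
    parts[name] = {
      value: value.delete_suffix("\r\n"),  # the CRLF before the next delimiter is not payload
      filename: disposition[/;\s*filename="([^"]*)"/, 1],
      content_type: headers["content-type"],
    }
  end
  parts
end

# Constructed sample request, shaped like an in_http upload with a JSON field and a file.
SAMPLE_BOUNDARY = "fluentd-example-boundary"
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=#{SAMPLE_BOUNDARY}"
SAMPLE_BODY = [
  "--#{SAMPLE_BOUNDARY}",
  'Content-Disposition: form-data; name="json"',
  "",
  '{"message":"hello"}',
  "--#{SAMPLE_BOUNDARY}",
  'Content-Disposition: form-data; name="file"; filename="note.txt"',
  "Content-Type: text/plain",
  "",
  "line one",
  "--#{SAMPLE_BOUNDARY}--",
  "",
].join("\r\n")

puts parse_multipart(SAMPLE_BODY, multipart_boundary(SAMPLE_CONTENT_TYPE)).inspect if $PROGRAM_NAME == __FILE__
```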

If the remaining issues could also be fixed in a timely manner for v1.19, it is okay to merge https://github.com/fluent/fluentd/pull/4900 .

kenhys (Jun 25 '25 01:06)

> If the remaining issues could also be fixed in a timely manner for v1.19, it is okay to merge #4900 .

Remaining issues except for #4900:

  • RPC server
  • in_http: multipart/form-data

daipom (Jun 25 '25 02:06)

#4900 is merged.

Remaining:

* RPC server
* `in_http`: `multipart/form-data`

daipom (Jul 30 '25 04:07)

Awesome thanks!

Leodau (Sep 03 '25 17:09)