
warning for using localhost in security-best-practices

Open Sanket-0510 opened this issue 1 year ago • 5 comments

Description: Warning and alert for using localhost, which might go through DNS resolution and end up with an unexpected IP, risking security.

Link to tracking Issue: #9338

Documentation: Added warning and risk alert in https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/security-best-practices.md

Sanket-0510 avatar Jan 31 '24 17:01 Sanket-0510

I think this should be under the 'Safeguards against denial of service attacks' section.

I also don't think we should word it as a warning and make it seem like localhost is the right option to use: it is the right option to use for many use cases, even if there may be use cases where it's not the right thing to do.

Instead, we should state that if localhost resolves to something other than 127.0.0.1/::1, you can use these explicitly instead.

will this be fine @mx-psi ?

If 'localhost' resolves to a different IP due to DNS, then explicitly use these IPs instead:
IPv4: 127.0.0.1
IPv6: ::1
IPv6 Reminder:
In IPv6 setups, ensure your system supports both IPv4 and IPv6 loopback addresses to avoid issues.

Best Practice:
For clarity and safety, consider explicitly mentioning the IP (127.0.0.1) instead of relying solely on 'localhost,' especially in sensitive setups. Keep things consistent across different networks.

Sanket-0510 avatar Jan 31 '24 18:01 Sanket-0510
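The edge case discussed in this thread (a hostname like `localhost` resolving, via `/etc/hosts` or DNS, to something other than the loopback addresses) can be checked programmatically before a listener is bound. The following is an added example, not code from the opentelemetry-collector project or from this PR: it resolves a host, flags every resolved address that is not loopback, and falls back to the explicit `127.0.0.1` / `::1` the comment above recommends. The function names (`checkLocalhost`, `nonLoopbackAddrs`, `loopbackFallback`) and the injectable `lookupFunc` are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net"
	"os"
)

// lookupFunc abstracts name resolution so the check can be exercised with
// constructed results in tests and with net.LookupHost in real use.
// (Hypothetical type, not part of the Collector.)
type lookupFunc func(host string) ([]string, error)

// nonLoopbackAddrs returns every resolved address that is not a loopback
// address (127.0.0.0/8 or ::1). An empty result means the hostname behaves
// as expected; a non-empty one is the edge case the docs PR describes.
func nonLoopbackAddrs(addrs []string) []string {
	var bad []string
	for _, a := range addrs {
		ip := net.ParseIP(a)
		// Unparseable strings are treated as untrusted too.
		if ip == nil || !ip.IsLoopback() {
			bad = append(bad, a)
		}
	}
	return bad
}

// loopbackFallback returns the explicit addresses to bind instead of the
// hostname when resolution cannot be trusted.
func loopbackFallback() []string {
	return []string{"127.0.0.1", "::1"}
}

// checkLocalhost resolves host with lookup and reports the resolved
// addresses that are not loopback. A non-empty result is the signal to
// bind loopbackFallback() instead of the hostname.
func checkLocalhost(host string, lookup lookupFunc) ([]string, error) {
	addrs, err := lookup(host)
	if err != nil {
		return nil, fmt.Errorf("resolving %q: %w", host, err)
	}
	return nonLoopbackAddrs(addrs), nil
}

func main() {
	bad, err := checkLocalhost("localhost", net.LookupHost)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if len(bad) == 0 {
		fmt.Println("localhost resolves only to loopback addresses")
		return
	}
	fmt.Printf("localhost resolves to non-loopback address(es) %v; "+
		"bind explicitly to %v instead\n", bad, loopbackFallback())
}
```

Run as-is it inspects the machine's own resolver; the injectable lookup is what lets the decision logic be verified offline with constructed addresses.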

@mx-psi this is stale from last week, could you please review this PR.

Sanket-0510 avatar Feb 06 '24 14:02 Sanket-0510

@Sanket-0510 Apologies, I likely won't have time to review until the end of the week

mx-psi avatar Feb 06 '24 22:02 mx-psi

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 90.90%. Comparing base (f11c5bb) to head (5fac17a). Report is 70 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #9444      +/-   ##
==========================================
+ Coverage   90.70%   90.90%   +0.20%     
==========================================
  Files         347      348       +1     
  Lines       18199    18382     +183     
==========================================
+ Hits        16507    16710     +203     
+ Misses       1369     1348      -21     
- Partials      323      324       +1     


codecov[bot] avatar Feb 06 '24 22:02 codecov[bot]

[...]

Best Practice: For clarity and safety, consider explicitly mentioning the IP (127.0.0.1) instead of relying solely on 'localhost,' especially in sensitive setups. Keep things consistent across different networks.

I disagree that this is a 'best practice': this is an edge case and we should document it as an edge case.

mx-psi avatar Feb 09 '24 15:02 mx-psi

This PR was marked stale due to lack of activity. It will be closed in 14 days.

github-actions[bot] avatar Mar 06 '24 03:03 github-actions[bot]

Thanks for bearing with me on this and apologies for the delay in replying (I went on vacation for a couple weeks :smile:). Let's go with this for now and see how people respond :)

No worries, I hope you had a great vacation 😊. Yes, now this looks to the point and is short as well. ✨✨

Sanket-0510 avatar Mar 06 '24 11:03 Sanket-0510