Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[receiver/awsfirehose]: Fix access key validation #34847

Merged
merged 2 commits into from
Aug 27, 2024
Merged

[receiver/awsfirehose]: Fix access key validation #34847

merged 2 commits into from
Aug 27, 2024

Conversation

Aneurysm9
Copy link
Member

@Aneurysm9 Aneurysm9 commented Aug 26, 2024
edited by arminru
Loading

Description: The awsfirehosereceiver can be configured to receive CloudWatch metrics via an AWS Firehose Stream. Firehose sets the header X-Amz-Firehose-Access-Key with an arbitrary configured string. The OpenTelemetry Collector awsfirehosereceiver can optionally be configured to require this key on incoming requests. However, when this is configured it still accepts incoming requests with no key.

Link to tracking Issue: Advisory

Testing: Tested via reproduction script provided by reporter.

Fixes: GHSA-prf6-xjxh-p698

@Aneurysm9 Aneurysm9 requested review from a team and crobert-1 August 26, 2024 16:19
@linux-foundation-easycla Linux Foundation: EasyCLA
Copy link

linux-foundation-easycla bot commented Aug 26, 2024
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: Aneurysm9 / name: Anthony Mirabella (27d4c5f)
  • ✅ login: DouglasHeriot / name: Douglas Heriot (78df2a9)

@Aneurysm9
Add changelog entry
27d4c5f 
Signed-off-by: Anthony J Mirabella <a9@aneurysm9.com>
@crobert-1
Copy link
Member

@DouglasHeriot: Can you please sign the CLA? We won't be able to merge this PR until all commit authors have signed it.

@DouglasHeriot
Copy link
Contributor

Done, we’ve got a Corporate CLA already signed.

@codeboten codeboten merged commit 371bf6a into open-telemetry:main Aug 27, 2024
156 checks passed
@github-actions github-actions bot added this to the next release milestone Aug 27, 2024
@Aneurysm9 Aneurysm9 deleted the advisory-fix-1 branch August 27, 2024 14:55
@GoVulnBot GoVulnBot mentioned this pull request Aug 28, 2024
Closed
f7o pushed a commit to f7o/opentelemetry-collector-contrib that referenced this pull request Sep 12, 2024
@Aneurysm9 @DouglasHeriot @f7o
[receiver/awsfirehose]: Fix access key validation (open-telemetry#34847)
c52be30 
**Description:** The `awsfirehosereceiver` can be configured to receive
CloudWatch metrics via an AWS Firehose Stream. [Firehose sets the
header](https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html)
`X-Amz-Firehose-Access-Key` with an arbitrary configured string. The
OpenTelemetry Collector awsfirehosereceiver can optionally be configured
to require this key on incoming requests. However, when this is
configured it still accepts incoming requests with no key.

**Link to tracking Issue:**
[Advisory](GHSA-prf6-xjxh-p698)

**Testing:** Tested via reproduction script provided by reporter.

---------

Signed-off-by: Anthony J Mirabella <a9@aneurysm9.com>
Co-authored-by: Douglas Heriot <dheriot@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crobert-1 crobert-1 crobert-1 approved these changes

@codeboten codeboten codeboten approved these changes

Assignees

@atoulme atoulme

Labels
receiver/awsfirehose
Projects
None yet
Milestone
v0.108.0
Development

Successfully merging this pull request may close these issues.
5 participants
@Aneurysm9 @crobert-1 @DouglasHeriot @codeboten @atoulme