fluent-vulnerability_checker 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: cd7c2d2cbbef103a4de79835df5be2bde07be9fb280d7358488400be08ddce39
+  data.tar.gz: 104bfc90898a715a10723349b8049b7ac57e9221370d7d67258666d2b11f3b69
+SHA512:
+  metadata.gz: 010a075d2bf357418f6d2dc7390dd082ef137c80914bb53a6d54c159458609466e10dd6051eb25b8e6fa9b361e120e88e1783f249ecce0ad56164e69ba947741
+  data.tar.gz: 14d93635f7c948b18826be70c30a6955a9ed6be8f68e11e7b77e58065ce055b92ba67032f228695c13e4bf4d6d4d525321202d7cc83a9cb28577ebce0388f287

data/.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'monthly'

data/.github/workflows/linux.yml

@@ -0,0 +1,38 @@
+name: Testing on Ubuntu
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 0 1 * *'
+jobs:
+  ruby-versions:
+    uses: ruby/actions/.github/workflows/ruby_versions.yml@master
+    with:
+      engine: cruby
+      min_version: 2.7
+  build:
+    needs: ruby-versions
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
+        exclude:
+          - ruby: head
+        os:
+          - ubuntu-latest
+    name: Ruby ${{ matrix.ruby }} unit testing on ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: ruby/setup-ruby@6ca151fd1bfcfd6fe0c4eb6837eb0584d0134a0c # v1.290.0
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        rubygems: latest
+    - name: unit testing
+      env:
+        CI: true
+      run: |
+        bundle install --jobs 4 --retry 3
+        bundle exec rake test

data/.github/workflows/windows.yml

@@ -0,0 +1,38 @@
+name: Testing on Windows
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 0 1 * *'
+jobs:
+  ruby-versions:
+    uses: ruby/actions/.github/workflows/ruby_versions.yml@master
+    with:
+      engine: cruby
+      min_version: 2.7
+  build:
+    needs: ruby-versions
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
+        exclude:
+          - ruby: head
+        os:
+          - windows-latest
+    name: Ruby ${{ matrix.ruby }} unit testing on ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: ruby/setup-ruby@6ca151fd1bfcfd6fe0c4eb6837eb0584d0134a0c # v1.290.0
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        rubygems: latest
+    - name: unit testing
+      env:
+        CI: true
+      run: |
+        bundle install --jobs 4 --retry 3
+        bundle exec rake test

data/.rubocop.yml

@@ -0,0 +1,18 @@
+AllCops:
+  # td-agent 4 or later
+  TargetRubyVersion: 2.7
+  NewCops: enable
+
+Gemspec:
+  Enabled: true
+Layout:
+  Enabled: false
+Lint:
+  Enabled: false
+Metrics:
+  Enabled: false
+Security:
+  Enabled: true
+Style:
+  Enabled: false
+

data/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -0,0 +1,65 @@
+# fluent-vulnerability_checker
+
+A static analysis tool that detects known security risks in Fluentd configuration files and provides actionable remediation advice.
+
+Fluentdの設定ファイルを解析し、既知の脆弱性につながる危険な設定を検知するセキュリティ監査ツールです。
+
+## Features
+Detects configurations leading to the following vulnerabilities:
+
+* CVE-2026-44024 [Remote Code Execution (RCE)](https://github.com/fluent/fluentd/security/advisories/GHSA-44hj-4m45-frj3)
+* CVE-2026-44161 [Server-Side Request Forgery (SSRF)](https://github.com/fluent/fluentd/security/advisories/GHSA-72f5-rr8c-r6gr)
+* CVE-2026-44160 [Denial of Service (DoS)](https://github.com/fluent/fluentd/security/advisories/GHSA-j9cw-hwqf-85w7)
+* CVE-2026-44025 [Exposure of Sensitive Information](https://github.com/fluent/fluentd/security/advisories/GHSA-pr7j-96cj-549h)
+
+## Installation
+Install the gem by executing:
+
+```bash
+fluent-gem install fluent-vulnerability_checker
+```
+
+## Usage
+Run the `fluent-vulnerabilitycheck` command and pass the path to your Fluentd configuration file using the `-c` or `--config` option.
+
+```bash
+$ fluent-vulnerabilitycheck -c /path/to/your/fluentd.conf
+```
+
+If no path is provided, it defaults to Fluentd's standard configuration path (`/etc/fluent/fluent.conf`).
+
+## Example Output
+When a vulnerable configuration is detected, the tool provides a detailed report:
+
+```
+# Exposure of Sensitive Information via Monitor Agent API
+* Severity:   High
+* CVSS Score: 7.5
+* Location:   <source> - @type monitor_agent
+* State:      bind = '0.0.0.0'.
+              (Note: In Fluentd 1.19.2 and earlier, the default value of bind is 0.0.0.0.)
+* Description:
+  * EN: monitor_agent is exposed externally, allowing attackers to read Fluentd configuration details via its API.
+  * JA: monitor_agentによって公開されているAPIを悪用して、Fluentdの設定内容を読み取られる危険性があります。
+* Workaround:
+  * EN: If you cannot immediately update the package, apply mitigations such as restricting access,
+        or allowing access only from localhost.
+  * JA: すぐにパッケージを更新できない場合、アクセスの制限、ローカルホストからのみのアクセスを受け付けるなどの
+        緩和策を適用してください。
+===================================================================================================================
+```
+
+## Support & Enterprise Services
+If you need professional assistance for safe migration, or comprehensive Fluentd support,
+please contact the ClearCode Fluentd support.
+
+安全な移行計画の策定や包括的なサポートが必要な場合は、クリアコードのFluentdサポートまでご相談ください。
+ご相談にはFluentdコアメンテナが対応いたします。
+
+* [ClearCode Fluentd Support (Japanese)](https://www.clear-code.com/services/fluentd-service.html)
+
+## Copyright
+
+* Copyright 2026 ClearCode Inc.
+* License
+  * Apache License, Version 2.0

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/test_*.rb"]
+end
+
+task default: :test

data/exe/fluent-vulnerabilitycheck

@@ -0,0 +1,50 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "fluent/vulnerability_checker.rb"
+require "optparse"
+
+config_path = Fluent::DEFAULT_CONFIG_PATH
+
+op = OptionParser.new
+op.on('-c', '--config PATH', "config file path (default: #{Fluent::DEFAULT_CONFIG_PATH})") { |s|
+  config_path = s
+}
+
+begin
+  op.parse!(ARGV)
+  checker = Fluent::VulnerabilityChecker.new
+  checker.validate(config_path)
+  if checker.vulnerabilities == 0
+    puts "No vulnerabilities detected."
+    puts "脆弱性は検知されませんでした。"
+  end
+
+rescue OptionParser::InvalidOption
+  puts op.help
+  exit 1
+rescue Errno::ENOENT
+  puts "Not found configuration file: #{config_path}"
+  puts ""
+  puts op.help
+  exit 1
+rescue => e
+  puts e.message
+end
+
+puts ""
+puts "-" * 115
+puts <<~"MSG"
+  [Support & Enterprise Services]
+  If you need professional assistance for safe migration, or comprehensive Fluentd support,
+  please contact the ClearCode Fluentd support.
+
+  安全な移行計画の策定や包括的なサポートが必要な場合は、クリアコードのFluentdサポートまでご相談ください。
+  ご相談にはFluentdコアメンテナが対応いたします。
+
+  https://www.clear-code.com/services/fluentd-service.html
+MSG
+puts "-" * 115
+
+exit checker.vulnerabilities > 0 ? 1 : 0

data/lib/fluent/vulnerability_checker.rb

@@ -0,0 +1,240 @@
+# frozen_string_literal: true
+
+require 'fluent/config'
+require 'fluent/env'
+
+module Fluent
+  class VulnerabilityChecker
+    CHUNK_ID_PLACEHOLDER_PATTERN = /\$\{chunk_id\}/
+    PLACEHOLDER_PATTERN = /\$\{.*?\}/
+
+    class Rule
+      def initialize(plugin_categories, plugin_name = nil, &condition_proc)
+        @plugin_categories = Array(plugin_categories)
+        @plugin_name = plugin_name
+        @condition_proc = condition_proc
+      end
+
+      def register_report_message(&report_proc)
+        @report_proc = report_proc
+        self
+      end
+
+      def report(element)
+        @report_proc&.call(element)
+      end
+
+      def safe?(element)
+        if @plugin_categories.include?(element.name) && @plugin_name == element['@type']
+          !@condition_proc.call(element)
+        else
+          true
+        end
+      end
+    end
+
+    attr_reader :vulnerabilities # for test
+
+    def initialize
+      @vulnerabilities = 0
+      @rules = []
+
+      # Fluentd: RCE via ${tag} in file in output/buffer/secondary/store sections
+      @rules << Rule.new(['match', 'buffer', 'secondary', 'store'], 'file') { |element|
+        # replace the safe ${chunk_id} with an empty string to clear it, and check if the remaining string contains ${...}
+        element['path']&.gsub(CHUNK_ID_PLACEHOLDER_PATTERN, '')&.match?(PLACEHOLDER_PATTERN)
+      }.register_report_message do |element|
+        <<~"MSG"
+          # Remote Code Execution (RCE) via Arbitrary File Write in Dynamic Placeholder
+          * Severity:   Critical
+          * CVSS Score: 10.0
+          * Location:   <#{element.name}> - @type #{element['@type']}
+          * State:      path = '#{element['path']}'
+          * Description:
+            * EN: If the ${tag} placeholder is used in the path parameter of the file output plugin, there is a risk that
+                  an attacker could write files to arbitrary paths, potentially leading to RCE.
+            * JA: pathでプレースホルダーにtagを指定している場合、設定ファイルの書き方や実行権限が不適切だと、任意のパスに
+                  ファイルを書き込まれ、リモートからコード実行可能になる危険があります。
+          * Workaround:
+            * EN: If you cannot immediately update the package, apply mitigations such as restricting access,
+                  running with non-root privileges, modifying the configuration file, or removing untrusted tags.
+            * JA: すぐにパッケージを更新できない場合、アクセスの制限、非root権限での実行、設定ファイルの修正、信頼できない
+                  tagを除去するなどの緩和策を適用してください。
+        MSG
+      end
+
+      # Fluentd: RCE via ${tag} in secondary_file
+      @rules << Rule.new('secondary', 'secondary_file') { |element|
+        # replace the safe ${chunk_id} with an empty string to clear it, and check if the remaining string contains ${...}
+        element['directory']&.gsub(CHUNK_ID_PLACEHOLDER_PATTERN, '')&.match?(PLACEHOLDER_PATTERN) ||
+          element['basename']&.gsub(CHUNK_ID_PLACEHOLDER_PATTERN, '')&.match?(PLACEHOLDER_PATTERN)
+      }.register_report_message do |element|
+        state_msg = ['directory', 'basename'].map { |k| "#{k} = '#{element[k]}'" if element[k]&.match?(PLACEHOLDER_PATTERN) }.compact.join(', ')
+        <<~"MSG"
+          # Remote Code Execution (RCE) via Arbitrary File Write in Dynamic Placeholder
+          * Severity:   Critical
+          * CVSS Score: 10.0
+          * Location:   <#{element.name}> - @type #{element['@type']}
+          * State:      #{state_msg}
+          * Description:
+            * EN: If the ${tag} placeholder is used in the directory or basename parameter of the secondary_file plugin, 
+                  there is a risk that an attacker could write files to arbitrary paths, potentially leading to RCE.
+            * JA: directoryまたはbasenameでプレースホルダーにtagを指定している場合、設定ファイルの書き方や実行権限が不適切だと、任意のパスに
+                  ファイルを書き込まれ、リモートからコード実行可能になる危険があります。
+          * Workaround:
+            * EN: If you cannot immediately update the package, apply mitigations such as restricting access,
+                  running with non-root privileges, modifying the configuration file, or removing untrusted tags.
+            * JA: すぐにパッケージを更新できない場合、アクセスの制限、非root権限での実行、設定ファイルの修正、信頼できない
+                  tagを除去するなどの緩和策を適用してください。
+        MSG
+      end
+
+      # Fluentd: Exposure of Sensitive Information
+      @rules << Rule.new('source', 'monitor_agent') { |element| element['bind'].nil? || element['bind'] == '0.0.0.0' }.register_report_message do |element|
+        <<~"MSG"
+          # Exposure of Sensitive Information via Monitor Agent API
+          * Severity:   High
+          * CVSS Score: 7.5
+          * Location:   <#{element.name}> - @type #{element['@type']}
+          * State:      bind = '#{element['bind'] || 'default'}'.
+                        (Note: In Fluentd 1.19.2 and earlier, the default value of bind is 0.0.0.0.)
+          * Description:
+            * EN: monitor_agent is exposed externally, allowing attackers to read Fluentd configuration details via its API.
+            * JA: monitor_agentによって公開されているAPIを悪用して、Fluentdの設定内容を読み取られる危険性があります。
+          * Workaround:
+            * EN: If you cannot immediately update the package, apply mitigations such as restricting access,
+                  or allowing access only from localhost.
+            * JA: すぐにパッケージを更新できない場合、アクセスの制限、ローカルホストからのみのアクセスを受け付けるなどの
+                  緩和策を適用してください。
+        MSG
+      end
+
+      # Fluentd: DoS via Gzip Decompression in http input plugin
+      @rules << Rule.new('source', 'http') { |element| true }.register_report_message do |element|
+        <<~"MSG"
+          # Denial of Service (DoS) via Gzip Decompression Bomb
+          * Severity:   High
+          * CVSS Score: 7.5
+          * Location:   <#{element.name}> - @type #{element['@type']}
+          * Description:
+            * EN: Sending maliciously crafted gzip-compressed data to Fluentd can consume excessive memory during
+                  decompression, potentially causing it to crash.
+            * JA: 細工したgzip圧縮データをFluentdへと送りつけることで、展開時に大量のメモリを消費させてFluentdをクラッシュ
+                  する危険性があります。
+          * Workaround:
+            * EN: If you cannot immediately update the package, apply mitigations such as restricting access, or enforcing
+                  size limits when decompressing content using a reverse proxy.
+            * JA: すぐにパッケージを更新できない場合、アクセスの制限、リバースプロキシ等を用いたGZIP展開時のサイズ制限等の
+                  緩和策を適用してください。
+        MSG
+      end
+
+      # Fluentd: DoS via Gzip Decompression in forward input plugin
+      @rules << Rule.new('source', 'forward') { |element| true }.register_report_message do |element|
+        <<~"MSG"
+          # Denial of Service (DoS) via Gzip Decompression Bomb
+          * Severity:   High
+          * CVSS Score: 7.5
+          * Location:   <#{element.name}> - @type #{element['@type']}
+          * Description:
+            * EN: Sending maliciously crafted gzip-compressed data to Fluentd can consume excessive memory during
+                  decompression, potentially causing it to crash.
+            * JA: 細工したgzip圧縮データを受信することで、展開時に大量のメモリを消費してFluentdがクラッシュする危険性が
+                  あります。
+          * Workaround:
+            * EN: If you cannot immediately update the package, apply mitigations such as restricting access, or enforcing
+                  size limits when decompressing content using a reverse proxy.
+            * JA: すぐにパッケージを更新できない場合、アクセスの制限、リバースプロキシ等を用いたGZIP展開時のサイズ制限等の
+                  緩和策を適用してください。
+        MSG
+      end
+
+      # fluent-plugin-s3: DoS via Gzip Decompression
+      @rules << Rule.new('source', 's3') { |element| true }.register_report_message do |element|
+        <<~"MSG"
+          # Denial of Service (DoS) via Gzip Decompression Bomb
+          * Severity:   Low
+          * CVSS Score: 2.7
+          * Location:   <#{element.name}> - @type #{element['@type']}
+          * Description:
+            * EN: Sending maliciously crafted gzip-compressed data from S3 to Fluentd can consume excessive memory when
+                  processing requests, potentially causing it to crash.
+            * JA: 細工したgzip圧縮データをS3から受信することで、展開時に大量のメモリを消費してFluentdがクラッシュする
+                  危険性があります。
+          * Workaround:
+            * EN: If you cannot immediately update the package, apply mitigations such as restricting access, or enforcing
+                  size limits when decompressing content using a reverse proxy.
+            * JA: すぐにパッケージを更新できない場合、アクセスの制限、リバースプロキシ等を用いたGZIP展開時のサイズ制限等の
+                  緩和策を適用してください。
+        MSG
+      end
+
+      # fluent-plugin-opentelemetry: DoS
+      @rules << Rule.new('source', 'opentelemetry') { |element| true }.register_report_message do |element|
+        <<~"MSG"
+          # Denial of Service (DoS) via Gzip Decompression Bomb or Malicious HTTP Requests
+          * Severity:   Moderate
+          * CVSS Score: 5.3
+          * Location:   <#{element.name}> - @type #{element['@type']}
+          * Description:
+            * EN: Sending maliciously crafted gzip-compressed data to Fluentd can consume excessive memory when processing
+                  requests, potentially causing it to crash.
+            * JA: 細工したgzip圧縮データやHTTPリクエストを受信することで、リクエスト処理時に大量のメモリを消費してFluentdが
+                  クラッシュする危険性があります。
+          * Workaround:
+            * EN: If you cannot immediately update the package, apply mitigations such as restricting access, or enforcing
+                  size limits when processing requests using a reverse proxy.
+            * JA: すぐにパッケージを更新できない場合、アクセスの制限、リバースプロキシ等を用いたリクエストサイズ制限等の
+                  緩和策を適用してください。
+        MSG
+      end
+
+      # Fluentd: SSRF via ${endpoint} in http output plugin
+      @rules << Rule.new('match', 'http') { |element| element['endpoint']&.match?(%r[https?://[^/]*\$\{]) }.register_report_message do |element|
+        <<~"MSG"
+          # Server-Side Request Forgery (SSRF) via Placeholder Expansion in out_http
+          * Severity:   Moderate
+          * CVSS Score: 5.8
+          * Location:   <#{element.name}> - @type #{element['@type']}
+          * Description:
+            * EN: When out_http determines destination servers for data transmission based on tags, this vulnerability
+                  allows attackers to manipulate data transmission by sending crafted data, resulting in data being sent
+                  to servers other than the intended ones.
+            * JA: out_httpでデータを別のサーバーに送る際の送信先をタグから決定している場合、細工したデータを送りつけられると、
+                  本来の意図とは異なるサーバーへとデータを送信してしまうことが可能な脆弱性です。
+          * Workaround:
+            * EN: If you cannot immediately update the package, apply mitigation measures such as:
+                  * not dynamically setting hostnames with placeholders
+                  * restricting access from untrusted networks
+                  * allowing only specific hosts
+            * JA: すぐにパッケージを更新できない場合、プレースホルダーでホスト名を動的に設定しない、信頼できない
+                  ネットワークからのアクセスの制限、特定のホストのみ許可するなどの緩和策を適用してください。
+        MSG
+      end
+    end
+
+    def validate(config_path)
+      parsed_config = Fluent::Config.build(config_path: config_path, type: :guess)
+
+      parsed_config.elements.each do |element|
+        check_element(element)
+      end
+    end
+
+    private
+
+    def check_element(element)
+      @rules.each do |rule|
+        unless rule.safe?(element)
+          @vulnerabilities += 1
+          puts rule.report(element)
+          puts "=" * 115
+        end
+      end
+
+      element.elements.each do |child|
+        check_element(child)
+      end
+    end
+  end
+end

data/test/fluent/resources/safe/in_monitor_agent.conf

@@ -0,0 +1,4 @@
+<source>
+  @type monitor_agent
+  bind 127.0.0.1
+</source>

data/test/fluent/resources/safe/out_file_buffer_file.conf

@@ -0,0 +1,9 @@
+<match **>
+  @type file
+  path /tmp/fluent/${chunk_id}/test.log
+
+  <buffer>
+    @type file
+    path /tmp/fluent/buffer
+  </buffer>
+</match>

data/test/fluent/resources/safe/out_http.conf

@@ -0,0 +1,8 @@
+<match web.**>
+  @type http
+  endpoint http://example.com/api/logs
+  http_method post
+  <format>
+    @type json
+  </format>
+</match>

data/test/fluent/resources/unsafe/dos_in_forward.conf

@@ -0,0 +1,3 @@
+<source>
+  @type forward
+</source>

data/test/fluent/resources/unsafe/dos_in_http.conf

@@ -0,0 +1,3 @@
+<source>
+  @type http
+</source>

data/test/fluent/resources/unsafe/dos_in_opentelemetry.conf

@@ -0,0 +1,10 @@
+<source>
+  @type opentelemetry
+
+  tag opentelemetry
+
+  <http>
+    bind 127.0.0.1
+    port 4318
+  </http>
+</source>

data/test/fluent/resources/unsafe/dos_in_s3.conf

@@ -0,0 +1,5 @@
+<source>
+  @type s3
+  s3_bucket my-vulnerable-bucket
+  s3_region ap-northeast-1
+</source>

data/test/fluent/resources/unsafe/exposure_of_sensitive_information.conf

@@ -0,0 +1,8 @@
+<source>
+  @type monitor_agent
+</source>
+
+<source>
+  @type monitor_agent
+  bind 0.0.0.0
+</source>

data/test/fluent/resources/unsafe/remote_code_execution_buffer_file.conf

@@ -0,0 +1,20 @@
+<match **>
+  @type file
+  path /tmp/fluent/test.log
+
+  <buffer>
+    @type file
+    path /tmp/fluent/${tag}/buffer
+  </buffer>
+</match>
+
+
+<match **>
+  @type file
+  path /tmp/fluent/test.log
+
+  <buffer file>
+    @type file
+    path /tmp/fluent/${file}/buffer
+  </buffer>
+</match>

data/test/fluent/resources/unsafe/remote_code_execution_out_file.conf

@@ -0,0 +1,19 @@
+<match **>
+  @type file
+  path /tmp/fluent/${tag}/test.log
+
+  <buffer>
+    @type file
+    path /tmp/fluent/buffer
+  </buffer>
+</match>
+
+<match **>
+  @type file
+  path /tmp/fluent/${file}/test.log
+
+  <buffer file>
+    @type file
+    path /tmp/fluent/buffer
+  </buffer>
+</match>

data/test/fluent/resources/unsafe/remote_code_execution_out_secondary_file.conf

@@ -0,0 +1,15 @@
+<match **>
+  @type file
+  path /tmp/fluent/test.log
+
+  <buffer>
+    @type file
+    path /tmp/fluent/buffer
+  </buffer>
+
+  <secondary>
+    @type secondary_file
+    directory log/secondary/${file}
+    basename ${tag}_%Y%m%d%L_${message}
+  </secondary>
+</match>

data/test/fluent/resources/unsafe/remote_code_execution_secondary_out_file.conf

@@ -0,0 +1,24 @@
+<match **>
+  @type forward
+  path /tmp/fluent/test.log
+
+  <buffer>
+    @type file
+    path /tmp/fluent/buffer
+  </buffer>
+
+  <server>
+    host 127.0.0.1
+    port 24224
+  </server>
+
+  <secondary>
+    @type file
+    path /tmp/fluent/${file}/secondary
+
+    <buffer>
+      @type file
+      path /tmp/fluent/secondary_buffer
+    </buffer>
+  </secondary>
+</match>

data/test/fluent/resources/unsafe/remote_code_execution_store_out_file.conf

@@ -0,0 +1,16 @@
+<match **>
+  @type copy
+
+  <store>
+    @type file
+    path /tmp/fluent/copy_output/${file}
+  </store>
+
+  <store>
+    @type forward
+    <server>
+      host 127.0.0.1
+      port 24224
+    </server>
+  </store>
+</match>

data/test/fluent/resources/unsafe/ssrf_out_http.conf

@@ -0,0 +1,4 @@
+<match web.**>
+  @type http
+  endpoint http://${tag}.internal.example.com/api/logs
+</match>

data/test/fluent/resources/unsafe/test_vulnerable.yaml

@@ -0,0 +1,17 @@
+config:
+  # Exposure of Sensitive Information via Monitor Agent API
+  - source:
+      $type: monitor_agent
+      port: 24220
+
+  # Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`
+  - source:
+      $type: http
+      port: 9880
+      bind: 0.0.0.0
+
+  # Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`
+  - match:
+      $tag: web.**
+      $type: http
+      endpoint: http://${tag}.internal.example.com/api/logs

data/test/fluent/test_vulnerability_checker.rb

@@ -0,0 +1,141 @@
+require "test-unit"
+require "fluent/vulnerability_checker"
+
+class Fluent::VulnerabilityCheckerTest < Test::Unit::TestCase
+
+  def path(path)
+    File.expand_path(File.join(File.dirname(__FILE__), path))
+  end
+
+  sub_test_case "Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder " do
+    test "detect vulnerability in out_file config" do
+      config_path = path("./resources/unsafe/remote_code_execution_out_file.conf")
+      checker = Fluent::VulnerabilityChecker.new
+      checker.validate(config_path)
+
+      assert_equal(2, checker.vulnerabilities)
+    end
+
+    test "detect vulnerability in buffer_file config" do
+      config_path = path("./resources/unsafe/remote_code_execution_buffer_file.conf")
+      checker = Fluent::VulnerabilityChecker.new
+      checker.validate(config_path)
+
+      assert_equal(2, checker.vulnerabilities)
+    end
+
+    test "detect vulnerability in out_file in secondary section" do
+      config_path = path("./resources/unsafe/remote_code_execution_secondary_out_file.conf")
+      checker = Fluent::VulnerabilityChecker.new
+      checker.validate(config_path)
+
+      assert_equal(1, checker.vulnerabilities)
+    end
+
+    test "detect vulnerability in out_file in store section" do
+      config_path = path("./resources/unsafe/remote_code_execution_store_out_file.conf")
+      checker = Fluent::VulnerabilityChecker.new
+      checker.validate(config_path)
+
+      assert_equal(1, checker.vulnerabilities)
+    end
+
+    test "detect vulnerability in out_secondary_file" do
+      config_path = path("./resources/unsafe/remote_code_execution_out_secondary_file.conf")
+      checker = Fluent::VulnerabilityChecker.new
+      checker.validate(config_path)
+
+      assert_equal(1, checker.vulnerabilities)
+    end
+
+    test "no detect vulnerability with safe config" do
+      config_path = path("./resources/safe/out_file_buffer_file.conf")
+      checker = Fluent::VulnerabilityChecker.new
+      checker.validate(config_path)
+
+      assert_equal(0, checker.vulnerabilities)
+    end
+  end
+
+  sub_test_case "Exposure of Sensitive Information via Monitor Agent API" do
+    test "detect vulnerability" do
+      config_path = path("./resources/unsafe/exposure_of_sensitive_information.conf")
+      checker = Fluent::VulnerabilityChecker.new
+      checker.validate(config_path)
+
+      assert_equal(2, checker.vulnerabilities)
+    end
+
+    test "no detect vulnerability with safe config" do
+      config_path = path("./resources/safe/in_monitor_agent.conf")
+      checker = Fluent::VulnerabilityChecker.new
+      checker.validate(config_path)
+
+      assert_equal(0, checker.vulnerabilities)
+    end
+  end
+
+  sub_test_case "Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward` " do
+    test "detect vulnerability in in_http config" do
+      config_path = path("./resources/unsafe/dos_in_http.conf")
+      checker = Fluent::VulnerabilityChecker.new
+      checker.validate(config_path)
+
+      assert_equal(1, checker.vulnerabilities)
+    end
+
+    test "detect vulnerability in in_forward config" do
+      config_path = path("./resources/unsafe/dos_in_forward.conf")
+      checker = Fluent::VulnerabilityChecker.new
+      checker.validate(config_path)
+
+      assert_equal(1, checker.vulnerabilities)
+    end
+  end
+
+  sub_test_case "Denial of Service (DoS) via Decompression Bomb in `in_s3`" do
+    test "detect vulnerability" do
+      config_path = path("./resources/unsafe/dos_in_s3.conf")
+      checker = Fluent::VulnerabilityChecker.new
+      checker.validate(config_path)
+
+      assert_equal(1, checker.vulnerabilities)
+    end
+  end
+
+  sub_test_case "Denial of Service (DoS) via Large Payloads and Decompression Bombs in `in_opentelemetry`" do
+    test "detect vulnerability in in_opentelemetry config" do
+      config_path = path("./resources/unsafe/dos_in_opentelemetry.conf")
+      checker = Fluent::VulnerabilityChecker.new
+      checker.validate(config_path)
+
+      assert_equal(1, checker.vulnerabilities)
+    end
+  end
+
+  sub_test_case "Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`" do
+    test "detect vulnerability in out_http config" do
+      config_path = path("./resources/unsafe/ssrf_out_http.conf")
+      checker = Fluent::VulnerabilityChecker.new
+      checker.validate(config_path)
+
+      assert_equal(1, checker.vulnerabilities)
+    end
+
+    test "no detect vulnerability with safe config" do
+      config_path = path("./resources/safe/out_http.conf")
+      checker = Fluent::VulnerabilityChecker.new
+      checker.validate(config_path)
+
+      assert_equal(0, checker.vulnerabilities)
+    end
+  end
+
+  test "YAML format" do
+    config_path = path("./resources/unsafe/test_vulnerable.yaml")
+    checker = Fluent::VulnerabilityChecker.new
+    checker.validate(config_path)
+
+    assert_equal(3, checker.vulnerabilities)
+  end
+end

metadata

@@ -0,0 +1,82 @@
+--- !ruby/object:Gem::Specification
+name: fluent-vulnerability_checker
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Shizuo Fujita
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: fluentd
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: A security scanner and vulnerability checker for Fluentd configuration
+  files.
+email:
+- fujita@clear-code.com
+executables:
+- fluent-vulnerabilitycheck
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/dependabot.yml"
+- ".github/workflows/linux.yml"
+- ".github/workflows/windows.yml"
+- ".rubocop.yml"
+- LICENSE
+- README.md
+- Rakefile
+- exe/fluent-vulnerabilitycheck
+- lib/fluent/vulnerability_checker.rb
+- test/fluent/resources/safe/in_monitor_agent.conf
+- test/fluent/resources/safe/out_file_buffer_file.conf
+- test/fluent/resources/safe/out_http.conf
+- test/fluent/resources/unsafe/dos_in_forward.conf
+- test/fluent/resources/unsafe/dos_in_http.conf
+- test/fluent/resources/unsafe/dos_in_opentelemetry.conf
+- test/fluent/resources/unsafe/dos_in_s3.conf
+- test/fluent/resources/unsafe/exposure_of_sensitive_information.conf
+- test/fluent/resources/unsafe/remote_code_execution_buffer_file.conf
+- test/fluent/resources/unsafe/remote_code_execution_out_file.conf
+- test/fluent/resources/unsafe/remote_code_execution_out_secondary_file.conf
+- test/fluent/resources/unsafe/remote_code_execution_secondary_out_file.conf
+- test/fluent/resources/unsafe/remote_code_execution_store_out_file.conf
+- test/fluent/resources/unsafe/ssrf_out_http.conf
+- test/fluent/resources/unsafe/test_vulnerable.yaml
+- test/fluent/test_vulnerability_checker.rb
+homepage: https://www.fluentd.org/
+licenses: []
+metadata:
+  homepage_uri: https://www.fluentd.org/
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.15
+specification_version: 4
+summary: A security scanner and vulnerability checker for Fluentd configuration files.
+test_files: []