search

logstash-plugins / logstash-output-file

Apache License 2.0
23 stars 53 forks source link

File: the event tried to write outside the files root, writing the event to the failure file #37

Open yangxikun opened 8 years ago

yangxikun commented 8 years ago

logstash config:

input {
        file {
                path => "/home/roketyyang/nginx.log.1"
                type => "nginx"
                start_position => "beginning"
                codec => json
        }
}
filter {
        mutate {
                split => ["upstreamtime", ","]
        }
        mutate {
                convert => ["upstreamtime", "float"]
        }
}
output {
        file {
                path => "./logs/%{+yyyy/MM/dd}/%{host}.log"
        }
}

When run bin/logstash -f conf/nginx.conf, some error message:

Settings: Default pipeline workers: 4
Logstash startup completed
/home/roketyyang/software/logstash-2.2.2/logs/2016/03/22/10.123.5.34.log {:level=>:warn}
/home/roketyyang/software/logstash-2.2.2/logs/%{+yyyy/MM/dd}/ {:level=>:warn}
File: the event tried to write outside the files root, writing the event to the failure file {
……………………………………………………………………………………………………
}

The /home/roketyyang/software/logstash-2.2.2/logs/2016/03/22/10.123.5.34.log {:level=>:warn} is a debug output by:

private
  def write_event(event, data)
    file_output_path = generate_filepath(event)
      @logger.warn(file_output_path) #add by me
   ……………………
  end

The /home/roketyyang/software/logstash-2.2.2/logs/%{+yyyy/MM/dd}/ {:level=>:warn} is a debug output by:

private
  def inside_file_root?(log_path)
    target_file = File.expand_path(log_path)
    @logger.warn("#{@file_root.to_s}/") #add by me
    return target_file.start_with?("#{@file_root.to_s}/")
  end

Is there a bug with @file_root, or how could I fix the error?

ebuildy commented 8 years ago

Hello logstash team, any new about this very annoying bug? Why this check?

jordansissel commented 8 years ago

The check is there to prevent writes to paths outside the main path given. It would be bad if, for example, Logstash let an event cause a write to /path/to/thing/../../../etc/passwd

It may be the check is too sensitive, but I am on my phone and can't easily review the code.

On Friday, August 12, 2016, Thomas Decaux notifications@github.com wrote:

Hello logstash team, any new about this very annoying bug? Why this check?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/logstash-plugins/logstash-output-file/issues/37#issuecomment-239483679, or mute the thread https://github.com/notifications/unsubscribe-auth/AAIC6iNuo1NMVVD_F1uVSgQGytXH7oEBks5qfJY1gaJpZM4H17QZ .

ebuildy commented 8 years ago

Thanks you, i understand ! Maybe an option to disable it ? (Security can be achieved by linux io permissions, isint )

Le 12 août 2016 7:04 PM, "Jordan Sissel" notifications@github.com a écrit :

The check is there to prevent writes to paths outside the main path given. It would be bad if, for example, Logstash let an event cause a write to /path/to/thing/../../../etc/passwd

It may be the check is too sensitive, but I am on my phone and can't easily review the code.

On Friday, August 12, 2016, Thomas Decaux notifications@github.com wrote:

Hello logstash team, any new about this very annoying bug? Why this check?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/logstash-plugins/logstash-output-file/ issues/37#issuecomment-239483679, or mute the thread https://github.com/notifications/unsubscribe-auth/AAIC6iNuo1NMVVD_ F1uVSgQGytXH7oEBks5qfJY1gaJpZM4H17QZ .

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/logstash-plugins/logstash-output-file/issues/37#issuecomment-239502646, or mute the thread https://github.com/notifications/unsubscribe-auth/ABKc6QQkgBGmM8hS1KTRuGkZLw1Qznl8ks5qfKeZgaJpZM4H17QZ .