
Replace WEBrick because it is no longer recommended for production use #4648


Open
sparrowt opened this issue Sep 26, 2024 · 10 comments · Fixed by #4898 or #4899 · May be fixed by #4900
Labels
enhancement Feature request or improve operations

Comments

@sparrowt

Describe the bug

Fluentd depends on webrick and uses it in quite a few places and thus although it's no longer included in ruby, it is required (e.g. the dockerfile installs ruby-webrick).

There have been a fair few CVEs reported for webrick in recent years, but more worrying is that in response to a recent security vulnerability report, one of the maintainers said "webrick is not for production".

If fluentd continues to rely on this, it feels risky (e.g. maybe future reports may not be patched so quickly / at all).

Perhaps it would be wise to migrate each usage away from webrick to a production-suitable replacement?

To Reproduce

Install fluentd - you will not be able to do this without also installing webrick.

Expected behavior

We should move away from production use of a package which the maintainers no longer recommend for production use.

Your Environment

- Fluentd version: all recent versions
- Package version: N/A
- Operating system: N/A
- Kernel version: N/A

Your Configuration

Any configuration.

Your Error Log

N/A

Additional context

No response

@daipom daipom added enhancement Feature request or improve operations and removed waiting-for-triage labels Sep 27, 2024
@daipom daipom changed the title Fluentd relies on webrick which is no longer recommended for production use Replace WEBrick because it is no longer recommended for production use Sep 27, 2024
@daipom daipom added the help wanted We need your help! label Sep 27, 2024
@daipom
Contributor

daipom commented Sep 27, 2024

Thanks for your report.
This is more likely an enhancement request rather than a bug report.
I think we need more opinions and ideas.

@Athishpranav2003
Contributor

@daipom I saw this alternative
https://github.com/socketry/falcon

Not sure if there are other alternatives, need to research more

@daipom
Contributor

daipom commented Oct 2, 2024

@Athishpranav2003 Thanks!
So, Falcon is an option for us!

Sorry, since I'm unfamiliar with these libraries and don't have much time this month, I cannot say for sure about the direction now.

@Athishpranav2003
Contributor

It's similar for me
Maybe others active in Ruby community can give some comments on this
@Watson1978 ?

@Watson1978
Contributor

Fluentd has been using async-http and webrick for the http server in in_http and RPC.
I think it would be better to integrate them into one library (async-http, falcon or another).

@dentarg

dentarg commented Oct 2, 2024

The most popular Ruby web server is Puma: https://github.com/puma/puma

@Leodau

Leodau commented Feb 5, 2025

Can we please get an update on this one?

https://security.snyk.io/vuln/SNYK-RUBY-WEBRICK-8068535

@Watson1978
Contributor

@Leodau Seems that the latest fluent-package LTS v5.0.5 contains webrick v1.8.2.
https://github.com/fluent/fluent-package-builder/releases/tag/v5.0.5

@daipom
Contributor

daipom commented Apr 10, 2025

Fluentd uses WEBrick for the following features mainly:

  • RPC server
  • http_server plugin helper (only when async is not installed; the feature falls back to WEBrick)

We should remove the fallback feature of http_server plugin helper.
It was made for supporting environments whose Ruby version < 2.3.

For the RPC server, we should consider using http_server plugin helper.

@daipom daipom moved this to To-Do in Fluentd Kanban Apr 10, 2025
@daipom daipom removed the help wanted We need your help! label Apr 10, 2025
@kenhys kenhys closed this as completed in e445acf Apr 10, 2025
@github-project-automation github-project-automation bot moved this from To-Do to Done in Fluentd Kanban Apr 10, 2025
@daipom daipom reopened this Apr 10, 2025
@daipom daipom moved this from Done to Work-In-Progress in Fluentd Kanban Apr 10, 2025
@daipom daipom closed this as completed in 83c19d1 Apr 10, 2025
@github-project-automation github-project-automation bot moved this from Work-In-Progress to Done in Fluentd Kanban Apr 10, 2025
@daipom daipom reopened this Apr 10, 2025
@daipom daipom moved this from Done to To-Do in Fluentd Kanban Apr 10, 2025
@daipom
Contributor

daipom commented Apr 10, 2025

Remaining:

  • RPC server
  • in_http (WEBrick::HTTPUtils)

I have no idea how to replace multipart/form-data handling in in_http.

```ruby
# excerpt from in_http: the multipart/form-data branch of the body parsing
elsif @content_type =~ /^multipart\/form-data; boundary=(.+)/
  boundary = WEBrick::HTTPUtils.dequote($1)
  params.update WEBrick::HTTPUtils.parse_form_data(@body, boundary)
```

It may not be important to avoid using WEBrick::HTTPUtils since it is just utils.
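As an added illustration (not Fluentd's code, and not a proposed patch), the following shows what a webrick-free replacement for the two calls above would need to do: dequote the boundary from the Content-Type header and split a multipart/form-data body into a name-to-value hash. The function names `multipart_boundary` and `parse_form_data` are my own; it assumes CRLF line endings as required by RFC 7578 and returns nil for a body that lacks the closing delimiter.

```ruby
# Mirrors WEBrick::HTTPUtils.dequote: strip surrounding double quotes and
# unescape backslash-quoted characters.
def dequote(str)
  ret = (/\A"(.*)"\z/ =~ str) ? $1 : str.dup
  ret.gsub(/\\(.)/, '\1')
end

# Extract the boundary from a Content-Type value, or nil if it is not
# multipart/form-data. The regex is the one in_http uses, with optional
# whitespace after the semicolon (assumption, not Fluentd's behaviour).
def multipart_boundary(content_type)
  return nil unless content_type =~ /\Amultipart\/form-data;\s*boundary=(.+)/i
  dequote($1)
end

# Parse a multipart/form-data body into { field_name => value }.
# Per RFC 2046 the CRLF before each "--boundary" belongs to the delimiter, so
# the body is prefixed with CRLF and split on "\r\n--boundary".
# Returns nil when the closing "--boundary--" is missing (truncated body).
def parse_form_data(body, boundary)
  parts = ("\r\n" + body).split("\r\n--#{boundary}")
  params = {}
  closed = false
  parts.drop(1).each do |part| # parts[0] is the preamble, always ignored
    if part.start_with?("--")  # closing delimiter: "--" followed by epilogue
      closed = true
      break
    end
    headers, sep, value = part.sub(/\A\r\n/, "").partition("\r\n\r\n")
    next if sep.empty?         # malformed part without a header/body separator
    disposition = headers.split("\r\n").find { |h| h =~ /\AContent-Disposition:/i }
    next unless disposition
    name = disposition[/;\s*name=("[^"]*"|[^;\s]+)/, 1]
    next unless name
    params[dequote(name)] = value
  end
  closed ? params : nil
end

# Constructed sample request, as in_http would see it
SAMPLE_CT = 'multipart/form-data; boundary="xyz"'
SAMPLE_BODY = "--xyz\r\nContent-Disposition: form-data; name=\"json\"\r\n\r\n" \
              "{\"a\":1}\r\n--xyz\r\nContent-Disposition: form-data; name=msgpack; " \
              "filename=\"x.bin\"\r\nContent-Type: application/octet-stream\r\n\r\n" \
              "raw\r\n--xyz--\r\n"

if __FILE__ == $0
  p parse_form_data(SAMPLE_BODY, multipart_boundary(SAMPLE_CT))
end
```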
