open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/voyage/lib/exporters
History
Kjell Tore Guttormsen 8dc3090080 fix(voyage): permanently block cloud metadata endpoints in OTLP validator (CWE-918) 
Found by simulert v4.1 smoke — doc/code-drift in v4.1 ship:
docs/observability.md claims "Cloud metadata endpoints (169.254.169.254)
are permanently blocked" but the validator allowed them when
VOYAGE_OTEL_ALLOW_PRIVATE=1. Cloud metadata services expose IAM
credentials and instance secrets — operator-trust extended to
RFC-1918 home-lab access does NOT extend here, because the
blast-radius (cloud-account compromise) is qualitatively different.

New HARD_BLOCKED_HOSTS set checked BEFORE the link-local opt-in path:
  - 169.254.169.254  (AWS / GCP / Azure metadata)
  - 100.100.100.200  (AliCloud metadata)
  - metadata.google.internal
  - metadata.azure.com

New error code ENDPOINT_HARD_BLOCKED. Existing test for
ENDPOINT_LINK_LOCAL_REJECTED on 169.254.169.254 updated to assert
the new code; 3 new tests verify the hard-block holds even with
VOYAGE_OTEL_ALLOW_PRIVATE=1, plus AliCloud + GCP-hostname coverage.

Tests: 487 → 490 pass + 2 skipped.
2026-05-09 10:23:51 +02:00
..
endpoint-validator.mjs fix(voyage): permanently block cloud metadata endpoints in OTLP validator (CWE-918) 2026-05-09 10:23:51 +02:00
field-allowlist.mjs feat(voyage): add lib/exporters/{path,endpoint,field-allowlist}-validators — CWE-22, CWE-918, CWE-212 mitigering 2026-05-09 09:36:00 +02:00
otlp-format.mjs feat(voyage): add lib/exporters/otlp-format.mjs — OTLP/JSON enum-integer SC #13 2026-05-09 09:32:29 +02:00
path-validator.mjs feat(voyage): add lib/exporters/{path,endpoint,field-allowlist}-validators — CWE-22, CWE-918, CWE-212 mitigering 2026-05-09 09:36:00 +02:00
textfile-format.mjs feat(voyage): add lib/exporters/textfile-format.mjs — Prometheus text-format pure transform SC #12 2026-05-09 09:30:58 +02:00