Skip to content

[Improve][Agent] Add command whitelist validation in ModuleManager #12149

Description

@spiritxishi

Description

Background

ModuleManager currently executes installCommand, startCommand, stopCommand, restartCommand, and uninstallCommand from ModuleConfig without any validation. isModuleConfigValid() only performs null checks (line 160-193), leaving no defense against malicious command payloads distributed via the Manager.

Affected Code:

  • inlong-agent/agent-installer/.../ModuleManager.java:489,496,510,517,524 (command execution)
  • inlong-agent/agent-installer/.../ModuleManager.java:160-193 (validation)

Proposed Fix

Implement a command whitelist (allowlist) on the Agent side so that only pre-approved commands or patterns can be executed, regardless of what the Manager distributes.

Acceptance Criteria

  • Define a configurable whitelist of allowed commands/patterns
  • Validate all 5 command fields against the whitelist before execution
  • Reject and log any command not matching the whitelist
  • Provide clear documentation on how to extend the whitelist

InLong Component

InLong Agent

Are you willing to submit PR?

  • Yes, I am willing to submit a PR!

Code of Conduct

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions