-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
in_splunk: splunk token validation must be case-insensitive #9518
Conversation
…at's the behavior from Splunk HEC Signed-off-by: lecaros <[email protected]>
@lecaros where we can confirm in Splunk docs that indeed auth token are not case sensitive ? (it does not sound normal since it's a security mechanism) |
@edsiper I agree on that, it's way easier to break it if it's case-insensitive. However, I confirmed the behavior using latest image of Splunk, as explained in the repro. |
Or, should we provide case-sensitive or case-insensitive option on in_splunk? This could preserve backward compatibility. |
As per Splunk docs, the tokens are GUID (UUID).
https://docs.splunk.com/Documentation/Splunk/latest/Data/FormateventsforHTTPEventCollector Based on RFC 9562, these are hexadecimal representations and, therefore, are case-insensitive.
https://datatracker.ietf.org/doc/html/rfc9562 @edsiper @cosmo0920, please let me know if this makes sense. |
From the RFC:
Yes, it makes sense to me. |
Changes validation of received Splunk token to be case-insensitive, as the Splunk HEC does.
fixes #9517
Backporting
Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.