From 2f011d8daed92d6c8f56aaa980f2bd66d9c499ab Mon Sep 17 00:00:00 2001 From: Kentaro Hayashi Date: Tue, 10 Mar 2026 17:37:34 +0900 Subject: [PATCH] in_debug_agent: accept only from local machine by default (#5272) **Which issue(s) this PR fixes**: Fixes # **What this PR does / why we need it**: Usually, in_debug_agent must be explicitly enabled by users who know what you do. But, there is an security concern which accepts external access by default even though user must enable it explicitly. With this commit, change that behavior a bit secure by default. **Docs Changes**: Need to update default. https://docs.fluentd.org/monitoring-fluentd/monitoring-rest-api#datadog-dd-agent-integration **Release Note**: N/A Signed-off-by: Kentaro Hayashi Signed-off-by: github-actions[bot] --- lib/fluent/plugin/in_debug_agent.rb | 2 +- test/plugin/test_in_debug_agent.rb | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/fluent/plugin/in_debug_agent.rb b/lib/fluent/plugin/in_debug_agent.rb index e8e9c625c7..1ee9c3671a 100644 --- a/lib/fluent/plugin/in_debug_agent.rb +++ b/lib/fluent/plugin/in_debug_agent.rb @@ -26,7 +26,7 @@ def initialize super end - config_param :bind, :string, default: '0.0.0.0' + config_param :bind, :string, default: '127.0.0.1' config_param :port, :integer, default: 24230 config_param :unix_path, :string, default: nil #config_param :unix_mode # TODO diff --git a/test/plugin/test_in_debug_agent.rb b/test/plugin/test_in_debug_agent.rb index 24f73a8d1a..81ece6c7c6 100644 --- a/test/plugin/test_in_debug_agent.rb +++ b/test/plugin/test_in_debug_agent.rb @@ -46,4 +46,12 @@ def test_multi_worker_environment_with_unix_path assert_false d.instance.multi_workers_ready? end end + + def test_default_configuration + assert_nothing_raised do + d = create_driver + assert_equal(['127.0.0.1', 24230, 'Fluent::Engine'], + [d.instance.bind, d.instance.port, d.instance.object]) + end + end end