Description
A potential buffer overflow exists in the extract_cloud_host function in plugins/out_es/es_conf_parse.c. The function uses a fixed-size cloud_host_buf[256] buffer combined with unbounded strcpy/strcat calls to construct the cloud host string.
Location
File: plugins/out_es/es_conf_parse.c
Function: extract_cloud_host
Lines: ~130-138
Issue
While the base64-decoded buffer is also 256 bytes (which limits the input), a malformed or malicious Cloud ID could still cause a buffer overflow when the final host string is constructed from multiple concatenations.
Suggested Mitigation
Replace the strcpy/strcat chain with snprintf and add bounds checking:

```c
int written;

if (port != NULL) {
    written = snprintf(cloud_host_buf, sizeof(cloud_host_buf),
                       "%s.%s:%s", host, region, port);
}
else {
    written = snprintf(cloud_host_buf, sizeof(cloud_host_buf),
                       "%s.%s", host, region);
}

if (written < 0 || (size_t)written >= sizeof(cloud_host_buf)) {
    flb_plg_error(ctx->ins, "cloud_host buffer overflow");
    return NULL;
}
```
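As an added example (not the issue's or Fluent Bit's own code), the same snprintf-and-check pattern isolated into a helper that reports truncation through its return value instead of flb_plg_error, so the boundary behaviour can be exercised on its own; the names build_cloud_host and demo_overflow_rejected and the sample host/region/port values are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define CLOUD_HOST_BUF_LEN 256  /* mirrors cloud_host_buf[256] in the report */

/* Build "host.region[:port]" into out (out_len bytes).
 * Returns 0 on success, -1 if the result (plus NUL) would not fit.
 * snprintf never writes past out_len, and its return value is the
 * length the full string would have had, so written >= out_len means
 * truncation occurred. */
int build_cloud_host(char *out, size_t out_len,
                     const char *host, const char *region, const char *port)
{
    int written;

    if (out == NULL || out_len == 0 || host == NULL || region == NULL) {
        return -1;
    }

    if (port != NULL) {
        written = snprintf(out, out_len, "%s.%s:%s", host, region, port);
    }
    else {
        written = snprintf(out, out_len, "%s.%s", host, region);
    }

    if (written < 0 || (size_t)written >= out_len) {
        out[0] = '\0';  /* do not hand a truncated host to the caller */
        return -1;
    }
    return 0;
}

/* Demo: a constructed 299-character host name that a strcpy/strcat chain
 * would have written straight past a 256-byte buffer is rejected instead. */
int demo_overflow_rejected(void)
{
    char buf[CLOUD_HOST_BUF_LEN];
    char long_host[300];

    memset(long_host, 'a', sizeof(long_host) - 1);
    long_host[sizeof(long_host) - 1] = '\0';
    return build_cloud_host(buf, sizeof(buf), long_host, "us-east-1", "9243");
}
```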
Context
This is existing code that was moved from es_conf.c as part of the Elasticsearch Upstream Servers refactoring. The issue was not introduced by the refactoring but existed in the original code.
References
Reported by: @coderabbitai
Requested by: @mabrarov