LuGuangming opened a new issue, #57058:
URL: https://github.com/apache/doris/issues/57058

   ### Search before asking
   
   - [x] I had searched in the [issues](https://github.com/apache/doris/issues?q=is%3Aissue) and found no similar issues.
   
   
   ### Version
   
   2.0, 2.1, 3.0
   
   ### What's Wrong?
   
   Implementing a plugin for remote invocation that is directly registered with 
the service through the client, and calling it directly in Doris without any 
default protections, could lead to unknown intrusive security issues.
   For example:
   1. Create a plugin:
   [Image: plugin source, not reproduced in this mirror]
   2. Remote install the plugin:
   [Image: remote install command, not reproduced in this mirror]
   3. Start a server to listen, and the command is successfully executed.
   [Image: upload failed in the original issue]
   
   ### What You Expected?
   
   During remote plugin registration, constraints and restrictions need to be 
managed to prevent RCE security vulnerabilities.
   
   ### How to Reproduce?
   
   _No response_
   
   ### Anything Else?
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

