resource: specify full path for ioreg command in Darwin host ID reader #7818

Merged: pellared merged 4 commits into open-telemetry:main from pellared:harden-ioreg on Jan 21, 2026

pellared (Member) commented Jan 20, 2026

Use full path when calling ioreg to mitigate potential malicious code execution in case of Path Interception.

Note that path interception typically requires the attacker to influence the environment or place a malicious executable earlier in $PATH, which, in this context, generally implies the script itself would need to be introduced/uploaded (or otherwise placed/executed) in the target environment for the attacker’s substitute ioreg to be reached during execution.

Reference:
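
The resolution difference behind this change, as an added example that is not part of the pull request or the project's code: `os/exec` searches `$PATH` only for a name without a directory component, so a bare `ioreg` follows whatever directory comes first while an absolute path is used as written. The location `/usr/sbin/ioreg`, the helper names and the temporary directory with its placeholder file are assumptions constructed for the demonstration; nothing is executed.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// ioregPath is an assumption: the usual macOS location of ioreg.
const ioregPath = "/usr/sbin/ioreg"

// usesPathLookup reports whether os/exec would search $PATH for name.
// exec.Command only does so when name has no directory component.
func usesPathLookup(name string) bool {
	return filepath.Base(name) == name
}

// demo puts a constructed directory holding a harmless placeholder file named
// "ioreg" first in $PATH, then returns what each call style resolves to.
// Nothing is executed; only Cmd.Path is inspected.
func demo() (dir, bare, pinned string, err error) {
	if dir, err = os.MkdirTemp("", "pathdemo"); err != nil {
		return
	}
	defer os.RemoveAll(dir)
	placeholder := filepath.Join(dir, "ioreg")
	if err = os.WriteFile(placeholder, []byte("#!/bin/sh\nexit 0\n"), 0o755); err != nil {
		return
	}
	old := os.Getenv("PATH")
	defer os.Setenv("PATH", old)
	if err = os.Setenv("PATH", dir+string(os.PathListSeparator)+old); err != nil {
		return
	}
	bare = exec.Command("ioreg").Path     // resolved through $PATH
	pinned = exec.Command(ioregPath).Path // taken as written, no lookup
	return
}

func main() {
	dir, bare, pinned, err := demo()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Println("first PATH entry:", dir)
	fmt.Println("bare name   ->", bare, "(PATH lookup:", usesPathLookup("ioreg"), ")")
	fmt.Println("pinned path ->", pinned, "(PATH lookup:", usesPathLookup(ioregPath), ")")
}
```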

codecov bot commented Jan 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.7%. Comparing base (37aa18d) to head (7cfe838).
⚠️ Report is 1 commits behind head on main.

@@          Coverage Diff          @@
##            main   #7818   +/-   ##
=====================================
  Coverage   81.6%   81.7%           
=====================================
  Files        304     304           
  Lines      23240   23240           
=====================================
+ Hits       18985   18990    +5     
+ Misses      3865    3861    -4     
+ Partials     390     389    -1     
Files with missing lines Coverage Δ
sdk/resource/host_id.go 96.8% <100.0%> (ø)

... and 5 files with indirect coverage changes

pellared marked this pull request as ready for review January 20, 2026 20:38
pellared changed the title from "fix: specify full path for ioreg command in Darwin host ID reader" to "resource: specify full path for ioreg command in Darwin host ID reader" Jan 20, 2026
pellared added this to the v1.40.0 milestone Jan 20, 2026
Comment thread CHANGELOG.md Outdated
pellared and others added 2 commits January 21, 2026 17:18
pellared merged commit d45961b into open-telemetry:main Jan 21, 2026
33 checks passed
pellared deleted the harden-ioreg branch January 22, 2026 07:10
MrAlias mentioned this pull request Feb 2, 2026
MrAlias added a commit that referenced this pull request Feb 2, 2026

### Added

- Add `Enabled` method to all synchronous instrument interfaces
(`Float64Counter`, `Float64UpDownCounter`, `Float64Histogram`,
`Float64Gauge`, `Int64Counter`, `Int64UpDownCounter`, `Int64Histogram`,
`Int64Gauge`,) in `go.opentelemetry.io/otel/metric`. This stabilizes the
synchronous instrument enabled feature, allowing users to check if an
instrument will process measurements before performing computationally
expensive operations. (#7763)
- Add `AlwaysRecord` sampler in `go.opentelemetry.io/otel/sdk/trace`.
(#7724)
- Add `go.opentelemetry.io/otel/semconv/v1.39.0` package. The package
contains semantic conventions from the `v1.39.0` version of the
OpenTelemetry Semantic Conventions. See the [migration
documentation](https://github.com/open-telemetry/opentelemetry-go/blob/298cbedf256b7a9ab3c21e41fc5e3e6d6e4e94aa/semconv/v1.39.0/MIGRATION.md)
for information on how to upgrade from
`go.opentelemetry.io/otel/semconv/v1.38.0.` (#7783, #7789)

### Changed

- `Exporter` in `go.opentelemetry.io/otel/exporter/prometheus` ignores
metrics with the scope `go.opentelemetry.io/contrib/bridges/prometheus`.
This prevents scrape failures when the Prometheus exporter is
misconfigured to get data from the Prometheus bridge. (#7688)
- Improve performance of concurrent histogram measurements in
`go.opentelemetry.io/otel/sdk/metric`. (#7474)
- Add experimental observability metrics in
`go.opentelemetry.io/otel/exporters/stdout/stdoutmetric`. (#7492)
- Improve the concurrent performance of `HistogramReservoir` in
`go.opentelemetry.io/otel/sdk/metric/exemplar` by 4x. (#7443)
- Improve performance of concurrent synchronous gauge measurements in
`go.opentelemetry.io/otel/sdk/metric`. (#7478)
- Improve performance of concurrent exponential histogram measurements
in `go.opentelemetry.io/otel/sdk/metric`. (#7702)
- Improve the concurrent performance of `FixedSizeReservoir` in
`go.opentelemetry.io/otel/sdk/metric/exemplar`. (#7447)
- The `rpc.grpc.status_code` attribute in the experimental metrics
emitted from
`go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc` is
replaced with the `rpc.response.status_code` attribute to align with the
semantic conventions. (#7854)
- The `rpc.grpc.status_code` attribute in the experimental metrics
emitted from
`go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc` is
replaced with the `rpc.response.status_code` attribute to align with the
semantic conventions. (#7854)

### Fixed

- Fix bad log message when key-value pairs are dropped because of key
duplication in `go.opentelemetry.io/otel/sdk/log`. (#7662)
- Fix `DroppedAttributes` on `Record` in
`go.opentelemetry.io/otel/sdk/log` to not count the non-attribute
key-value pairs dropped because of key duplication. (#7662)
- Fix `SetAttributes` on `Record` in `go.opentelemetry.io/otel/sdk/log`
to not log that attributes are dropped when they are actually not
dropped. (#7662)
- `WithHostID` detector in `go.opentelemetry.io/otel/sdk/resource` to
use full path for `ioreg` command on Darwin (macOS). (#7818)
- Fix missing `request.GetBody` in
`go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` to
correctly handle HTTP2 GOAWAY frame. (#7794)

### Deprecated

- Deprecate `go.opentelemetry.io/otel/exporters/zipkin`. For more
information, see the [OTel blog post deprecating the Zipkin
exporter](https://opentelemetry.io/blog/2025/deprecating-zipkin-exporters/).
(#7670)

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>