Re: [Nagios-devel] nagios2 plugin output sanitization




In message ,
Christoph Biedl writes:
>Ethan Galstad wrote...
>
>> The only thing that really needs to be escaped/sanitized in my opinion
>> is the plugin output. Everything else (host names, etc.) is specified
>> by the admin in the config files. The output from plugin can vary
>> each/every invocation, so the safety of the output is unknown at any
>> given time.
>
>That's my point. The plugin output is still sent to the browser as-is,
>in other words,
>
>| define command {
>| command_name xss
>| command_line /bin/echo 'Hello world>.'
>| }
>
>still opens a door for a lot of funny things as long as an attacker is
>able to control plugin output.
>
>My workaround, as also sent to the Debian BTS:
>
>--- nagios-2.10.ORIG/cgi/cgiutils.c 2007-10-21 16:39:51.000000000 +0200
>+++ nagios-2.10/cgi/cgiutils.c 2007-11-07 10:11:05.000000000 +0100
>@@ -1418,8 +1418,8 @@
> char * strip_plugin_html(char *input){
>
> /* TODO */
>-
>- return input;
>+ /* Use html_encode for the time being */
>+ return html_encode (input);
> }
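
Review bot: In strip_plugin_html(), the new `return html_encode (input);` no longer hands back `input` itself, so check that every caller copes with a pointer to a different buffer and document the lifetime of whatever html_encode returns; a caller that keeps two results alive at once would break if that buffer is shared. The function now encodes unconditionally rather than stripping, which also escapes markup a plugin emits on purpose, so the retained `/* TODO */` should state the intended final behaviour. Style: drop the space before the parenthesis to match `strip_plugin_html(char *input)`.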

This is something that would be good to have switchable at the service
object level, or maybe at the command object level. My claim is it's
the plugin's responsibility to sanitize its output. After all it's
running as a trusted user, and the root user defines the plugins as
much as the hostnames or other non-escaped stuff.

Returning HTML from the plugin is not a bad thing especially with the
larger output size we now have. I can easily see the plugin doing some
diagnosis and providing a link to the page that describes the problem
and solution for an operator to implement.

If service/command objects get a "sanitize_output" option, I claim the
service should inherit its default from that set in the command
object it uses. If there is no setting in the command object, it
inherits from a nagios.cfg setting.

If the service is passive, there can be a check_command (even if it is
check_dummy), but it makes more sense to set the sanitizing status at
the service level so you can see that any passive results that come in
(possibly from a less trustworthy source) will be sanitized.

-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.






This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
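
The inheritance order proposed in the message above (service, then command, then nagios.cfg), as an added example that is not part of the original post or of the Nagios source. The `sanitize_output` option exists only as a proposal in this thread, so every name below (`sanitize_t`, `resolve_sanitize`, `encode_html`, `render_output`) is hypothetical and the sample plugin output is constructed.

```c
/* Added example: the sanitize_output option is only a proposal in this
 * thread; all names below are hypothetical, not Nagios source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { SANITIZE_UNSET = -1, SANITIZE_OFF = 0, SANITIZE_ON = 1 } sanitize_t;

/* Service setting wins, then the command's, then the nagios.cfg default. */
int resolve_sanitize(sanitize_t service, sanitize_t command, int global_default) {
    if (service != SANITIZE_UNSET) return service == SANITIZE_ON;
    if (command != SANITIZE_UNSET) return command == SANITIZE_ON;
    return global_default != 0;
}

/* Minimal HTML entity encoder; returns a malloc'd string the caller frees. */
char *encode_html(const char *in) {
    size_t n = strlen(in);
    char *out = malloc(n * 6 + 1);   /* worst case: every byte becomes "&quot;" */
    char *p = out;
    if (out == NULL) return NULL;
    for (; *in; in++) {
        switch (*in) {
        case '&':  p += sprintf(p, "&amp;");  break;
        case '<':  p += sprintf(p, "&lt;");   break;
        case '>':  p += sprintf(p, "&gt;");   break;
        case '"':  p += sprintf(p, "&quot;"); break;
        case '\'': p += sprintf(p, "&#39;");  break;
        default:   *p++ = *in;
        }
    }
    *p = '\0';
    return out;
}

/* Returns a malloc'd copy of the output, encoded only when the resolved setting says so. */
char *render_output(const char *out, sanitize_t svc, sanitize_t cmd, int global_default) {
    if (resolve_sanitize(svc, cmd, global_default)) return encode_html(out);
    char *copy = malloc(strlen(out) + 1);
    if (copy) strcpy(copy, out);
    return copy;
}

int main(void) {
    /* Constructed sample: passive service forced on, although its command opts out. */
    char *s = render_output("<b>disk full</b>", SANITIZE_ON, SANITIZE_OFF, 0);
    if (s) { puts(s); free(s); }
    return 0;
}
```

Using a tri-state rather than a boolean is what lets "not set" fall through to the next level, which is the case the message raises for passive services fed from a less trustworthy source.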