nagios2 plugin output sanitization

John P. Rouillard rouilj+nagiosdev at cs.umb.edu
Thu Nov 8 02:57:11 CET 2007


In message <1194426414 at msgid.manchmal.in-ulm.de>,
Christoph Biedl writes:
>Ethan Galstad wrote...
>
>> The only thing that really needs to be escaped/sanitized in my opinion 
>> is the plugin output.  Everything else (host names, etc.) is specified 
>> by the admin in the config files.  The output from plugin can vary 
>> each/every invocation, so the safety of the output it unknown at any 
>> given time.
>
>That's my point.  The plugin output is still sent to the browser as-is,
>in other words,
>
>| define command {
>|     command_name xss
>|     command_line /bin/echo 'Hello <font color="red" size="+10">world</font>.'
>| }
>
>still opens a door for a lot of funny things as long as an attacker is
>able to control plugin output.
>
>My workaround, as also sent to the Debian BTS:
>
>--- nagios-2.10.ORIG/cgi/cgiutils.c     2007-10-21 16:39:51.000000000 +0200
>+++ nagios-2.10/cgi/cgiutils.c  2007-11-07 10:11:05.000000000 +0100
>@@ -1418,8 +1418,8 @@
> char * strip_plugin_html(char *input){
>
>        /* TODO */
>-
>-       return input;
>+       /* Use html_encode for the time being */
>+       return html_encode (input);
>        }
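Review bot: the `/* TODO */` comment directly above the new `return html_encode (input);` is left in place, so the function still reads as unfinished even though it now does real work; fold it into the new comment, e.g. `/* TODO: real stripping; use html_encode for the time being */`, or drop it. Worth flagging too that strip_plugin_html now encodes every character of the output rather than stripping markup, so any HTML a plugin emits on purpose (links, as the reply discusses) is rendered as literal text; the function name no longer describes what it does, and callers that depended on pass-through should be checked.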

This is something that would be good to have switchable at the service
object level, or maybe at the command object level. My claim is it's
the plugin's responsibility to sanitize its output. After all it's
running as a trusted user, and the root user defines the plugins as
much as the hostnames or other non-escaped stuff.

Returning HTML from the plugin is not a bad thing especially with the
larger output size we now have. I can easily see the plugin doing some
diagnosis and providing a link to the page that describes the problem
and solution for an operator to implement.

If service/command objects get a "sanitize_output" option, I claim the
service should inherit its default from that set in the command
object it uses. If there is no setting in the command object, it
inherits from a nagios.cfg setting.

If the service is passive, there can be a check_command (even if it is
check_dummy), but it makes more sense to set the sanitizing status at
the service level so you can see that any passive results that come in
(possibly from a less trustworthy source) will be sanitized.

				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
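To make the inheritance proposed above concrete, here is an added example (not Nagios code and not part of this thread): a tri-state sanitize_output lookup, service over command over nagios.cfg, wired to a stand-in HTML encoder that is applied to plugin output only when the resolved setting says so. The option names, encode_html() and render_plugin_output() are assumptions.

```c
#include <stdlib.h>
#include <string.h>
/* Tri-state value for the proposed sanitize_output option (assumed names). */
#define SANITIZE_UNSET (-1)  /* option not given at this level */
#define SANITIZE_OFF     0   /* pass plugin output through as-is */
#define SANITIZE_ON      1   /* HTML-encode plugin output before display */

/* Service setting wins, then the command object's, then nagios.cfg. */
int resolve_sanitize(int service_opt, int command_opt, int global_opt)
{
    if (service_opt != SANITIZE_UNSET) return service_opt;
    if (command_opt != SANITIZE_UNSET) return command_opt;
    return global_opt;
}

/* Stand-in HTML encoder (assumed, not Nagios' own html_encode()).
 * Returns a malloc'd string; caller frees. */
char *encode_html(const char *in)
{
    char *out = malloc(strlen(in) * 6 + 1); /* "&quot;" is the longest expansion */
    char *p = out;
    if (out == NULL) return NULL;
    for (; *in != '\0'; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep != NULL) { size_t l = strlen(rep); memcpy(p, rep, l); p += l; }
        else *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* Render one plugin output line under the resolved policy.
 * Returns a malloc'd string (encoded or verbatim copy); caller frees. */
char *render_plugin_output(const char *output, int service_opt,
                           int command_opt, int global_opt)
{
    if (resolve_sanitize(service_opt, command_opt, global_opt) == SANITIZE_ON)
        return encode_html(output);
    size_t n = strlen(output) + 1;
    char *copy = malloc(n);
    if (copy != NULL) memcpy(copy, output, n);
    return copy;
}
```

Feeding the quoted xss command's output through render_plugin_output() with only nagios.cfg set to sanitize yields the font tag as literal text, while a service-level SANITIZE_OFF lets a trusted plugin's markup through unchanged.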

