nagios2 plugin output sanitization

[Matthias Flacke]

John P. Rouillard wrote:
> In message <1194426414 at msgid.manchmal.in-ulm.de>,
> Christoph Biedl writes:
>> Ethan Galstad wrote...
>>
>>> The only thing that really needs to be escaped/sanitized in my opinion 
>>> is the plugin output.  Everything else (host names, etc.) is specified 
>>> by the admin in the config files.  The output from plugin can vary 
>>> each/every invocation, so the safety of the output it unknown at any 
>>> given time.
>> That's my point.  The plugin output is still sent to the browser as-is,
>> in other words,
>>
[snip some Debian patching]
> 
> This is something that would be good to have switchable at the service
> object level, or maybe at the command object level. My claim is it's
> the plugins responsibility to sanitize it's output. After all it's
> running as a trusted user, and the root user defines the plugins as
> much as the hostnames or other non-escaped stuff.
> 
> Returning HTML from the plugin is not a bad thing especially with the
> larger output size we now have. I can easily see the plugin doing some
> diagnosis and providing a link to the page that describes the problem
> and solution for an operator to implement.
> 
> If service/command objects get a "sanitize_output" option, I claim the
> service should inherit it's default from that set in the command
> object it uses. If there is no setting in the command object, it
> inherits from a nagios.cfg setting.
> 
> If the service is passive, there can be a check_command (even if it is
> check_dummy), but it makes more sense to set the sanitizing status at
> the service level so you can see that any passive results that come in
> (possibly from a less trustworthy source) will be sanitized.

I fully agree that the plugin takes responsibility for its output, no matter 
whether it speaks plain lines, HTML or XML. With Nagios 3.x we will see new 
plugins coming around extensively using the new liberties.

The question is how to ensure that the plugin output which Nagios receives is 
really the same the plugin sent. There are multiple causes in between which 
might change it: cutting off due to small buffers, or misconfiguration, 
filtering, escaping, quoting issues...

A solution could be that the plugin provides a CRC for its output which is 
checked afterwards. This could be included in the sanitized_output option.

Generally I would say that it's Nagios part to validate the sanity of the 
transport and raise UNKNOWN if not ok.

Greetz,
Matthias

-- 
http://my-plugin.de/check_multi

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/