
external script, nasty characters & argument injection

Open k9fr4n opened this issue 1 year ago • 3 comments

hello

I defined a command in the "[/settings/external scripts/scripts]" section that uses a binary check-ping.exe

check_ping = bin/check-ping.exe /host '$ARG1$'

I set the parameter "allow nasty characters" to false in the category "[/settings/external scripts]"

But I can pass this kind of command:

./check_nrpe -H X.X.X.X -c check_ping -a "google.fr' || echo coucou ||'''"
coucou

Can you check if the option "allow nasty characters" is functional for external scripts?

Regards

k9fr4n, Sep 27 '24 15:09

Actually the NRPE server uses its own settings for those things, e.g.:

[/settings/NRPE/server]
allow nasty characters = false
allow arguments = true

then it works as expected.

/usr/lib/nagios/plugins/check_nrpe -H localhost -c check_ping -a "google.fr' || echo coucou ||'''"
Exception processing request: Request contained illegal characters (check the allow nasty characters option).

So check your nrpe section to see what's configured there. Right now the settings from [/settings/external scripts/scripts] are not used for nrpe.

sni, Sep 28 '24 12:09

Thanks for the reply, it works.

So in what context does the "allow nasty characters" setting work in the "[/settings/external scripts/scripts]" section?

Thanks

k9fr4n, Oct 01 '24 08:10

Right now probably not at all. But it might be a good idea to use them together with the settings from the NRPE/Web section.

sni, Oct 01 '24 09:10

I misread the issue, your check_ping is not the internal check_ping check, but a custom external script, right? Because the internal check_ping does check for nasty characters. So if it is an external script, then indeed the nasty character settings from [/settings/external scripts] should be used. I reworked all the nasty character handling, so it will use the settings from [/settings/external scripts] as well as from [/settings/NRPE/server] or [/settings/WEB/server] depending on your entry point.

sni, Apr 04 '25 12:04
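The comment above describes validating arguments against both the [/settings/external scripts] section and the section of whichever server (NRPE or WEB) received the request. The following Go program is an added example written for this thread, not snclient's own code: it models the three options from the thread, applies the stricter of the two sections (an assumption about how the merge works, chosen for the example), rejects the exact payload posted in the issue while accepting a plain hostname, and expands the `$ARG1$` template into an argv slice so the argument never reaches a shell. The default nasty-character list and the `Config`, `CheckArguments` and `ExpandCommand` names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DefaultNastyCharacters is a constructed default for this example;
// snclient's real default list may differ.
const DefaultNastyCharacters = "|`&><'\"\\[]{}"

// EntryPoint names the server through which a request arrived.
type EntryPoint string

const (
	EntryNRPE EntryPoint = "NRPE"
	EntryWeb  EntryPoint = "WEB"
)

// NastySettings mirrors the options discussed in the thread.
type NastySettings struct {
	AllowArguments       bool
	AllowNastyCharacters bool
	NastyCharacters      string // empty means DefaultNastyCharacters
}

// Config holds the [/settings/external scripts] section plus one section
// per entry point ([/settings/NRPE/server], [/settings/WEB/server]).
type Config struct {
	ExternalScripts NastySettings
	EntryPoints     map[EntryPoint]NastySettings
}

var (
	ErrArgumentsNotAllowed = errors.New("Request contained arguments (check the allow arguments option).")
	ErrIllegalCharacters   = errors.New("Request contained illegal characters (check the allow nasty characters option).")
)

// CheckArguments validates the arguments of an external-script request.
// It rejects the request if the entry point forbids arguments, or if either
// the entry point or the external scripts section forbids nasty characters
// and an argument contains one. Taking the stricter of the two sections is
// this example's assumption, not necessarily snclient's merge rule.
func CheckArguments(cfg Config, ep EntryPoint, args []string) error {
	epSettings, ok := cfg.EntryPoints[ep]
	if !ok {
		return fmt.Errorf("unknown entry point %q", ep)
	}
	if len(args) > 0 && !epSettings.AllowArguments {
		return ErrArgumentsNotAllowed
	}
	if epSettings.AllowNastyCharacters && cfg.ExternalScripts.AllowNastyCharacters {
		return nil
	}
	nasty := cfg.ExternalScripts.NastyCharacters
	if nasty == "" {
		nasty = epSettings.NastyCharacters
	}
	if nasty == "" {
		nasty = DefaultNastyCharacters
	}
	for _, a := range args {
		if strings.ContainsAny(a, nasty) {
			return ErrIllegalCharacters
		}
	}
	return nil
}

// ExpandCommand substitutes $ARG1$, $ARG2$, ... into a command template and
// returns an argv slice. Each template token becomes exactly one argv entry
// (surrounding single quotes are stripped), so the result can be handed to
// exec.Command without a shell: an argument containing "||" stays a single
// literal argv element instead of becoming a shell operator.
func ExpandCommand(template string, args []string) []string {
	var argv []string
	for _, tok := range strings.Fields(template) {
		tok = strings.Trim(tok, "'")
		for i, a := range args {
			tok = strings.ReplaceAll(tok, fmt.Sprintf("$ARG%d$", i+1), a)
		}
		argv = append(argv, tok)
	}
	return argv
}

func main() {
	cfg := Config{
		ExternalScripts: NastySettings{AllowNastyCharacters: false},
		EntryPoints: map[EntryPoint]NastySettings{
			EntryNRPE: {AllowArguments: true, AllowNastyCharacters: true},
		},
	}
	// Constructed from the payload shown in the issue.
	payload := []string{"google.fr' || echo coucou ||'''"}
	fmt.Println(CheckArguments(cfg, EntryNRPE, payload)) // rejected by the external scripts section
	fmt.Println(CheckArguments(cfg, EntryNRPE, []string{"google.fr"}))
	fmt.Printf("%q\n", ExpandCommand("bin/check-ping.exe /host '$ARG1$'", payload))
}
```

Note that the NRPE section in this configuration allows nasty characters, yet the payload is still refused because the external scripts section does not; that is the behaviour the reporter expected when setting the option to false. The argv expansion is the complementary mitigation: even when a character slips past the filter, passing arguments as separate argv entries denies them any shell meaning.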

Thanks for bringing this to our attention. I'd say this is fixed now.

sni, Apr 11 '25 11:04