fix(security): fix vulnerability for file loading (#7227) (#8847)
* fix(security): fix vulnerability for file loading (#7227)
* fix(code): fix PSR2
* fix(code): correct variable name
Co-authored-by: victorvassilev <acedweb@gmail.com>
lpinsivy committed Jul 16, 2020
1 parent 7a2edef commit 9f76e8c
Showing 1 changed file with 91 additions and 39 deletions.
130 changes: 91 additions & 39 deletions www/include/Administration/brokerPerformance/brokerPerformance.php
Expand Up @@ -42,75 +42,109 @@
require_once "./class/centreonGMT.class.php";
require_once realpath(dirname(__FILE__) . "/../../../../config/centreon.config.php");

function createArrayStats($arryFromJson)
function createArrayStats($arrayFromJson)
{
$io = array('class' => 'stats_lv1');

if (isset($arryFromJson['state'])) {
$io[_('State')]['value'] = $arryFromJson['state'];
if ($arryFromJson['state'] == "disconnected") {
if (isset($arrayFromJson['state'])) {
$io[_('State')]['value'] = $arrayFromJson['state'];
if ($arrayFromJson['state'] == "disconnected") {
$io[_('State')]['class'] = "badge service_critical";
} elseif ($arryFromJson['state'] == "listening" || $arryFromJson['state'] == "connected" || $arryFromJson['state'] == "connecting") {
} elseif (
$arrayFromJson['state'] == "listening"
|| $arrayFromJson['state'] == "connected"
|| $arrayFromJson['state'] == "connecting"
) {
$io[_('State')]['class'] = "badge service_ok";
} elseif ($arryFromJson['state'] == "sleeping" || $arryFromJson['state'] == "blocked") {
} elseif ($arrayFromJson['state'] == "sleeping" || $arrayFromJson['state'] == "blocked") {
$io[_('State')]['class'] = "badge service_warning";
}
}

if (isset($arryFromJson['status']) && $arryFromJson['status']) {
$io[_('Status')] = array('value' => $arryFromJson['status'], 'isTimestamp' => false);
if (isset($arrayFromJson['status']) && $arrayFromJson['status']) {
$io[_('Status')] = array('value' => $arrayFromJson['status'], 'isTimestamp' => false);
}

if (isset($arryFromJson['last_event_at']) && $arryFromJson['last_event_at'] != -1) {
$io[_('Last event at')] = array('value' => $arryFromJson['last_event_at'], 'isTimestamp' => true);
if (isset($arrayFromJson['last_event_at']) && $arrayFromJson['last_event_at'] != -1) {
$io[_('Last event at')] = array('value' => $arrayFromJson['last_event_at'], 'isTimestamp' => true);
}

if (isset($arryFromJson['last_connection_attempt']) && $arryFromJson['last_connection_attempt'] != -1) {
$io[_('Last connection attempt')] = array('value' => $arryFromJson['last_connection_attempt'], 'isTimestamp' => true);
if (isset($arrayFromJson['last_connection_attempt']) && $arrayFromJson['last_connection_attempt'] != -1) {
$io[_('Last connection attempt')] = array(
'value' => $arrayFromJson['last_connection_attempt'],
'isTimestamp' => true
);
}

if (isset($arryFromJson['last_connection_success']) && $arryFromJson['last_connection_success'] != -1) {
$io[_('Last connection success')] = array('value' => $arryFromJson['last_connection_success'], 'isTimestamp' => true);
;
if (isset($arrayFromJson['last_connection_success']) && $arrayFromJson['last_connection_success'] != -1) {
$io[_('Last connection success')] = array(
'value' => $arrayFromJson['last_connection_success'],
'isTimestamp' => true
);
}

if (isset($arryFromJson['one_peer_retention_mode'])) {
$io[_('One peer retention mode')] = array('value' => $arryFromJson['one_peer_retention_mode'], 'isTimestamp' => false);
if (isset($arrayFromJson['one_peer_retention_mode'])) {
$io[_('One peer retention mode')] = array(
'value' => $arrayFromJson['one_peer_retention_mode'],
'isTimestamp' => false
);
}

if (isset($arryFromJson['event_processing_speed'])) {
$io[_('Event processing speed')] = array('value' => sprintf("%.2f events/s", $arryFromJson['event_processing_speed']), 'isTimestamp' => false);
if (isset($arrayFromJson['event_processing_speed'])) {
$io[_('Event processing speed')] = array(
'value' => sprintf("%.2f events/s", $arrayFromJson['event_processing_speed']),
'isTimestamp' => false
);
}

if (isset($arryFromJson['queue file']) && isset($arryFromJson['queue file enabled']) && $arryFromJson['queue file enabled'] != "no") {
$io[_('Queue file')] = array('value' => $arryFromJson['queue file'], 'isTimestamp' => false);
if (
isset($arrayFromJson['queue file'])
&& isset($arrayFromJson['queue file enabled'])
&& $arrayFromJson['queue file enabled'] != "no"
) {
$io[_('Queue file')] = array(
'value' => $arrayFromJson['queue file'],
'isTimestamp' => false
);
}

if (isset($arryFromJson['queue file enabled'])) {
$io[_('Queued file enabled')] = array('value' => $arryFromJson['queue file enabled'], 'isTimestamp' => false);
if (isset($arrayFromJson['queue file enabled'])) {
$io[_('Queued file enabled')] = array('value' => $arrayFromJson['queue file enabled'], 'isTimestamp' => false);
}

if (isset($arryFromJson['queued_events'])) {
$io[_('Queued events')] = array('value' => $arryFromJson['queued_events'], 'isTimestamp' => false);
if (isset($arrayFromJson['queued_events'])) {
$io[_('Queued events')] = array('value' => $arrayFromJson['queued_events'], 'isTimestamp' => false);
}

if (isset($arryFromJson['memory file'])) {
$io[_('Memory file')] = array('value' => $arryFromJson['memory file'], 'isTimestamp' => false);
if (isset($arrayFromJson['memory file'])) {
$io[_('Memory file')] = array('value' => $arrayFromJson['memory file'], 'isTimestamp' => false);
}

if (isset($arryFromJson['read_filters']) && $arryFromJson['read_filters']) {
if ($arryFromJson['read_filters'] != 'all') {
$io[_('Input accepted events type')] = array('value' => substr($arryFromJson['read_filters'], 22), 'isTimestamp' => false);
if (isset($arrayFromJson['read_filters']) && $arrayFromJson['read_filters']) {
if ($arrayFromJson['read_filters'] != 'all') {
$io[_('Input accepted events type')] = array(
'value' => substr($arrayFromJson['read_filters'], 22),
'isTimestamp' => false
);
} else {
$io[_('Input accepted events type')] = array('value' => $arryFromJson['read_filters'], 'isTimestamp' => false);
$io[_('Input accepted events type')] = array(
'value' => $arrayFromJson['read_filters'],
'isTimestamp' => false
);
}
}

if (isset($arryFromJson['write_filters']) && $arryFromJson['write_filters']) {
if ($arryFromJson['write_filters'] != 'all') {
$io[_('Output accepted events type')] = array('value' => substr($arryFromJson['write_filters'], 2), 'isTimestamp' => false);
if (isset($arrayFromJson['write_filters']) && $arrayFromJson['write_filters']) {
if ($arrayFromJson['write_filters'] != 'all') {
$io[_('Output accepted events type')] = array(
'value' => substr($arrayFromJson['write_filters'], 2),
'isTimestamp' => false
);
} else {
$io[_('Output accepted events type')] = array('value' => $arryFromJson['write_filters'], 'isTimestamp' => false);
$io[_('Output accepted events type')] = array(
'value' => $arrayFromJson['write_filters'],
'isTimestamp' => false
);
}
}

Expand All @@ -136,7 +170,10 @@ function parseStatsFile($statfile)
$matches[1] = "external-commands";
}

if ((preg_match('/.*external commands.*/', $key) && $json_stats[$key]['state'] != "disconnected") || (!preg_match('/.*external commands.*/', $key))) {
if (
(preg_match('/.*external commands.*/', $key) && $json_stats[$key]['state'] != "disconnected")
|| !preg_match('/.*external commands.*/', $key)
) {
$keySepByDash = explode('-', $key);
$keySepBySpace = explode(' ', $key);
$result['io'][$matches[1]] = createArrayStats($json_stats[$key]);
Expand All @@ -148,7 +185,12 @@ function parseStatsFile($statfile)
/* force type of io */
if (preg_match('/.*external commands.*/', $key)) {
$result['io'][$matches[1]]['type'] = 'input';
} elseif (preg_match('/.*(central-broker-master-sql|centreon-broker-master-rrd|central-broker-master-perfdata).*/', $key)) {
} elseif (
preg_match(
'/.*(central-broker-master-sql|centreon-broker-master-rrd|central-broker-master-perfdata).*/',
$key
)
) {
$result['io'][$matches[1]]['type'] = 'output';
} elseif (preg_match('/.*(centreon-bam-monitoring|centreon-bam-reporting).*/', $key)) {
$result['io'][$matches[1]]['type'] = 'output';
Expand Down Expand Up @@ -211,7 +253,9 @@ function parseStatsFile($statfile)
/*
* Get poller ID
*/
isset($_POST['pollers']) && $_POST['pollers'] != "" ? $selectedPoller = $_POST['pollers'] : $selectedPoller = $defaultPoller;
isset($_POST['pollers']) && $_POST['pollers'] != ""
? $selectedPoller = $_POST['pollers']
: $selectedPoller = $defaultPoller;
if (!isset($selectedPoller)) {
$tmpKeys = array_keys($pollerList);
$selectedPoller = $tmpKeys[0];
Expand Down Expand Up @@ -267,7 +311,15 @@ function parseStatsFile($statfile)
if ($defaultPoller != $selectedPoller) {
$statsfile = _CENTREON_VARLIB_ . '/broker-stats/broker-stats-' . $selectedPoller . '.dat';
}
if (!file_exists($statsfile) || !is_readable($statsfile)) {

/**
* check if file exists, is readable and inside proper folder
*/
if (
!file_exists($statsfile)
|| !is_readable($statsfile)
|| (substr(realpath($statsfile), 0, strlen(_CENTREON_VARLIB_)) !== _CENTREON_VARLIB_ )
) {
$perf_err[$row['config_name']] = _('Cannot open statistics file');
} else {
$perf_info[$row['config_name']] = parseStatsFile($statsfile);
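Review bot: The third condition of the new `if` compares `realpath($statsfile)` against `_CENTREON_VARLIB_` with no trailing separator, so any canonical path that merely begins with the same characters (a sibling directory whose name extends the base) passes the containment test, and the configured base is not itself canonicalised while the file path is, so a symlinked varlib directory would make legitimate stats files fail the check. Canonicalise the base once and compare including the separator: `$baseDir = rtrim(realpath(_CENTREON_VARLIB_), '/') . '/';` before the `if`, and `|| substr(realpath($statsfile), 0, strlen($baseDir)) !== $baseDir` as the third condition; if the default `$statsfile` assigned before this hunk also lives under `broker-stats/`, the base can be tightened to that subdirectory. Since `$selectedPoller` comes straight from `$_POST['pollers']` (the hunk at new line 253) and that hunk already treats the keys of `$pollerList` as the set of valid pollers, rejecting the value there with `!array_key_exists($selectedPoller, $pollerList)` would stop an unexpected value before it is ever spliced into a path, making the realpath check a second line of defence rather than the only one. The `if`/`else` sits inside a block that begins before the hunk, so the `$row` it reads is not visible here.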