This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

fix(status details): Fix hide password in command line (#7079)
lpinsivy authored Apr 3, 2019
1 parent a1c9d78 commit a8828df
Showing 1 changed file with 86 additions and 55 deletions.
141 changes: 86 additions & 55 deletions www/include/monitoring/objectDetails/common-func.php
@@ -1,7 +1,7 @@
<?php
/*
* Copyright 2005-2016 Centreon
* Centreon is developped by : Julien Mathis and Romain Le Merlus under
/**
* Copyright 2005-2019 Centreon
* Centreon is developed by : Julien Mathis and Romain Le Merlus under
* GPL Licence 2.0.
*
* This program is free software; you can redistribute it and/or modify it under
@@ -35,6 +35,15 @@

require_once $centreon_path . "www/class/centreonHost.class.php";

/**
* Hide value of custom macros defined as password
*
* @param string $command_name The name of the command
* @param int $host_id The ID of the host
* @param int $service_id The ID of the service
*
* @return string
*/
function hidePasswordInCommand($command_name, $host_id, $service_id)
{
global $pearDB;
@@ -45,101 +54,123 @@ function hidePasswordInCommand($command_name, $host_id, $service_id)

$pearDBStorage = new CentreonDB('centstorage');

/* Get command line with macro */
$query_command_line = "SELECT command_line FROM command WHERE command_name = '" .
$pearDB->escape($command_name) . "'";
$res = $pearDB->query($query_command_line);
$row = $res->fetchRow();
$command_line_with_macro = $row['command_line'];

/* Get executed command lines */
$query_command_name = "SELECT host_id, check_command, command_line " .
"FROM services " .
"WHERE host_id = '" . $host_id . "' " .
"AND service_id = '" . $service_id . "'";
$query_command_name = "SELECT host_id, check_command, command_line "
. "FROM services "
. "WHERE host_id = '" . $host_id . "' "
. "AND service_id = '" . $service_id . "'";
$res = $pearDBStorage->query($query_command_name);
$row = $res->fetchRow();

$executed_check_command = $row['command_line'];
$host_id = $row['host_id'];

/* Get list of templates */
$arrtSvcTpl = getListTemplates($pearDB, $service_id);
$arrSvcTplID = array($service_id);
foreach ($arrtSvcTpl as $svc) {
$arrSvcTplID[] = $svc['service_id'];
}

/* Get list of custom macros from services and templates */
$query_custom_macro_svc = "SELECT svc_macro_name "
. "FROM on_demand_macro_service "
. "WHERE is_password = 1 "
. "AND svc_svc_id IN ('" . implode('\', \'', $arrSvcTplID) . "')";
$res = $pearDB->query($query_custom_macro_svc);

$arrMacroPassword = array();
while ($row = $res->fetchRow()) {
$arrMacroPassword = array_merge($arrMacroPassword, array($row['svc_macro_name']));
$arrMacroPassword = array_merge (
$arrMacroPassword,
array($row['svc_macro_name'])
);
$executed_check_command = getOptionName(
$command_line_with_macro,
$executed_check_command,
$row['svc_macro_name']
);
}

/* Get custom macros from hosts and templates */
$query_custom_macro_host = "SELECT host_macro_name "
. "FROM on_demand_macro_host "
. "WHERE is_password = 1 "
. "AND host_host_id IN('" . implode('\', \'', getHostsTemplates($host_id)) . "')";
. "AND host_host_id IN ('" . implode('\', \'', getHostsTemplates($host_id)) . "')";
$res = $pearDB->query($query_custom_macro_host);
while ($row = $res->fetchRow()) {
$arrMacroPassword = array_merge($arrMacroPassword, array($row['host_macro_name']));
}

$commandWithoutArg = explode('!', $command_name);
$command_name = $commandWithoutArg[0];

/* Get command line with macro */
$query_command_line = "SELECT command_line FROM command WHERE command_name = '" .
$pearDB->escape($command_name) . "'";
$res = $pearDB->query($query_command_line);
$row = $res->fetchRow();
$command_line_with_macro = $row['command_line'];

/* Replace password by stars */
$command_line_with_macro = str_replace('/', '\/', $command_line_with_macro);
$command_line_with_macro = str_replace('-', '\-', $command_line_with_macro);
$command_line_with_macro = str_replace('.', '\.', $command_line_with_macro);
$command_line_with_macro = preg_replace('/\$USER\d+\$\\//', '.*', $command_line_with_macro);
$command_line_with_macro = preg_replace('/\$CENTREONPLUGINS\$\\//', '.*', $command_line_with_macro);

foreach ($arrMacroPassword as $macro) {
$pattern = str_replace('$', '\$', $macro);
// If '$_MACRO$'
$command_line_with_macro = preg_replace('/\'' . $pattern . '\'/', '(\'.*\')', $command_line_with_macro);
// Else $_MACRO$
$command_line_with_macro = preg_replace('/' . $pattern . '/', '(.*)', $command_line_with_macro);
while ($row = $res->fetchRow()) {
$arrMacroPassword = array_merge(
$arrMacroPassword,
array($row['host_macro_name'])
);
$executed_check_command = getOptionName(
$command_line_with_macro,
$executed_check_command,
$row['host_macro_name']
);
}

$command_line_with_macro = preg_replace('/\$[^$]+\$/', '.*', $command_line_with_macro);

// Remove dual '.*' at the end of command due to $_SERVICEEXTRAOPTIONS$ for example
if (preg_match("/\.\*'?\s?\.\*$/", $command_line_with_macro)) {
$command_line_with_macro = preg_replace("/\.\*\s?\.\*$/", '.*', $command_line_with_macro);
$command_line_with_macro = preg_replace("/\.\*'\s?\.\*$/", ".*'", $command_line_with_macro);
}
return $executed_check_command;
}

if (preg_match('/' . $command_line_with_macro . '/', $executed_check_command, $matches)) {
for ($i = 1; $i <= count($matches); $i++) {
if (isset($matches[$i])) {
$executed_check_command = str_replace($matches[$i], '***', $executed_check_command);
}
/**
* Get the name of the option in the command line corresponding
* to the custom macro password type
*
* @param string $command_with_macro Configuration command line
* @param string $executed_command Executed command line
* @param string $macro The custom macro password type
*
* @return string
*/
function getOptionName($command_with_macro, $executed_command, $macro) {
$macro = str_replace('$', '\$', $macro);
$pattern = "/(\-\-?[a-zA-Z0-9\-\_]+=?\W+?)\'?" . $macro . "\'?/";
if (preg_match($pattern, $command_with_macro, $matches)) {
for ($i = 1; $i < count($matches); $i++) {
/* Prepare pattern */
$pattern = $matches[$i];
$pattern = str_replace('/', '\/', $pattern);
$pattern = str_replace('-', '\-', $pattern);
$pattern = str_replace('.', '\.', $pattern);
$pattern = "/(.*\s)?" . $pattern . "\'?([\\x21-\\x7E]+)\'?(\s.*)?/";
/* Replace value of custom macro password type
in executed command line */
$executed_command = preg_replace($pattern, "\$1" . $matches[$i] . "***\$3", $executed_command);
}
}

return $executed_check_command;
return $executed_command;
}


function getHostsTemplates($host_id)
{
/**
* Get the list of hosttemplate ID of an host
*
* @param int $host_id The ID of the host
*
* @return array
*/
function getHostsTemplates($host_id) {
$pearDBCentreon = new CentreonDB();

$query = "SELECT host_tpl_id FROM host_template_relation "
. "WHERE host_host_id = '" . $host_id . "'";
$res = $pearDBCentreon->query($query);
if ($res->rowCount() == 0) {
if ($res->numRows() == 0) {
return array($host_id);
} else {
$arrHostTpl = array();
while ($row = $res->fetchRow()) {
$arrHostTpl = array_merge($arrHostTpl, getHostsTemplates($row['host_tpl_id']));
$arrHostTpl = array_merge(
$arrHostTpl,
getHostsTemplates($row['host_tpl_id'])
);
$arrHostTpl = array_merge($arrHostTpl, array($host_id));
}
return $arrHostTpl;
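Review bot: In `getOptionName` the masking fails open: when the password macro is not written in the configured command line as the value of a `-x`/`--name` option (a positional argument, for example), `preg_match` finds nothing and the executed command is returned with the password intact, and because the value is matched with `[\x21-\x7E]+`, a password containing a space or a non-ASCII byte is masked only up to that character. The option text captured in `$matches[$i]` is put back into a pattern after escaping only `/`, `-` and `.`, yet `\W+?` can capture other regex metacharacters, so I would build it with `$pattern = preg_quote($matches[$i], '/');` and likewise use `$macro = preg_quote($macro, '/');` instead of the single `str_replace`. Separately, `$host_id` and `$service_id` are still concatenated into the `services` query and into the query in `getHostsTemplates` without a cast or bound parameter, although the new docblocks declare them `int`; `$host_id = (int) $host_id;` at the top of each function would make that hold. The body of `getHostsTemplates` continues past the end of the visible section.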