From a8828dfe8df9a3706cc42ce30b7728ac9c6a0174 Mon Sep 17 00:00:00 2001
From: Laurent Pinsivy
Date: Wed, 3 Apr 2019 09:40:17 +0200
Subject: [PATCH] fix(status details): Fix hide password in command line (#7079)
---
.../monitoring/objectDetails/common-func.php | 141 +++++++++++------
1 file changed, 86 insertions(+), 55 deletions(-)
diff --git a/www/include/monitoring/objectDetails/common-func.php b/www/include/monitoring/objectDetails/common-func.php
index 407917d640e..0d8206d6e84 100644
--- a/www/include/monitoring/objectDetails/common-func.php
+++ b/www/include/monitoring/objectDetails/common-func.php
@@ -1,7 +1,7 @@ escape($command_name) . "'"; + $res = $pearDB->query($query_command_line); + $row = $res->fetchRow(); + $command_line_with_macro = $row['command_line']; + /* Get executed command lines */ - $query_command_name = "SELECT host_id, check_command, command_line " . - "FROM services " . - "WHERE host_id = '" . $host_id . "' " . - "AND service_id = '" . $service_id . "'"; + $query_command_name = "SELECT host_id, check_command, command_line " + . "FROM services " + . "WHERE host_id = '" . $host_id . "' " + . "AND service_id = '" . $service_id . "'"; $res = $pearDBStorage->query($query_command_name); $row = $res->fetchRow(); - $executed_check_command = $row['command_line']; - $host_id = $row['host_id']; + /* Get list of templates */ $arrtSvcTpl = getListTemplates($pearDB, $service_id); $arrSvcTplID = array($service_id); foreach ($arrtSvcTpl as $svc) { $arrSvcTplID[] = $svc['service_id']; } + /* Get list of custom macros from services and templates */ $query_custom_macro_svc = "SELECT svc_macro_name " . "FROM on_demand_macro_service " . "WHERE is_password = 1 " . "AND svc_svc_id IN ('" . implode('\', \'', $arrSvcTplID) . "')"; $res = $pearDB->query($query_custom_macro_svc); + $arrMacroPassword = array(); while ($row = $res->fetchRow()) { - $arrMacroPassword = array_merge($arrMacroPassword, array($row['svc_macro_name'])); + $arrMacroPassword = array_merge ( + $arrMacroPassword, + array($row['svc_macro_name']) + ); + $executed_check_command = getOptionName( + $command_line_with_macro, + $executed_check_command, + $row['svc_macro_name'] + ); } /* Get custom macros from hosts and templates */ $query_custom_macro_host = "SELECT host_macro_name " . "FROM on_demand_macro_host " . "WHERE is_password = 1 " - . "AND host_host_id IN('" . implode('\', \'', getHostsTemplates($host_id)) . "')"; + . "AND host_host_id IN ('" . implode('\', \'', getHostsTemplates($host_id)) . 
"')"; $res = $pearDB->query($query_custom_macro_host); - while ($row = $res->fetchRow()) { - $arrMacroPassword = array_merge($arrMacroPassword, array($row['host_macro_name'])); - } - - $commandWithoutArg = explode('!', $command_name); - $command_name = $commandWithoutArg[0]; - /* Get command line with macro */ - $query_command_line = "SELECT command_line FROM command WHERE command_name = '" . - $pearDB->escape($command_name) . "'"; - $res = $pearDB->query($query_command_line); - $row = $res->fetchRow(); - $command_line_with_macro = $row['command_line']; - - /* Replace password by stars */ - $command_line_with_macro = str_replace('/', '\/', $command_line_with_macro); - $command_line_with_macro = str_replace('-', '\-', $command_line_with_macro); - $command_line_with_macro = str_replace('.', '\.', $command_line_with_macro); - $command_line_with_macro = preg_replace('/\$USER\d+\$\\//', '.*', $command_line_with_macro); - $command_line_with_macro = preg_replace('/\$CENTREONPLUGINS\$\\//', '.*', $command_line_with_macro); - - foreach ($arrMacroPassword as $macro) { - $pattern = str_replace('$', '\$', $macro); - // If '$_MACRO$' - $command_line_with_macro = preg_replace('/\'' . $pattern . '\'/', '(\'.*\')', $command_line_with_macro); - // Else $_MACRO$ - $command_line_with_macro = preg_replace('/' . $pattern . 
'/', '(.*)', $command_line_with_macro); + while ($row = $res->fetchRow()) { + $arrMacroPassword = array_merge( + $arrMacroPassword, + array($row['host_macro_name']) + ); + $executed_check_command = getOptionName( + $command_line_with_macro, + $executed_check_command, + $row['host_macro_name'] + ); } - $command_line_with_macro = preg_replace('/\$[^$]+\$/', '.*', $command_line_with_macro); - - // Remove dual '.*' at the end of command due to $_SERVICEEXTRAOPTIONS$ for example - if (preg_match("/\.\*'?\s?\.\*$/", $command_line_with_macro)) { - $command_line_with_macro = preg_replace("/\.\*\s?\.\*$/", '.*', $command_line_with_macro); - $command_line_with_macro = preg_replace("/\.\*'\s?\.\*$/", ".*'", $command_line_with_macro); - } + return $executed_check_command; +} - if (preg_match('/' . $command_line_with_macro . '/', $executed_check_command, $matches)) { - for ($i = 1; $i <= count($matches); $i++) { - if (isset($matches[$i])) { - $executed_check_command = str_replace($matches[$i], '***', $executed_check_command); - } +/** + * Get the name of the option in the command line corresponding + * to the custom macro password type + * + * @param string $command_with_macro Configuration command line + * @param string $executed_command Executed command line + * @param string $macro The custom macro password type + * + * @return string + */ +function getOptionName($command_with_macro, $executed_command, $macro) { + $macro = str_replace('$', '\$', $macro); + $pattern = "/(\-\-?[a-zA-Z0-9\-\_]+=?\W+?)\'?" . $macro . "\'?/"; + if (preg_match($pattern, $command_with_macro, $matches)) { + for ($i = 1; $i < count($matches); $i++) { + /* Prepare pattern */ + $pattern = $matches[$i]; + $pattern = str_replace('/', '\/', $pattern); + $pattern = str_replace('-', '\-', $pattern); + $pattern = str_replace('.', '\.', $pattern); + $pattern = "/(.*\s)?" . $pattern . 
"\'?([\\x21-\\x7E]+)\'?(\s.*)?/"; + /* Replace value of custom macro password type + in executed command line */ + $executed_command = preg_replace($pattern, "\$1" . $matches[$i] . "***\$3", $executed_command); } } - return $executed_check_command; + return $executed_command; } - -function getHostsTemplates($host_id) -{ +/** + * Get the list of hosttemplate ID of an host + * + * @param int $host_id The ID of the host + * + * @return array + */ +function getHostsTemplates($host_id) { $pearDBCentreon = new CentreonDB(); $query = "SELECT host_tpl_id FROM host_template_relation " . "WHERE host_host_id = '" . $host_id . "'"; $res = $pearDBCentreon->query($query); - if ($res->rowCount() == 0) { + if ($res->numRows() == 0) { return array($host_id); } else { $arrHostTpl = array(); while ($row = $res->fetchRow()) { - $arrHostTpl = array_merge($arrHostTpl, getHostsTemplates($row['host_tpl_id'])); + $arrHostTpl = array_merge( + $arrHostTpl, + getHostsTemplates($row['host_tpl_id']) + ); $arrHostTpl = array_merge($arrHostTpl, array($host_id)); } return $arrHostTpl;