Soap XML Check via Nagios check_http

I would like to do a soap/xml check against a web server and it appears the parameters are “cleaned” through php Purify and it’s stripping the xml out of the request. If I run the command from the CLI it works fine. If I use the straight XML and turn on the verbose logging, I can see it strip all of the XML and just leave the actual data piece. If I try to encode the XML the web server sees it as a text string and doesn’t know what to do with the data (aka no “<soap…” just “&lt…”. If I comment out the purify line in /includes/ it works fine, but when the next code release comes along it will re-enable purify and break all of my soap/xml monitoring.

Here’s my CLI command that works:

/usr/lib64/nagios/plugins/check_http -H host -I host -S -w 3 -c 5 -u /InfoService -T ‘text/xml’ -P ‘<soapenv:Envelope xmlns:soapenv=“” xmlns:ser=“”>soapenv:Header/soapenv:Bodyser:invokeGetDatacc:123456</ser:invokeGetData></soapenv:Body></soapenv:Envelope>’ -R ‘cc:123456’ -v

Any suggestions?

I really don’t understand why LibreNMS runs html purifier there…

shouldn’t it use escapeshellcmd()?

Not sure. I found a few posts discussing this:

I get that the parameters is trying to protect the system from bad parameters being passed but for my internal system if there was a way to do a bypass (where I accept security responsibility) that would be great. Could a setting in config.php be added where the parameters are not scrubbed/modified? I have really enjoyed this tool and this would keep me from introducing another tool or disabling updates because I modified the code.

I took a look at sanitizing it properly (hint it is not being sanitized properly now).

The problem is the options are specified as a string and more than one can be specified.

try adding ; cat /etc/passwd to the parameters field…