Soap XML Check via Nagios check_http

frosty · 24 September 2018 16:07

I would like to do a soap/xml check against a web server and it appears the parameters are “cleaned” through php Purify and it’s stripping the xml out of the request. If I run the command from the CLI it works fine. If I use the straight XML and turn on the verbose logging, I can see it strip all of the XML and just leave the actual data piece. If I try to encode the XML the web server sees it as a text string and doesn’t know what to do with the data (aka no “<soap…” just “&lt…”. If I comment out the purify line in /includes/services.inc.php it works fine, but when the next code release comes along it will re-enable purify and break all of my soap/xml monitoring.

Here’s my CLI command that works:

/usr/lib64/nagios/plugins/check_http -H host -I host -S -w 3 -c 5 -u /InfoService -T ‘text/xml’ -P ‘<soapenv:Envelope xmlns:soapenv=“http://schemas.xmlsoap.org/soap/envelope/” xmlns:ser=“http://service.app.pg.com/”>soapenv:Header/soapenv:Body ser:invokeGetDatacc:123456</ser:invokeGetData></soapenv:Body></soapenv:Envelope>’ -R ‘cc:123456’ -v

Any suggestions?

murrant · 26 September 2018 19:59

I really don’t understand why LibreNMS runs html purifier there…

shouldn’t it use escapeshellcmd()?

frosty · 27 September 2018 13:24

Not sure. I found a few posts discussing this:

github.com/librenms/librenms

services.inc.php is escaping things, causing issues with services that allow things like regex as arguments

opened 11:08PM - 03 Nov 16 UTC

closed 12:25PM - 16 Feb 17 UTC

Gorian

Bug

DO NOT DELETE THIS INFORMATION. > Please read this information carefully. …GitHub issues is for feature requests or bugs, please do not post issues asking for help or how to do X, Y or Z. You can use our irc channel ##librenms on freenode to ask questions or our [community site](https://community.librenms.org). - [x] Is your install up to date? [Updating your install](http://docs.librenms.org/General/Updating/) Please do not submit an issue if your install is not up to date within the last 24 hours or on a stable monthly release. - [x] Please include all of the information between the `====================================` section of `./validate.php`. - [ ] If you would like us to add a new device then please provide the information asked for [here](http://docs.librenms.org/Support/FAQ/#faq20) - [x] Please provide as much detail as possible. Component|Version -------------|------------- LibreNMS | 6bed6cbea187b1a59b3cd049a3aa29ca6081723d DB Schema | 148 PHP | 7.0.11 MySQL | 5.5.50-MariaDB RRDTool | 1.4.8 SNMP | NET-SNMP 5.7.2 https://github.com/librenms/librenms/blob/master/includes/services.inc.php#L206 the check_service function runs the check command through `escapeshellcmd`, which escapes all the things for safe execution. This is great, except that some services, like check_http include a `--regex` option. In my case, I have a REST API that returns an empty set in json, like `{"C":"V"}`. I want check_http to return OK if it receives this response. the argument `--regex="\{\"C\"\:\"V\"\}"` does exactly what I want, however the regex string is being escaped by `escapeshellcmd`, resulting in the following instead: `--regex=\{"C":"V"\}` You can see here: ![image](https://cloud.githubusercontent.com/assets/1012176/19988646/8d833de4-a1de-11e6-963c-f91d7f119a05.png) if there was a way to safely escape user input, while allowing service checks with more complex arguments,that would be awesome. Full service_params string: `--ssl --method="POST" --content-type="application/json" --url="/query" --regex="\{\"C\":\"V\"\}"` Command working correctly in CLI: ![image](https://cloud.githubusercontent.com/assets/1012176/19988890/25866e58-a1e0-11e6-872d-1efc6927cb8a.png)

I get that the parameters is trying to protect the system from bad parameters being passed but for my internal system if there was a way to do a bypass (where I accept security responsibility) that would be great. Could a setting in config.php be added where the parameters are not scrubbed/modified? I have really enjoyed this tool and this would keep me from introducing another tool or disabling updates because I modified the code.

murrant · 27 September 2018 19:48

I took a look at sanitizing it properly (hint it is not being sanitized properly now).

The problem is the options are specified as a string and more than one can be specified.

try adding ; cat /etc/passwd to the parameters field…

system · 12 October 2021 13:11