From 930ac9bf11eb04545220308366429becaef6d817 Mon Sep 17 00:00:00 2001 From: qgarnier Date: Fri, 10 Sep 2021 16:01:09 +0200 Subject: [PATCH] secure(nrpe): ssl-options use safe module (#3097) --- centreon-plugins/centreon/plugins/nrpe.pm | 62 ++++++++++++++++++--- centreon-plugins/centreon/plugins/output.pm | 2 + 2 files changed, 55 insertions(+), 9 deletions(-) diff --git a/centreon-plugins/centreon/plugins/nrpe.pm b/centreon-plugins/centreon/plugins/nrpe.pm index a389ec47a..77de36089 100644 --- a/centreon-plugins/centreon/plugins/nrpe.pm +++ b/centreon-plugins/centreon/plugins/nrpe.pm @@ -22,6 +22,7 @@ package centreon::plugins::nrpe; use strict; use warnings; +use centreon::plugins::misc; use Convert::Binary::C; use Digest::CRC 'crc32'; use IO::Socket; @@ -87,22 +88,65 @@ sub check_options { $self->{nrpe_params}->{Domain} = AF_INET6; } - $self->{ssl_context} = ''; - my $append = ''; + $self->{ssl_context} = {}; foreach (@{$options{option_results}->{ssl_opt}}) { - if ($_ ne '' && $_ =~ /.*=>.*/) { - $self->{ssl_context} .= $append . $_; - $append = ', '; + if (/(SSL_[A-Za-z_]+)\s+=>\s*(\S+)/) { + my $value = $2; + $value = $self->assign_eval(eval => $value); + $self->{ssl_context}->{$1} = $value; } } } +sub load_eval { + my ($self) = @_; + + my ($code) = centreon::plugins::misc::mymodule_load( + output => $self->{output}, module => 'Safe', + no_quit => 1 + ); + if ($code == 0) { + $self->{safe} = Safe->new(); + $self->{safe}->permit_only(':base_core', 'rv2gv', 'padany'); + $self->{safe}->share('$values'); + $self->{safe}->share('$assign_var'); + $self->{safe}->share_from('IO::Socket::SSL', [ + 'SSL_VERIFY_NONE', 'SSL_VERIFY_PEER', 'SSL_VERIFY_FAIL_IF_NO_PEER_CERT', 'SSL_VERIFY_CLIENT_ONCE', + 'SSL_RECEIVED_SHUTDOWN', 'SSL_SENT_SHUTDOWN', + 'SSL_OCSP_NO_STAPLE', 'SSL_OCSP_MUST_STAPLE', 'SSL_OCSP_FAIL_HARD', 'SSL_OCSP_FULL_CHAIN', 'SSL_OCSP_TRY_STAPLE' + ]); + } + + $self->{safe_test} = 1; +} + +sub assign_eval { + my ($self, %options) = @_; + + $self->load_eval() if (!defined($self->{safe_test}) || $self->{safe_test} == 0); + + our $assign_var; + if (defined($self->{safe})) { + our $values = $options{values}; + $self->{safe}->reval("\$assign_var = $options{eval}", 1); + if ($@) { + die 'Unsafe code evaluation: ' . $@; + } + } else { + my $values = $options{values}; + eval "\$assign_var = $options{eval}"; + } + + return $assign_var; +} + + sub create_socket { my ($self, %options) = @_; my $socket; - if ($self->{ssl_context} ne '') { - $socket = IO::Socket::SSL->new(%{$self->{nrpe_params}}, eval $self->{ssl_context}); + if (scalar(keys %{$self->{ssl_context}} > 0)) { + $socket = IO::Socket::SSL->new(%{$self->{nrpe_params}}, %{$self->{ssl_context}}); if (!$socket) { $self->{output}->add_option_msg(short_msg => "Failed to establish SSL connection: $!, ssl_error=$SSL_ERROR"); $self->{output}->option_exit(); @@ -454,8 +498,8 @@ Timeout in secondes (Default: 10). =item B<--ssl-opt> -Set SSL Options (--ssl-opt="SSL_version => 'TLSv1'" --ssl-opt="SSL_verify_mode => 0" ---ssl-opt="SSL_cipher_list => ALL"). +Set SSL Options (--ssl-opt="SSL_version => 'TLSv1'" --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" +--ssl-opt="SSL_cipher_list => 'ALL'"). =back diff --git a/centreon-plugins/centreon/plugins/output.pm b/centreon-plugins/centreon/plugins/output.pm index 79f843ffe..098b0c93e 100644 --- a/centreon-plugins/centreon/plugins/output.pm +++ b/centreon-plugins/centreon/plugins/output.pm @@ -911,6 +911,8 @@ sub load_eval { $self->{safe}->share('$values'); $self->{safe}->share('$assign_var'); } + + $self->{safe_test} = 1; } sub test_eval {