From 8f585bd2eed7900d08cdff946f3ac830d3de12f1 Mon Sep 17 00:00:00 2001
From: Julian Brost
Date: Mon, 7 Jun 2021 17:15:00 +0200
Subject: [PATCH] event::ExecuteCommand: add missing origin check

Only handle messages with a trusted origin in ClusterEvents::ExecuteCommandAPIHandler. Previously, it would not locally execute any command but forward them to other nodes where they would then have a trusted origin and be executed.
---
 lib/icinga/clusterevents.cpp | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/lib/icinga/clusterevents.cpp b/lib/icinga/clusterevents.cpp
index 4db3d76bf..0bb4a06a0 100644
--- a/lib/icinga/clusterevents.cpp
+++ b/lib/icinga/clusterevents.cpp
@@ -736,6 +736,31 @@ Value ClusterEvents::ExecuteCommandAPIHandler(const MessageOrigin::Ptr& origin,
 if (!listener)
 return Empty;
 
+ if (!origin->IsLocal()) {
+ Endpoint::Ptr endpoint = origin->FromClient->GetEndpoint();
+
+ /* Discard messages from anonymous clients */
+ if (!endpoint) {
+ Log(LogNotice, "ClusterEvents") << "Discarding 'execute command' message from '"
+ << origin->FromClient->GetIdentity() << "': Invalid endpoint origin (client not allowed).";
+ return Empty;
+ }
+
+ Zone::Ptr originZone = endpoint->GetZone();
+
+ Zone::Ptr localZone = Zone::GetLocalZone();
+ bool fromLocalZone = originZone == localZone;
+
+ Zone::Ptr parentZone = localZone->GetParent();
+ bool fromParentZone = parentZone && originZone == parentZone;
+
+ if (!fromLocalZone && !fromParentZone) {
+ Log(LogNotice, "ClusterEvents") << "Discarding 'execute command' message from '"
+ << origin->FromClient->GetIdentity() << "': Unauthorized access.";
+ return Empty;
+ }
+ }
+
 if (params->Contains("endpoint")) {
 Endpoint::Ptr execEndpoint = Endpoint::GetByName(params->Get("endpoint"));
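Review bot: `localZone` is dereferenced in `localZone->GetParent()` without a null check, although `parentZone` on the following line is guarded, and `fromLocalZone` is a bare pointer comparison that evaluates to true when `originZone` and `localZone` are both empty. Whether `Zone::GetLocalZone()` or `endpoint->GetZone()` can return an empty pointer at this point is not visible in the hunk, but an authorization check should fail closed in that case rather than crash or accept the message. I would add `if (!originZone || !localZone) return Empty;` (with the same discard log line) right after `localZone` is fetched, before the two comparisons. The discards are logged at `LogNotice`; they appear to be the only trace of a node outside the local or parent zone requesting command execution, so a higher severity may be worth considering if notice-level messages are filtered in typical log configurations. The body of `ExecuteCommandAPIHandler` starts before and continues after the hunk.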