monitoring: Ensure cvs are also protected in exported results

2021-02-02 16:39:28 +01:00 · 2021-02-02 16:39:28 +01:00 · 9c1e4fa491
parent b48fc20edf
commit 9c1e4fa491
2 changed files with 37 additions and 2 deletions
--- a/modules/monitoring/library/Monitoring/Controller.php
+++ b/modules/monitoring/library/Monitoring/Controller.php
@ -3,11 +3,13 @@

 namespace Icinga\Module\Monitoring;

+use ArrayIterator;
 use Icinga\Exception\ConfigurationError;
 use Icinga\Exception\QueryException;
 use Icinga\Data\Filter\Filter;
 use Icinga\Data\Filterable;
 use Icinga\File\Csv;
+use Icinga\Module\Monitoring\Data\CustomvarProtectionIterator;
 use Icinga\Util\Json;
 use Icinga\Web\Controller as IcingaWebController;
 use Icinga\Web\Url;
@ -60,7 +62,15 @@ class Controller extends IcingaWebController
                        'Content-Disposition',
                        'inline; filename=' . $this->getRequest()->getActionName() . '.json'
                    )
-                    ->appendBody(Json::sanitize($query->fetchAll()))
+                    ->appendBody(
+                        Json::sanitize(
+                            iterator_to_array(
+                                new CustomvarProtectionIterator(
+                                    new ArrayIterator($query->fetchAll())
+                                )
+                            )
+                        )
+                    )
                    ->sendResponse();
                exit;
            case 'csv':
@ -72,7 +82,7 @@ class Controller extends IcingaWebController
                        'Content-Disposition',
                        'attachment; filename=' . $this->getRequest()->getActionName() . '.csv'
                    )
-                    ->appendBody((string) Csv::fromQuery($query))
+                    ->appendBody((string) Csv::fromQuery(new CustomvarProtectionIterator($query)))
                    ->sendResponse();
                exit;
        }
--- a/modules/monitoring/library/Monitoring/Data/CustomvarProtectionIterator.php
+++ b/modules/monitoring/library/Monitoring/Data/CustomvarProtectionIterator.php
@ -0,0 +1,25 @@
+<?php
+/* Icinga Web 2 | (c) 2021 Icinga GmbH | GPLv2+ */
+
+namespace Icinga\Module\Monitoring\Data;
+
+use Icinga\Module\Monitoring\Object\MonitoredObject;
+use IteratorIterator;
+
+class CustomvarProtectionIterator extends IteratorIterator
+{
+    const IS_CV_RE = '~^_(host|service)_([a-zA-Z0-9_]+)$~';
+
+    public function current()
+    {
+        $row = parent::current();
+
+        foreach ($row as $col => $val) {
+            if (preg_match(self::IS_CV_RE, $col, $m)) {
+                $row->$col = MonitoredObject::protectCustomVars([$m[2] => $val])[$m[2]];
+            }
+        }
+
+        return $row;
+    }
+}