Branch: refs/heads/2.1.0
Home: https://github.com/tribe29/checkmk
Commit: 0640da6391fee5ac96a5f17c043dc8fb39ae2bcc
https://github.com/tribe29/checkmk/commit/0640da6391fee5ac96a5f17c043dc8fb3…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-05-23 (Mon, 23 May 2022)
Changed paths:
A .werks/13724
M cmk/ec/actions.py
M cmk/gui/wato/mkeventd.py
M cmk/update_config.py
Log Message:
-----------
13724 SEC Remove legacy macro expansion in Event Console script actions
The Event Console is able to execute actions, e.g. shell scripts, when opening
or cancelling events. Details of the events are available to the script via
environment variables <tt>CMK_</tt> as described in the user manual
(https://docs.checkmk.com/latest/en/ec.html#_shell_scripts_and_emails). This
mechanism will keep working as before.
However, there is a second undocumented mechanism which relies on macro
expansion in the shell scripts. Previously it was possible to use macros (e.g.
<tt>$HOST$</tt>) in the <i>Event Console</i> scripts. These were replaced
before executing the script. The values of these macros can be untrusted input
and lead to command injections. You are only affected by this issue if your
scripts use the macro expansion.
With this incompatible change we remove the macro expansion mechanism for
security reasons. The site update mechanism tries to detect Event Console
actions using these macros, disables the actions and informs you about this
change. The output of an <tt>omd update</tt> for a rule being disabled would
look like this:
C+:
"Script 'some_action_id' uses macros. We disable it. Please replace the macros
with proper variables before enabling it again!"
C-:
If you use the <i>Event Console</i> with shell script actions you should check
your scripts for macros and replace them with the documented environment
variable approach (Setup > Events > Event Console rule packs > Event Console
configuration > Event Console configuration). You can access all macro values
with environment variables (they are prefixed with <tt>CMK_</tt>).
Change-Id: Ia587b19575003c6f501dc4fe5066af1781a7fef8
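
The difference between the two mechanisms described in the werk above, as an added example that is not Checkmk code and not part of the commit: it flags legacy macros in an action script, rewrites them to `CMK_`-prefixed environment variables, and runs both forms on a constructed event. The macro regex, the function names and the sample script are assumptions; `run_legacy` is only a sketch of textual substitution, not the code removed from `cmk/ec/actions.py`.

```python
import os
import re
import subprocess

# Heuristic for the legacy syntax: an upper-case name between dollar signs.
MACRO_RE = re.compile(r"\$([A-Z][A-Z0-9_]*)\$")


def find_macros(script: str) -> list[str]:
    """Names of legacy macros used in an action script (sorted, unique)."""
    return sorted(set(MACRO_RE.findall(script)))


def migrate(script: str) -> str:
    """Rewrite $NAME$ as ${CMK_NAME}; quoting in the script is left as it is."""
    return MACRO_RE.sub(lambda m: "${CMK_%s}" % m.group(1), script)


def run_legacy(script: str, event: dict[str, str]) -> str:
    """Sketch of the removed behaviour: values are pasted into the script text."""
    expanded = MACRO_RE.sub(lambda m: event.get(m.group(1), ""), script)
    return subprocess.run(["sh", "-c", expanded], capture_output=True, text=True).stdout


def run_with_env(script: str, event: dict[str, str]) -> str:
    """Documented approach: values reach the shell only as CMK_* variables."""
    env = dict(os.environ, **{"CMK_" + k: v for k, v in event.items()})
    return subprocess.run(["sh", "-c", script], capture_output=True, text=True, env=env).stdout


# Constructed sample data: an action script and an event with a hostile host field.
OLD_SCRIPT = 'echo "event on" $HOST$'
EVENT = {"HOST": "web01; echo INJECTED"}

if __name__ == "__main__":
    print(find_macros(OLD_SCRIPT))                    # macros that need replacing
    print(run_legacy(OLD_SCRIPT, EVENT))              # value is parsed as shell syntax
    print(run_with_env(migrate(OLD_SCRIPT), EVENT))   # value stays plain data
```

With the environment variable the shell expands the value after parsing, so the `;` in the host field is never interpreted as a command separator.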