3845 FIX Added missing validation of host attribute values to WATO Web API calls - Checkmk git commits

29 Aug 2016

Module: check_mk
Branch: master
Commit: 36e295ec16e9451d778ed4baba8efae542663149
URL:   
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=36e295ec16e945…

Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt;
Date:   Mon Aug 29 10:20:13 2016 +0200

3845 FIX Added missing validation of host attribute values to WATO Web API calls

---

 .werks/3845                  |    9 +++++++++
 ChangeLog                    |    1 +
 web/htdocs/watolib.py        |   18 +++++++++++-------
 web/plugins/webapi/webapi.py |   16 +++++++++++++++-
 4 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/.werks/3845 b/.werks/3845
new file mode 100644
index 0000000..c10a6fc
--- /dev/null
+++ b/.werks/3845
@@ -0,0 +1,9 @@
+Title: Added missing validation of host attribute values to WATO Web API calls
+Level: 1
+Component: wato
+Compatible: compat
+Version: 1.4.0i1
+Date: 1472458792
+Class: fix
+
+
diff --git a/ChangeLog b/ChangeLog
index e4b923e..7f1086f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -573,6 +573,7 @@
     * 3757 FIX: Bulk import: Ensuring non ASCII characters are not imported into regular
attributes
     * 3760 FIX: Cluster nodes can not be nodes of their own anymore
     * 3844 FIX: Fixed validation of host IPv4, IPv6 and management host address
attributes...
+    * 3845 FIX: Added missing validation of host attribute values to WATO Web API calls
 
     Notifications:
     * 3263 Notifications: allow users to restrict by their contact groups...
diff --git a/web/htdocs/watolib.py b/web/htdocs/watolib.py
index c758e5c..54b3647 100644
--- a/web/htdocs/watolib.py
+++ b/web/htdocs/watolib.py
@@ -2408,25 +2408,29 @@ class Attribute:
 
     # Check if the value entered by the user is valid.
     # This method may raise MKUserError in case of invalid user input.
-    def validate_input(self, varprefix):
+    def validate_input(self, value, varprefix):
         pass
 
+
     # If this attribute should be present in Nagios as
     # a host custom macro, then the value of that macro
     # should be returned here - otherwise None
     def to_nagios(self, value):
         return None
 
+
     # Checks if the give value matches the search attributes
     # that are represented by the current HTML variables.
     def filter_matches(self, crit, value, hostname):
         return crit == value
 
+
     # Host tags to set for this host
     def get_tag_list(self, value):
         return []
 
 
+
 # A simple text attribute. It is stored in
 # a Python unicode string
 class TextAttribute(Attribute):
@@ -2457,8 +2461,7 @@ class TextAttribute(Attribute):
             value = ""
         return value.strip()
 
-    def validate_input(self, varprefix):
-        value = self.from_html_vars(varprefix)
+    def validate_input(self, value, varprefix):
         if self._mandatory and not value:
             raise MKUserError(varprefix + "attr_" + self.name(),
                   _("Please specify a value for %s") % self.title())
@@ -2654,8 +2657,7 @@ class ValueSpecAttribute(Attribute):
     def from_html_vars(self, varprefix):
         return self._valuespec.from_html_vars(varprefix + self._name)
 
-    def validate_input(self, varprefix):
-        value = self.from_html_vars(varprefix)
+    def validate_input(self, value, varprefix):
         self._valuespec.validate_value(value, varprefix + self._name)
 
 
@@ -2922,10 +2924,12 @@ def collect_attributes(for_what, do_validate = True,
varprefix=""):
         if not html.var(for_what + "_change_%s" % attrname, False):
             continue
 
+        value = attr.from_html_vars(varprefix)
+
         if do_validate and attr.needs_validation(for_what):
-            attr.validate_input(varprefix)
+            attr.validate_input(value, varprefix)
 
-        host[attrname] = attr.from_html_vars(varprefix)
+        host[attrname] = value
     return host
 
 #.
diff --git a/web/plugins/webapi/webapi.py b/web/plugins/webapi/webapi.py
index 34387a7..a3de28c 100644
--- a/web/plugins/webapi/webapi.py
+++ b/web/plugins/webapi/webapi.py
@@ -31,17 +31,30 @@ def validate_request_keys(request, valid_keys):
         if key not in valid_keys:
             raise MKUserError(None, _("Invalid key: %s") % key)
 
+
 # Check if the given attribute name exists, no type check
 def validate_general_host_attributes(host_attributes):
-    # inventory_failed and site are no "real" host_attributes
+    # inventory_failed and site are no "real" host_attributes (TODO: Clean this
up!)
     all_host_attribute_names = map(lambda (x, y): x.name(), all_host_attributes()) +
["inventory_failed", "site"]
     for name, value in host_attributes.items():
         if name not in all_host_attribute_names:
             raise MKUserError(None, _("Unknown attribute: %s") %
html.attrencode(name))
+
+        # For real host attributes validate the values
+        try:
+            attr = host_attribute(name)
+        except KeyError:
+            attr = None
+
+        if attr != None:
+            if attr.needs_validation("host"):
+                attr.validate_input(value, "")
+
         # The site attribute gets an extra check
         if name == "site" and value not in config.allsites().keys():
             raise MKUserError(None, _("Unknown site %s") %
html.attrencode(value))
 
+
 # Check if the tag group exists and the tag value is valid
 def validate_host_tags(host_tags):
     for key, value in host_tags.items():
@@ -56,6 +69,7 @@ def validate_host_tags(host_tags):
         else:
             raise MKUserError(None, _("Unknown host tag group %s") %
html.attrencode(key))
 
+
 def validate_host_attributes(attributes):
     validate_general_host_attributes(dict((key, value) for key, value in
attributes.items() if not key.startswith("tag_")))
     validate_host_tags(dict((key[4:], value) for key, value in attributes.items() if
key.startswith("tag_")))


    