Module: check_mk Branch: master Commit: b7e7211b701330a4cc4b643b1706dd92efeefb8c URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=b7e7211b701330… Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt; Date: Mon Aug 29 10:09:59 2016 +0200 3844 FIX Fixed validation of host IPv4, IPv6 and management host address attributes The values inserted in the WATO host address fields were not validated strictly enough. This has now been changed so that the IPv4 address field allows IPv4 addresses and host- or DNS names and the IPv6 address field allos IPv6 address and host- or DNS names. --- .werks/3844 | 11 ++++ ChangeLog | 1 + web/htdocs/valuespec.py | 86 ++++++++++++++++++++++++++++++++ web/plugins/wato/builtin_attributes.py | 43 ++++++++-------- 4 files changed, 121 insertions(+), 20 deletions(-) diff --git a/.werks/3844 b/.werks/3844 new file mode 100644 index 0000000..b7052a6 --- /dev/null +++ b/.werks/3844 @@ -0,0 +1,11 @@ +Title: Fixed validation of host IPv4, IPv6 and management host address attributes +Level: 2 +Component: wato +Compatible: compat +Version: 1.4.0i1 +Date: 1472458101 +Class: fix + +The values inserted in the WATO host address fields were not validated strictly enough. +This has now been changed so that the IPv4 address field allows IPv4 addresses and host- +or DNS names and the IPv6 address field allos IPv6 address and host- or DNS names. diff --git a/ChangeLog b/ChangeLog index 512226d..e4b923e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -572,6 +572,7 @@ * 3756 FIX: Bulk import: Fixed exception when host name contained special characters * 3757 FIX: Bulk import: Ensuring non ASCII characters are not imported into regular attributes * 3760 FIX: Cluster nodes can not be nodes of their own anymore + * 3844 FIX: Fixed validation of host IPv4, IPv6 and management host address attributes... Notifications: * 3263 Notifications: allow users to restrict by their contact groups... diff --git a/web/htdocs/valuespec.py b/web/htdocs/valuespec.py index 3ebb50b..8ab3bd3 100644 --- a/web/htdocs/valuespec.py +++ b/web/htdocs/valuespec.py @@ -32,6 +32,7 @@ # - Checkbox -> rename to Boolean import math, os, time, re, sre_constants, urlparse, forms, tempfile +import socket from lib import * def type_name(v): @@ -621,6 +622,91 @@ class Hostname(TextAscii): if "allow_empty" not in kwargs: self._allow_empty = False + + +# Use this for all host / ip address input fields! +class HostAddress(TextAscii): + def __init__(self, **kwargs): + TextAscii.__init__(self, **kwargs) + self._allow_host_name = kwargs.get("allow_host_name", True) + self._allow_ipv4_address = kwargs.get("allow_ipv4_address", True) + self._allow_ipv6_address = kwargs.get("allow_ipv6_address", True) + + + def validate_value(self, value, varprefix): + if self._allow_host_name and self._is_valid_host_name(value): + pass + elif self._allow_ipv4_address and self._is_valid_ipv4_address(value): + pass + elif self._allow_ipv6_address and self._is_valid_ipv6_address(value): + pass + else: + raise MKUserError(varprefix, _("Invalid host address. You need to specify the address " + "either as %s." % ", ".join(self._allowed_type_names()))) + + ValueSpec.custom_validate(self, value, varprefix) + + + def _is_valid_host_name(self, hostname): + # http://stackoverflow.com/questions/2532053/validate-a-hostname-string/25323… + if len(hostname) > 255: + return False + + if hostname[-1] == ".": + hostname = hostname[:-1] # strip exactly one dot from the right, if present + + # must be not all-numeric, so that it can't be confused with an IPv4 address. + # Host names may start with numbers (RFC 1123 section 2.1) but never the final part, + # since TLDs are alphabetic. + if re.match(r"[\d.]+$", hostname): + return False + + allowed = re.compile("(?!-)[A-Z\d-]{1,63}(?<!-)$", re.IGNORECASE) + return all(allowed.match(x) for x in hostname.split(".")) + + + def _is_valid_ipv4_address(self, address): + # http://stackoverflow.com/questions/319279/how-to-validate-ip-address-in-pyt… + try: + socket.inet_pton(socket.AF_INET, address) + except AttributeError: # no inet_pton here, sorry + try: + socket.inet_aton(address) + except socket.error: + return False + + return address.count('.') == 3 + + except socket.error: # not a valid address + return False + + return True + + + def _is_valid_ipv6_address(self, address): + # http://stackoverflow.com/questions/319279/how-to-validate-ip-address-in-pyt… + try: + socket.inet_pton(socket.AF_INET6, address) + except socket.error: # not a valid address + return False + return True + + + def _allowed_type_names(self): + allowed = [] + if self._allow_host_name: + allowed.append(_("Host- or DNS name")) + + if self._allow_ipv4_address: + allowed.append(_("IPv4 address")) + + if self._allow_ipv6_address: + allowed.append(_("IPv6 address")) + + return allowed + + + class AbsoluteDirname(TextAscii): def __init__(self, **kwargs): TextAscii.__init__(self, **kwargs) diff --git a/web/plugins/wato/builtin_attributes.py b/web/plugins/wato/builtin_attributes.py index fcc1c78..b5990a3 100644 --- a/web/plugins/wato/builtin_attributes.py +++ b/web/plugins/wato/builtin_attributes.py @@ -35,7 +35,7 @@ declare_host_attribute(NagiosTextAttribute("alias", "alias", _("Alias"), show_in_folder = False) declare_host_attribute(ValueSpecAttribute("ipaddress", - TextAscii( + HostAddress( title = _("IPv4 Address"), help = _("In case the name of the host is not resolvable via <tt>/etc/hosts</tt> " "or DNS by your monitoring server, you can specify an explicit IP " @@ -50,6 +50,7 @@ declare_host_attribute(ValueSpecAttribute("ipaddress", "each time the host is checked. Check_MKs DNS cache will NOT be queried. " "Use this only for hosts with dynamic IP addresses."), allow_empty = False, + allow_ipv6_address = False, )), show_in_table = True, show_in_folder = False, @@ -57,7 +58,7 @@ declare_host_attribute(ValueSpecAttribute("ipaddress", ) declare_host_attribute(ValueSpecAttribute("ipv6address", - TextAscii( + HostAddress( title = _("IPv6 Address"), help = _("In case the name of the host is not resolvable via <tt>/etc/hosts</tt> " "or DNS by your monitoring server, you can specify an explicit IPv6 " @@ -72,6 +73,7 @@ declare_host_attribute(ValueSpecAttribute("ipv6address", "each time the host is checked. Check_MKs DNS cache will NOT be queried. " "Use this only for hosts with dynamic IP addresses."), allow_empty = False, + allow_ipv4_address = False, )), show_in_table = True, show_in_folder = False, @@ -447,23 +449,24 @@ declare_host_attribute(ManagementTypeAttribute("management_protocol"), topic = _("Management Board") ) -declare_host_attribute(TextAttribute("management_address", _("Address"), - _("Address (IPv4 or IPv6) or dns name under which the " - "management board can be reached. If this is not set, " - "the same address as that of the Host will be used."), - allow_empty = False), - show_in_table = False, - show_in_folder = False, - topic = _("Management Board") - ) +declare_host_attribute(ValueSpecAttribute("management_address", + HostAddress( + title = _("Address"), + help = _("Address (IPv4 or IPv6) or dns name under which the " + "management board can be reached. If this is not set, " + "the same address as that of the Host will be used."), + allow_empty = False + )), + show_in_table = False, + show_in_folder = False, + topic = _("Management Board") +) declare_host_attribute(ValueSpecAttribute("management_snmp_community", - SNMPCredentials( - default_value = None, - ) - ), - show_in_table = False, - show_in_folder = False, - topic = _("Management Board") - ) - + SNMPCredentials( + default_value = None, + )), + show_in_table = False, + show_in_folder = False, + topic = _("Management Board") +)