ZABBIX BUGS AND ISSUES / ZBX-24615

Escaping is not done for macro inside JS code


    • Type: Problem report
    • Resolution: Duplicate
    • Priority: Critical
    • None
    • 6.0.30, 6.4.15, 7.0.0
    • None
    • S24-W24/25

      Steps to reproduce:

      1. Create a JS step, for example:
        var macro = "{#VALUELENGTH}";
        if (!/^\d+$/.test(macro)) return "Invalid #VALUELENGTH macro";
        if (value.length == macro.length) return "OK";
        return "The value has "+value.length+" characters.";
        
      2. Inject JavaScript code. Return something completely different with a macro:
        "; return "Fire in the server room! Activate sprinklers and evacuate immediately!"; \\
      3. The extra objects are helpful for injecting something else (sending an HTTP request, etc.):
        https://www.zabbix.com/documentation/current/en/manual/config/items/preprocessing/javascript/javascript_objects

            zabbix.dev Zabbix Development Team
            edgar.akhmetshin Edgar Akhmetshin
            Team A
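
The substitution problem described in the steps above, shown next to an escaped expansion. This is an added example, not Zabbix code and not part of the original issue: `expandRaw`, `expandEscaped`, `runStep` and `demo` are hypothetical names, the macro values are constructed, and the script runs under Node.js rather than Zabbix's embedded JS engine.

```javascript
// Added illustration, not Zabbix source. expandRaw/expandEscaped are hypothetical
// models of macro expansion by text substitution into a preprocessing script.
const MACRO = '{#VALUELENGTH}';
const TEMPLATE = [ // the JS step from the report
  'var macro = "{#VALUELENGTH}";',
  'if (!/^\\d+$/.test(macro)) return "Invalid #VALUELENGTH macro";',
  'if (value.length == macro.length) return "OK";',
  'return "The value has "+value.length+" characters.";',
].join('\n');

// Model of the reported behaviour: the macro value is pasted into the source as-is.
function expandRaw(template, name, macroValue) {
  return template.split(name).join(macroValue);
}

// Hardened model: encode the value as the body of a JS string literal.
// JSON.stringify escapes quotes, backslashes and control characters; slice() drops
// its outer quotes because the template supplies them. U+2028/U+2029 are escaped
// separately because ES5 engines treat them as line terminators inside literals.
function expandEscaped(template, name, macroValue) {
  const body = JSON.stringify(String(macroValue)).slice(1, -1)
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
  return template.split(name).join(body);
}

// Run an expanded script as a function body that receives `value`.
// Compile and runtime errors are returned as text instead of thrown.
function runStep(source, value) {
  try {
    return new Function('value', source)(value);
  } catch (e) {
    return 'ERROR: ' + e.name;
  }
}

function demo() {
  const hostile = '"; return "INJECTED"; //'; // constructed sample macro value
  return {
    benignRaw: runStep(expandRaw(TEMPLATE, MACRO, '12345'), 'abcde'),
    benignEscaped: runStep(expandEscaped(TEMPLATE, MACRO, '12345'), 'abcde'),
    hostileRaw: runStep(expandRaw(TEMPLATE, MACRO, hostile), 'abcde'),
    hostileEscaped: runStep(expandEscaped(TEMPLATE, MACRO, hostile), 'abcde'),
  };
}

console.log(demo());
```

With escaping, the script's own `/^\d+$/` check sees the whole macro value as data and rejects it; without escaping, that check is never reached.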