[ZBX-12963] Unable to pass $ sign to external check Created: 2017 Oct 30  Updated: 2024 Apr 10  Resolved: 2018 Nov 02

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F), Proxy (P), Server (S)
Affects Version/s: None
Fix Version/s: 4.2 (plan)

Type: Problem report Priority: Minor
Reporter: Vitaly Zhuravlev Assignee: Martins Valkovskis
Resolution: Fixed Votes: 0
Labels: externalchecks
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by ZBX-2450 no security measures are taken for ex... Closed
Team: Team D
Sprint: Sprint 23, Sprint 24, Sprint 46, Nov 2018
Story Points: 1

 Description   

Unable to pass an argument containing a literal $ to an external check, since everything is wrapped in double quotes. Escaping $ doesn't work either, since the sequence \${code} would become ${code} by zabbix code here:

svn blame svn://svn.zabbix.com/trunk/src/zabbix_server/poller/checks_external.c

49450      wiper               param_esc = zbx_dyn_escape_string(param, "\"\\");
49450      wiper               zbx_snprintf_alloc(&cmd, &cmd_alloc, &cmd_offset, " \"%s\"", param_esc);
 

Steps to reproduce:
create external check with key:

script.sh[login,passwor$d]

and file script.sh

#!/bin/bash
echo $1 $2

Result:
this would turn to

login passwor

Expected:

login passwor$d

Suggested
Wrapping to single quotes instead of double quotes could help. Change how arguments are wrapped automatically:

zabbix key                               -> command
script.sh[login,passwor$d]       -> script.sh 'login' 'passwor$d'
script.sh['login','passwor$d']    -> script.sh 'login' 'passwor$d'
script.sh["login","passwor$d"]  -> script.sh "login" "passwor$d"
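
The difference between the two wrappings, as an added shell sketch that is not part of the original report and is not Zabbix's code: `wrap_double` mirrors the escaping shown in the blame output above, and `wrap_single` is one common way to single-quote an argument, assumed here for illustration. The function names and sample parameters are constructed.

```shell
#!/bin/sh
# Added illustration; function names and sample parameters are constructed.

# Wrapping from the report: backslash-escape " and \, then wrap in "...".
# $ and ` stay live inside double quotes, so sh still expands them.
wrap_double() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/["\\]/\\&/g')"
}

# Single-quote wrapping: only ' is special inside '...', so each embedded '
# is rewritten as '\'' (close quote, escaped quote, reopen quote).
wrap_single() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hand the wrapped text to sh as part of a command line, the way a command
# string is interpreted, and return what a script would receive as $1.
received() {
    sh -c "printf '%s' $1"
}

unset d   # keep the demo deterministic: $d must be empty, as in the report
for p in 'passwor$d' "it's \$d"; do
    printf 'param:  %s\n' "$p"
    printf '  double: %s -> [%s]\n' "$(wrap_double "$p")" "$(received "$(wrap_double "$p")")"
    printf '  single: %s -> [%s]\n' "$(wrap_single "$p")" "$(received "$(wrap_single "$p")")"
done
```

With double quotes the script receives `passwor`; with single quotes it receives `passwor$d`, including when the parameter itself contains a single quote.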


 Comments   
Comment by Glebs Ivanovskis (Inactive) [ 2017 Oct 30 ]

wiper isn't guilty, this logic has been there since ZBX-3647.

palivoda Do you agree with the suggested solution? - glebs.ivanovskis
If not, are there any other options?

glebs.ivanovskis I have no idea how to fix this without breaking backwards compatibility.

Comment by Glebs Ivanovskis (Inactive) [ 2017 Nov 01 ]

This problem partially stems from the fact that we have very permissive item key parameter syntax and poorly thought-through quoting/escaping rules. This does not allow us to introduce "parameter preprocessing options" for escaping shell special characters, ignoring macros, etc. If item key parameters required all strings to be quoted and allowed only numeric values to be unquoted, a solution for this problem could look like:

script.sh[escape_shell_spec_chars("login"), escape_shell_spec_chars("passwor$d")]

Comment by Sergejs Paskevics [ 2017 Dec 13 ]

Resolved in svn://svn.zabbix.com/branches/dev/ZBX-12963
Argument wrapping was changed from " to '.

Comment by Sergejs Paskevics [ 2018 Jan 03 ]

Implemented in 4.0.0alpha2 (trunk) in r76522.

Comment by richlv [ 2018 Feb 12 ]

(1) the what's new entry at https://zabbix.com/documentation/4.0/manual/introduction/whatsnew400 says :

Upon completion of an external check script, arguments are wrapped to single quotes ' instead of double quotes ". This change allows Zabbix to accept more signs in an external check parameter's name. For example, the $ sign is no longer ignored.

three potential issues here :

  • "completion" seems wrong - shouldn't this be "running", "invocation" or similar ?
  • "an external check parameter's name" - shouldn't this be "external check parameters" ?
  • "$" was not ignored before, but interpreted by the shell

it might be worth also changing "wrapped to" to "wrapped in", and maybe changing "sign" to more common "character" or "symbol".

martins-v Thanks, richlv for the useful suggestions. The wording has been updated. RESOLVED

sasha CLOSED
