Fixed possible injection of traps in trap receiver

zabbix · Oct 1, 2024 · 44b795a · 44b795a
1 parent 60592e8
commit 44b795a
Show file tree

Hide file tree

Showing 5 changed files with 75 additions and 0 deletions.
diff --git a/Dockerfiles/snmptraps/alpine/conf/usr/sbin/zabbix_trap_handler.sh b/Dockerfiles/snmptraps/alpine/conf/usr/sbin/zabbix_trap_handler.sh
@@ -44,4 +44,19 @@ done
 
 [[ "$ZBX_SNMP_TRAP_USE_DNS" == "true" ]] && ! [[ ${host} =~ \[(.*?)\].*\-\> ]] && sender_addr=$host
 
+# Header in Zabbix format shouldn't exist anywhere in vars, it is injection
+# Must exit with 0
+date_regex=$(echo "$ZBX_SNMP_TRAP_DATE_FORMAT" | sed -e 's/^+//g' \
+        -e 's/%Y/[0-9]\{4\}/g' \
+        -e 's/%m/[0-9]\{2\}/g' \
+        -e 's/%d/[0-9]\{2\}/g' \
+        -e 's/%T/[0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}/g' \
+        -e 's/%z/[\+\-][0-9]\{4\}/g' \
+        -e 's/%H/[0-9]\{2\}/g' \
+        -e 's/%M/[0-9]\{2\}/g' \
+        -e 's/%S/[0-9]\{2\}/g')
+
+zbx_trap_regex="$date_regex ZBXTRAP"
+echo "$vars" | grep -qE "$zbx_trap_regex" && exit 0
+
 echo -e "$date ZBXTRAP $sender_addr$ZBX_SNMP_TRAP_FORMAT$sender$ZBX_SNMP_TRAP_FORMAT$vars" >> $ZABBIX_TRAPS_FILE
diff --git a/Dockerfiles/snmptraps/centos/conf/usr/sbin/zabbix_trap_handler.sh b/Dockerfiles/snmptraps/centos/conf/usr/sbin/zabbix_trap_handler.sh
@@ -44,4 +44,19 @@ done
 
 [[ "$ZBX_SNMP_TRAP_USE_DNS" == "true" ]] && ! [[ ${host} =~ \[(.*?)\].*\-\> ]] && sender_addr=$host
 
+# Header in Zabbix format shouldn't exist anywhere in vars, it is injection
+# Must exit with 0
+date_regex=$(echo "$ZBX_SNMP_TRAP_DATE_FORMAT" | sed -e 's/^+//g' \
+        -e 's/%Y/[0-9]\{4\}/g' \
+        -e 's/%m/[0-9]\{2\}/g' \
+        -e 's/%d/[0-9]\{2\}/g' \
+        -e 's/%T/[0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}/g' \
+        -e 's/%z/[\+\-][0-9]\{4\}/g' \
+        -e 's/%H/[0-9]\{2\}/g' \
+        -e 's/%M/[0-9]\{2\}/g' \
+        -e 's/%S/[0-9]\{2\}/g')
+
+zbx_trap_regex="$date_regex ZBXTRAP"
+echo "$vars" | grep -qE "$zbx_trap_regex" && exit 0
+
 echo -e "$date ZBXTRAP $sender_addr$ZBX_SNMP_TRAP_FORMAT$sender$ZBX_SNMP_TRAP_FORMAT$vars" >> $ZABBIX_TRAPS_FILE
diff --git a/Dockerfiles/snmptraps/ol/conf/usr/sbin/zabbix_trap_handler.sh b/Dockerfiles/snmptraps/ol/conf/usr/sbin/zabbix_trap_handler.sh
@@ -44,4 +44,19 @@ done
 
 [[ "$ZBX_SNMP_TRAP_USE_DNS" == "true" ]] && ! [[ ${host} =~ \[(.*?)\].*\-\> ]] && sender_addr=$host
 
+# Header in Zabbix format shouldn't exist anywhere in vars, it is injection
+# Must exit with 0
+date_regex=$(echo "$ZBX_SNMP_TRAP_DATE_FORMAT" | sed -e 's/^+//g' \
+        -e 's/%Y/[0-9]\{4\}/g' \
+        -e 's/%m/[0-9]\{2\}/g' \
+        -e 's/%d/[0-9]\{2\}/g' \
+        -e 's/%T/[0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}/g' \
+        -e 's/%z/[\+\-][0-9]\{4\}/g' \
+        -e 's/%H/[0-9]\{2\}/g' \
+        -e 's/%M/[0-9]\{2\}/g' \
+        -e 's/%S/[0-9]\{2\}/g')
+
+zbx_trap_regex="$date_regex ZBXTRAP"
+echo "$vars" | grep -qE "$zbx_trap_regex" && exit 0
+
 echo -e "$date ZBXTRAP $sender_addr$ZBX_SNMP_TRAP_FORMAT$sender$ZBX_SNMP_TRAP_FORMAT$vars" >> $ZABBIX_TRAPS_FILE
diff --git a/Dockerfiles/snmptraps/rhel/conf/usr/sbin/zabbix_trap_handler.sh b/Dockerfiles/snmptraps/rhel/conf/usr/sbin/zabbix_trap_handler.sh
@@ -44,4 +44,19 @@ done
 
 [[ "$ZBX_SNMP_TRAP_USE_DNS" == "true" ]] && ! [[ ${host} =~ \[(.*?)\].*\-\> ]] && sender_addr=$host
 
+# Header in Zabbix format shouldn't exist anywhere in vars, it is injection
+# Must exit with 0
+date_regex=$(echo "$ZBX_SNMP_TRAP_DATE_FORMAT" | sed -e 's/^+//g' \
+        -e 's/%Y/[0-9]\{4\}/g' \
+        -e 's/%m/[0-9]\{2\}/g' \
+        -e 's/%d/[0-9]\{2\}/g' \
+        -e 's/%T/[0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}/g' \
+        -e 's/%z/[\+\-][0-9]\{4\}/g' \
+        -e 's/%H/[0-9]\{2\}/g' \
+        -e 's/%M/[0-9]\{2\}/g' \
+        -e 's/%S/[0-9]\{2\}/g')
+
+zbx_trap_regex="$date_regex ZBXTRAP"
+echo "$vars" | grep -qE "$zbx_trap_regex" && exit 0
+
 echo -e "$date ZBXTRAP $sender_addr$ZBX_SNMP_TRAP_FORMAT$sender$ZBX_SNMP_TRAP_FORMAT$vars" >> $ZABBIX_TRAPS_FILE
diff --git a/Dockerfiles/snmptraps/ubuntu/conf/usr/sbin/zabbix_trap_handler.sh b/Dockerfiles/snmptraps/ubuntu/conf/usr/sbin/zabbix_trap_handler.sh
@@ -44,4 +44,19 @@ done
 
 [[ "$ZBX_SNMP_TRAP_USE_DNS" == "true" ]] && ! [[ ${host} =~ \[(.*?)\].*\-\> ]] && sender_addr=$host
 
+# Header in Zabbix format shouldn't exist anywhere in vars, it is injection
+# Must exit with 0
+date_regex=$(echo "$ZBX_SNMP_TRAP_DATE_FORMAT" | sed -e 's/^+//g' \
+        -e 's/%Y/[0-9]\{4\}/g' \
+        -e 's/%m/[0-9]\{2\}/g' \
+        -e 's/%d/[0-9]\{2\}/g' \
+        -e 's/%T/[0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}/g' \
+        -e 's/%z/[\+\-][0-9]\{4\}/g' \
+        -e 's/%H/[0-9]\{2\}/g' \
+        -e 's/%M/[0-9]\{2\}/g' \
+        -e 's/%S/[0-9]\{2\}/g')
+
+zbx_trap_regex="$date_regex ZBXTRAP"
+echo "$vars" | grep -qE "$zbx_trap_regex" && exit 0
+
 echo -e "$date ZBXTRAP $sender_addr$ZBX_SNMP_TRAP_FORMAT$sender$ZBX_SNMP_TRAP_FORMAT$vars" >> $ZABBIX_TRAPS_FILE