Dont allow arbitrary patam passage

2025-12-07 09:35:54 -08:00 · 2024-08-29 11:43:29 -07:00
parent 4a0b18bc68
commit 6be2811297
3 changed files with 18 additions and 16 deletions
--- a/src/utils/proxy/handlers/jsonrpc.js
+++ b/src/utils/proxy/handlers/jsonrpc.js
@@ -65,13 +65,15 @@ export async function sendJsonRpcRequest(url, method, params, widget) {
 }

 export default async function jsonrpcProxyHandler(req, res) {
-  const { group, service, endpoint: method, query } = req.query;
-  const params = query ? JSON.parse(query) : null;
+  const { group, service, endpoint: method } = req.query;

  if (group && service) {
    const widget = await getServiceWidget(group, service);
    const api = widgets?.[widget.type]?.api;

+    const [, mapping] = Object.entries(widgets?.[widget.type]?.mappings).find(([, value]) => value.endpoint === method);
+    const params = mapping?.params ?? null;
+
    if (!api) {
      return res.status(403).json({ error: "Service does not support API calls" });
    }
@@ -79,8 +81,7 @@ export default async function jsonrpcProxyHandler(req, res) {
    if (widget) {
      const url = formatApiCall(api, { ...widget });

-      // eslint-disable-next-line no-unused-vars
-      const [status, contentType, data] = await sendJsonRpcRequest(url, method, params, widget);
+      const [status, , data] = await sendJsonRpcRequest(url, method, params, widget);
      return res.status(status).end(data);
    }
  }
--- a/src/widgets/zabbix/component.jsx
+++ b/src/widgets/zabbix/component.jsx
@@ -9,21 +9,11 @@ const PriorityAverage = "3";
 const PriorityHigh = "4";
 const PriorityDisaster = "5";

-const triggerParams = {
-  output: ["triggerid", "description", "priority"],
-  filter: {
-    value: 1,
-  },
-  sortfield: "priority",
-  sortorder: "DESC",
-  monitored: "true",
-};
-
 export default function Component({ service }) {
  const { t } = useTranslation();
  const { widget } = service;

-  const { data: zabbixData, error: zabbixError } = useWidgetAPI(widget, "trigger", triggerParams);
+  const { data: zabbixData, error: zabbixError } = useWidgetAPI(widget, "trigger");

  if (zabbixError) {
    return <Container service={service} error={zabbixError} />;
--- a/src/widgets/zabbix/widget.js
+++ b/src/widgets/zabbix/widget.js
@@ -5,7 +5,18 @@ const widget = {
  proxyHandler: jsonrpcProxyHandler,

  mappings: {
-    trigger: { endpoint: "trigger.get" },
+    trigger: {
+      endpoint: "trigger.get",
+      params: {
+        output: ["triggerid", "description", "priority"],
+        filter: {
+          value: 1,
+        },
+        sortfield: "priority",
+        sortorder: "DESC",
+        monitored: "true",
+      },
+    },
  },
 };