From 6be28112978b834cd87fa5de3dc0cab99041c8d6 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Thu, 29 Aug 2024 11:43:29 -0700
Subject: [PATCH] Dont allow arbitrary patam passage
---
 src/utils/proxy/handlers/jsonrpc.js | 9 +++++----
 src/widgets/zabbix/component.jsx | 12 +----------
 src/widgets/zabbix/widget.js | 13 ++++++++++++-
 3 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/src/utils/proxy/handlers/jsonrpc.js b/src/utils/proxy/handlers/jsonrpc.js
index a7135bd96..41bbf866d 100644
--- a/src/utils/proxy/handlers/jsonrpc.js
+++ b/src/utils/proxy/handlers/jsonrpc.js
@@ -65,13 +65,15 @@ export async function sendJsonRpcRequest(url, method, params, widget) {
 }
 export default async function jsonrpcProxyHandler(req, res) {
- const { group, service, endpoint: method, query } = req.query;
- const params = query ? JSON.parse(query) : null;
+ const { group, service, endpoint: method } = req.query;
 if (group && service) {
 const widget = await getServiceWidget(group, service);
 const api = widgets?.[widget.type]?.api;
+ const [, mapping] = Object.entries(widgets?.[widget.type]?.mappings).find(([, value]) => value.endpoint === method);
+ const params = mapping?.params ?? null;
+
 if (!api) {
 return res.status(403).json({ error: "Service does not support API calls" });
 }
@@ -79,8 +81,7 @@ export default async function jsonrpcProxyHandler(req, res) {
 if (widget) {
 const url = formatApiCall(api, { ...widget });
- // eslint-disable-next-line no-unused-vars
- const [status, contentType, data] = await sendJsonRpcRequest(url, method, params, widget);
+ const [status, , data] = await sendJsonRpcRequest(url, method, params, widget);
 return res.status(status).end(data);
 }
 }
diff --git a/src/widgets/zabbix/component.jsx b/src/widgets/zabbix/component.jsx
index aab46f5fd..620edb618 100644
--- a/src/widgets/zabbix/component.jsx
+++ b/src/widgets/zabbix/component.jsx
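Review bot: The new lookup `const [, mapping] = Object.entries(widgets?.[widget.type]?.mappings).find(...)` turns an unknown `endpoint` into an unhandled TypeError rather than a rejected request: when no mapping matches, `find` returns `undefined` and destructuring it fails with "not iterable", and `Object.entries(undefined)` fails the same way for a widget type that has no `mappings`. The commit's intent is to stop the caller from choosing methods and params, so that rejection should be an explicit 403 like the `!api` case just below it, with the lookup tolerating a missing `mappings` table; `Object.values` also reads better since the key is discarded. The body of jsonrpcProxyHandler continues past this hunk, and the later `if (widget)` guard sits after `widget.type` is already dereferenced, but that ordering predates this change.
```javascript
    const api = widgets?.[widget.type]?.api;
    // Only a method declared in the widget's mappings may be proxied, and only with its own params.
    const mapping = Object.values(widgets?.[widget.type]?.mappings ?? {}).find((value) => value.endpoint === method);
    if (!mapping) {
      return res.status(403).json({ error: "Service does not support this method" });
    }
    const params = mapping.params ?? null;
    // … unchanged: !api guard and the rest of jsonrpcProxyHandler …
```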
@@ -9,21 +9,11 @@ const PriorityAverage = "3";
 const PriorityHigh = "4";
 const PriorityDisaster = "5";
-const triggerParams = {
- output: ["triggerid", "description", "priority"],
- filter: {
- value: 1,
- },
- sortfield: "priority",
- sortorder: "DESC",
- monitored: "true",
-};
-
 export default function Component({ service }) {
 const { t } = useTranslation();
 const { widget } = service;
- const { data: zabbixData, error: zabbixError } = useWidgetAPI(widget, "trigger", triggerParams);
+ const { data: zabbixData, error: zabbixError } = useWidgetAPI(widget, "trigger");
 if (zabbixError) {
 return ;
diff --git a/src/widgets/zabbix/widget.js b/src/widgets/zabbix/widget.js
index 76641f243..537253595 100644
--- a/src/widgets/zabbix/widget.js
+++ b/src/widgets/zabbix/widget.js
@@ -5,7 +5,18 @@ const widget = {
 proxyHandler: jsonrpcProxyHandler,
 mappings: {
- trigger: { endpoint: "trigger.get" },
+ trigger: {
+ endpoint: "trigger.get",
+ params: {
+ output: ["triggerid", "description", "priority"],
+ filter: {
+ value: 1,
+ },
+ sortfield: "priority",
+ sortorder: "DESC",
+ monitored: "true",
+ },
+ },
 },
 };
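Review bot: The new `params` object under `mappings.trigger` in widget.js is now the sole source of the JSON-RPC arguments the proxy sends — the jsonrpc.js hunk in this same patch drops the client-supplied `query` and reads `mapping.params` instead — but nothing in widget.js records that contract. A maintainer copying this widget could reasonably assume a third `useWidgetAPI` argument from the component would still be merged in, which the component.jsx hunk shows is no longer the case. Add a one-line comment above `params:` such as `// Sent verbatim by jsonrpcProxyHandler; any client-supplied query params are ignored.` so the allowlist role of this block is explicit.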