new plugin for Waystream Network devices #5956
rmorandell-pgum wants to merge 11 commits into centreon:develop from
Conversation
| my $instance = $1; | ||
| my $result = $options{snmp}->map_instance(mapping => $mapping, results => $snmp_result, instance => $instance); | ||
| if (defined($self->{option_results}->{filter_connector}) && $self->{option_results}->{filter_connector} ne '' && |
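Review bot: the --filter-connector value is interpolated into the match that this condition continues with, so an invalid pattern (an unbalanced `(` or a stray `*`) dies at match time with a bare Perl error rather than a usage error. Compile the option once, e.g. `my $re = eval { qr/$self->{option_results}->{filter_connector}/ };`, and report `$@` as an invalid-option message when it is undef; if the option is meant as a literal string rather than a pattern, wrap it in `\Q...\E` instead. The same applies to --filter-port, --filter-serial and --filter-interface further down.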
Using --filter-connector value directly in a regex ($self->{option_results}->{filter_connector}) allows regex injection / ReDoS. Escape (quotemeta) or validate the filter before using in /.../.
✨ AI Reasoning
The code uses an option value directly inside a regular expression match to filter connector types. If the option value is attacker-controlled or crafted (e.g., via CLI or API), it can change the regex semantics, cause catastrophic backtracking (ReDoS), or match unintended values. Properly escaping (quotemeta) or validating allowed values should be used before embedding into a regex.
🔧 How do I fix it?
Use parameterized queries with placeholders, array-based command execution (no shell interpretation), or properly escaped arguments using vetted libraries. Avoid dynamic queries/commands built with user input concatenation.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
| my $results = {}; | ||
| foreach (keys %$sfp_ports) { | ||
| if (defined($self->{option_results}->{filter_port}) && $self->{option_results}->{filter_port} ne '' && |
Using --filter-port value directly in a regex ($_ !~ /$self->{option_results}->{filter_port}/) allows regex injection / ReDoS. Escape (quotemeta) or validate the filter before use.
✨ AI Reasoning
The code filters port indices by embedding the user-provided --filter-port into a regular expression. An attacker-supplied pattern could alter matching semantics or cause catastrophic backtracking. The filter value should be escaped or validated against an allowed pattern before using in a regex.
🔧 How do I fix it?
Use parameterized queries with placeholders, array-based command execution (no shell interpretation), or properly escaped arguments using vetted libraries. Avoid dynamic queries/commands built with user input concatenation.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
| next; | ||
| } | ||
| if (defined($self->{option_results}->{filter_serial}) && $self->{option_results}->{filter_serial} ne '' && |
Using --filter-serial value directly in a regex ($sfp_ports->{$_}->[0] !~ /$self->{option_results}->{filter_serial}/) allows regex injection / ReDoS. Escape (quotemeta) or validate the filter before use.
✨ AI Reasoning
The code filters SFP serials by embedding the user-provided --filter-serial into a regular expression. An attacker-supplied pattern could alter matching semantics or cause catastrophic backtracking. The filter value should be escaped or validated against an allowed pattern before using in a regex.
🔧 How do I fix it?
Use parameterized queries with placeholders, array-based command execution (no shell interpretation), or properly escaped arguments using vetted libraries. Avoid dynamic queries/commands built with user input concatenation.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
| } | ||
| if (defined($self->{option_results}->{add_interface_name}) && | ||
| defined($self->{option_results}->{filter_interface}) && $self->{option_results}->{filter_interface} ne '' && |
User-provided 'filter_interface' is interpolated directly into a regex (/$self->{option_results}->{filter_interface}/). Escape or validate this pattern before use.
✨ AI Reasoning
The code performs a regex match using a user-provided 'filter_interface' value when --add-interface-name is set. The direct interpolation into /.../ without escaping allows crafted input to control the regex and could cause ReDoS or incorrect filtering.
🔧 How do I fix it?
Use parameterized queries with placeholders, array-based command execution (no shell interpretation), or properly escaped arguments using vetted libraries. Avoid dynamic queries/commands built with user input concatenation.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
| use warnings; | ||
| use centreon::plugins::templates::catalog_functions qw(catalog_status_threshold_ng); | ||
| use centreon::plugins::statefile; | ||
| use Safe; |
Introduces runtime code evaluation via Safe->reval using user-provided regex; avoid executing dynamic code from inputs or validate/sanitize thoroughly.
✨ AI Reasoning
The changes introduce dynamic code execution via the Safe module. A package-level shared variable (
🔧 How do I fix it?
Ensure code is transparent and not intentionally obfuscated. Avoid hiding functionality from code review. Focus on intent and deception, not specific patterns.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
| $self->{statefile_cache} = centreon::plugins::statefile->new(%options); | ||
| $self->{safe} = Safe->new(); | ||
| $self->{safe}->share('$assign_var'); |
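Review bot: `share('$assign_var')` is called here in the constructor, but the only declaration of the variable is the `our $assign_var = $options{value};` inside get_display_value further down. Safe::share resolves the caller's package variable by name, so this works, but a file-scope `our $assign_var;` next to `use Safe;` would make the shared global visible where it is shared and avoid a reader mistaking it for a lexical of get_display_value.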
Shares global variable ('$assign_var') into Safe compartment used for reval; exposing globals to evaluated code increases risk of misuse.
✨ AI Reasoning
The changes call $self->{safe}->share('$assign_var'), exposing a global into the Safe compartment. Sharing globals into an evaluated context broadens what the evaluated code can access and was added here, contributing to potential covert behavior or vulnerabilities.
🔧 How do I fix it?
Ensure code is transparent and not intentionally obfuscated. Avoid hiding functionality from code review. Focus on intent and deception, not specific patterns.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
| sub get_display_value { | ||
| my ($self, %options) = @_; | ||
| our $assign_var = $options{value}; |
Assigning external input to shared global ($assign_var) used in Safe->reval enables execution of user-controlled data; avoid sharing raw input into eval contexts.
✨ AI Reasoning
The diff adds a package/global variable assignment (our $assign_var = $options{value}) which is then used inside the Safe->reval context. This pattern couples external input to dynamic evaluation, increasing the attack surface even though Safe is used. The new assignment was introduced here and directly contributes to the runtime execution flow.
🔧 How do I fix it?
Ensure code is transparent and not intentionally obfuscated. Avoid hiding functionality from code review. Focus on intent and deception, not specific patterns.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
| if (defined($self->{option_results}->{display_transform_src})) { | ||
| $self->{option_results}->{display_transform_dst} = '' if (!defined($self->{option_results}->{display_transform_dst})); | ||
| $self->{safe}->reval("\$assign_var =~ s{$self->{option_results}->{display_transform_src}}{$self->{option_results}->{display_transform_dst}}", |
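Review bot: the `s{...}{...}` code string is built by plain interpolation of --display-transform-src and --display-transform-dst, so a `}` in either option closes the pattern or replacement early and whatever follows is compiled as Perl inside the compartment; Safe narrows the opcodes available, but an option value still becomes code. Check `$@` after the reval call so a malformed pattern yields an invalid-option message instead of silently leaving the value untransformed, and guard against `$options{value}` being undef before the substitution, since `use warnings` is on. If reval is only there so that `$1`-style backreferences work in the dst option, compiling the src pattern with `eval { qr/.../ }` and expanding the backreferences by hand removes the string-eval entirely.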
User-provided display_transform_src/display_transform_dst are interpolated into a Safe->reval call ("$assign_var =~ s{...}{...}"). Avoid evaluating user input as code; use a precompiled regex (qr//) and apply it safely or validate/escape inputs before use.
✨ AI Reasoning
The code builds and evaluates Perl code at runtime using user-controlled values. It assigns the display value to a package variable and then calls Safe->reval with a string that interpolates option values into a Perl substitution expression. Untrusted input in display_transform_src or display_transform_dst can alter the evaluated code or produce unintended behavior. Evaluating user-provided patterns as code is risky and can lead to code injection or crashes.
🔧 How do I fix it?
Use parameterized queries with placeholders, array-based command execution (no shell interpretation), or properly escaped arguments using vetted libraries. Avoid dynamic queries/commands built with user input concatenation.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
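The following is an added example, not the plugin's code nor part of this PR, showing in Perl the two fixes the review comments above ask for: compiling a --filter-* option with a clear error on an invalid pattern (and an optional literal mode via quotemeta), and applying a --display-transform-src/--display-transform-dst pair without Safe->reval by compiling the pattern once and expanding $1..$9 in the replacement by hand. The helper names compile_filter and apply_transform, the option names passed to them and the sample values are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Compile a user-supplied --filter-* value into a regex object. An invalid
# pattern becomes an option error instead of a Perl die at match time.
# literal => 1 treats the value as a plain string (quotemeta) rather than a pattern.
# (Helper name and interface are assumptions of this example.)
sub compile_filter {
    my (%opt) = @_;
    return undef if !defined($opt{value}) || $opt{value} eq '';
    my $pattern = $opt{literal} ? quotemeta($opt{value}) : $opt{value};
    my $re = eval { qr/$pattern/ };
    if (!defined($re)) {
        (my $err = $@) =~ s{ at \S+ line \d+\.?\n?\z}{};
        die sprintf("option --%s: invalid pattern '%s': %s\n", $opt{name}, $opt{value}, $err);
    }
    return $re;
}

# Apply src => dst to a value without string-eval. The pattern is compiled by
# compile_filter; $0..$9 in dst are expanded from the capture offsets (@- / @+)
# of the outer match, copied before the inner substitution can clobber them.
sub apply_transform {
    my (%opt) = @_;
    my $value = $opt{value};
    return $value if !defined($value) || !defined($opt{src});
    my $re  = compile_filter(name => 'display-transform-src', value => $opt{src});
    my $dst = defined($opt{dst}) ? $opt{dst} : '';
    my $orig = $value;    # offsets refer to the string as it was before the substitution
    $value =~ s{$re}{
        my @s = @-;
        my @e = @+;
        (my $out = $dst) =~ s{\$(\d)}{
            defined($s[$1]) ? substr($orig, $s[$1], $e[$1] - $s[$1]) : ''
        }ge;
        $out;
    }e;
    return $value;
}

# Constructed sample values for demonstration, not taken from the PR.
my $port_re = compile_filter(name => 'filter-port', value => '^1/[0-9]+$');
print "port 1/1 accepted by --filter-port\n" if '1/1' =~ $port_re;

# Literal mode: the '(' is escaped instead of opening a capture group.
my $serial_re = compile_filter(name => 'filter-serial', value => 'ABC(1', literal => 1);
print "serial ABC(1XYZ accepted by --filter-serial taken literally\n" if 'ABC(1XYZ' =~ $serial_re;

print apply_transform(
    value => 'GigabitEthernet1/0/3',
    src   => '^Gigabit(Ethernet)(.*)$',
    dst   => 'Gi$2',
), "\n";

# A malformed pattern is reported as an option error rather than a bare Perl die.
eval { compile_filter(name => 'filter-port', value => '1/(') };
print "error: $@" if $@;
```

The pattern is compiled outside any eval of user text, so the only thing the option can influence is what the regex matches; a `}` in either option has no special meaning here. Expanding the backreferences through substr on the saved offsets rather than through `$1` inside the replacement block matters because the inner `s///g` resets the capture variables.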
Community contributors
Description
Modes Available:
Type of change
How can this pull request be tested?
snmpwalk for MS4000 and MS7000
snmpwalks.zip
MIB file
waystream-enterprise.zip
Checklist