
Commit 2ad33f0

refactor: remove SQL rule gating from PR #315
1 parent 260bccd commit 2ad33f0

4 files changed

Lines changed: 0 additions & 65 deletions


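--- a/functions.php
+++ b/functions.php
@@ -699,12 +699,6 @@ function syslog_remove_items($table, $max_seq) {
 $params[] = '%' . $remove['message'];
 }
 } elseif ($remove['type'] == 'sql') {
-if (read_config_option('syslog_allow_sql_rules') != 'on') {
-cacti_log("SYSLOG: Skipping SQL removal rule '" . $remove['name'] . "'; set 'Allow SQL-type rules' in Syslog settings to enable", false, 'SYSLOG');
-
-continue;
-}
-
 if ($table == 'syslog_incoming') {
 $sql_where = 'WHERE (' . $remove['message'] . ')
 AND `status` = 1
@@ -1181,19 +1175,6 @@ function syslog_manage_items($from_table, $to_table) {
 WHERE message LIKE " . db_qstr('%' . $remove['message']);
 }
 } elseif ($remove['type'] == 'sql') {
-/*
-* Raw SQL rules are admin-defined expressions interpolated
-* into the WHERE clause. They are dangerous by design and
-* gated behind an explicit opt-in. The previous syntax
-* ("WHERE message (expr)") was also invalid MySQL and could
-* never have executed successfully.
-*/
-if (read_config_option('syslog_allow_sql_rules') != 'on') {
-cacti_log("SYSLOG: Skipping SQL removal rule '" . $remove['name'] . "'; set 'Allow SQL-type rules' in Syslog settings to enable", false, 'SYSLOG');
-
-continue;
-}
-
 if ($remove['method'] != 'del') {
 $sql_sel = "SELECT seq FROM `$syslogdb_default`.`$from_table`
 WHERE (" . $remove['message'] . ')';
@@ -1909,18 +1890,6 @@ function syslog_get_alert_sql(&$alert, $max_seq) {
 $params[] = $alert['message'];
 $params[] = $max_seq;
 } elseif ($alert['type'] == 'sql') {
-/*
-* Raw SQL alert expressions are admin-defined fragments inlined
-* into the WHERE clause. They cannot be parameterised and are
-* gated behind an explicit opt-in. When disabled, the alert is
-* skipped rather than silently matching everything.
-*/
-if (read_config_option('syslog_allow_sql_rules') != 'on') {
-cacti_log("SYSLOG: Skipping SQL alert '" . $alert['name'] . "'; set 'Allow SQL-type rules' in Syslog settings to enable", false, 'SYSLOG');
-
-return [];
-}
-
 $sql = "SELECT *
 FROM `$syslogdb_default`.`syslog_incoming`
 WHERE ({$alert['message']})
@@ -2527,18 +2496,6 @@ function syslog_get_report_sql(&$report) {
 }
 
 if ($report['type'] == 'sql') {
-/*
-* Raw SQL report expressions are admin-defined fragments inlined
-* into the WHERE clause. They cannot be parameterised and are
-* gated behind an explicit opt-in. When disabled, the report is
-* skipped rather than silently returning every row.
-*/
-if (read_config_option('syslog_allow_sql_rules') != 'on') {
-cacti_log("SYSLOG: Skipping SQL report '" . $report['name'] . "'; set 'Allow SQL-type rules' in Syslog settings to enable", false, 'SYSLOG');
-
-return '';
-}
-
 $sql = "SELECT *
 FROM `$syslogdb_default`.`syslog`
 WHERE (" . $report['message'] . ')';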
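Review bot: With the opt-in check removed, the remaining new-side lines `WHERE ({$alert['message']})` in syslog_get_alert_sql, `WHERE (" . $report['message'] . ')'` in syslog_get_report_sql and the two `$remove['message']` fragments in syslog_remove_items and syslog_manage_items now inline the rule's message text into the query unconditionally, and nothing on the new side replaces the deleted control. The deleted setting text itself stated that these fragments cannot be parameterised, so after this commit the only remaining control is who is permitted to edit rules; the same applies to the save-time checks removed from syslog_alerts.php and syslog_reports.php. If dropping the gate is the intended design, a short comment at each interpolation, such as `/* 'message' is an admin-authored SQL fragment inlined verbatim; rule editing must stay limited to trusted users */`, would record that trust assumption where the next maintainer will see it. All four enclosing functions start and end outside their hunks.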

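--- a/setup.php
+++ b/setup.php
@@ -1263,16 +1263,6 @@ function syslog_config_settings() {
 'method' => 'checkbox',
 'default' => ''
 ],
-'syslog_security_header' => [
-'friendly_name' => __('Security Settings', 'syslog'),
-'method' => 'spacer',
-],
-'syslog_allow_sql_rules' => [
-'friendly_name' => __('Allow SQL-type Rules', 'syslog'),
-'description' => __('When enabled, Alert, Removal, and Report rules of type SQL will execute their raw SQL fragments as WHERE clauses. These rules are inlined into queries and cannot be parameterised, so a rule author can run arbitrary SQL against the Syslog database. Leave this disabled unless you understand the impact and trust every user who can edit rules.', 'syslog'),
-'method' => 'checkbox',
-'default' => ''
-],
 ];
 
 if (isset($settings['syslog'])) {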

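--- a/syslog_alerts.php
+++ b/syslog_alerts.php
@@ -290,12 +290,6 @@ function api_syslog_alert_save($id, $name, $method, $level, $num, $type, $messag
 $id = 0;
 
 if (!is_error_message()) {
-if ($save['type'] == 'sql' && read_config_option('syslog_allow_sql_rules') != 'on') {
-raise_message('sql_disabled', __('SQL-type rules are disabled. Enable "Allow SQL-type Rules" under Console > Configuration > Settings > Syslog > Security Settings before saving this rule.', 'syslog'), MESSAGE_LEVEL_ERROR);
-
-return false;
-}
-
 $sql = syslog_get_alert_sql($save, 100);
 
 if (cacti_sizeof($sql)) {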

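--- a/syslog_reports.php
+++ b/syslog_reports.php
@@ -281,12 +281,6 @@ function api_syslog_report_save($id, $name, $type, $message, $timespan, $timepar
 $id = 0;
 
 if (!is_error_message()) {
-if ($save['type'] == 'sql' && read_config_option('syslog_allow_sql_rules') != 'on') {
-raise_message('sql_disabled', __('SQL-type rules are disabled. Enable "Allow SQL-type Rules" under Console > Configuration > Settings > Syslog > Security Settings before saving this rule.', 'syslog'), MESSAGE_LEVEL_ERROR);
-
-return false;
-}
-
 $sql = syslog_get_alert_sql($save, 100);
 
 if (cacti_sizeof($sql)) {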
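Review bot: The validation line that survives in api_syslog_report_save, `$sql = syslog_get_alert_sql($save, 100);`, calls the alert helper rather than syslog_get_report_sql, so the check a report rule receives before being saved appears to be the alert query against `syslog_incoming` instead of the report query against `syslog` shown in the functions.php hunk. This is a pre-existing context line, not something the commit changes, and the two helpers may be interchangeable for validation purposes, so please confirm rather than take this as a definite defect. If the alert helper is intentional here, a one-line comment such as `// validate via the alert helper; the report SQL form is not exercised here` would stop the next reader from assuming a copy-paste slip. api_syslog_report_save starts and ends outside the hunk.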
