Commit graph

6900 commits

Author SHA1 Message Date
Johannes Schmidt
a9783fdde4 Replace explicit rethrow(current) pattern with just throw; 2026-07-02 13:59:48 +02:00
Johannes Schmidt
aa6c63b52e Fix unreachable fallback in DiagnosticInformation(<eptr>)
This was likely meant as a fallback for non-`std::exception`
exception pointers, but it would never have been reached, because
`(std|boost)::rethrow_exception()` would have thrown those out of
the function scope.

This fixes the fallback by making it a catch handler and also using
the more direct way of getting this fallback diagnostic info inside
a catch handler.
2026-07-02 13:59:48 +02:00
Alexander Aleksandrovič Klimov
8a366bc140
Merge pull request #10841 from Icinga/binarytohex-length
Some checks are pending
Container Image / Container Image (push) Waiting to run
Linux / alpine:bash (push) Waiting to run
Linux / amazonlinux:2 (push) Waiting to run
Linux / amazonlinux:2023 (push) Waiting to run
Linux / debian:11 (linux/386) (push) Waiting to run
Linux / debian:11 (push) Waiting to run
Linux / debian:12 (linux/386) (push) Waiting to run
Linux / debian:12 (push) Waiting to run
Linux / debian:13 (push) Waiting to run
Linux / fedora:41 (push) Waiting to run
Linux / fedora:42 (push) Waiting to run
Linux / fedora:43 (push) Waiting to run
Linux / fedora:44 (push) Waiting to run
Linux / opensuse/leap:15.6 (push) Waiting to run
Linux / opensuse/leap:16.0 (push) Waiting to run
Linux / registry.suse.com/bci/bci-base:16.0 (push) Waiting to run
Linux / registry.suse.com/suse/sle15:15.6 (push) Waiting to run
Linux / registry.suse.com/suse/sle15:15.7 (push) Waiting to run
Linux / rockylinux/rockylinux:10 (push) Waiting to run
Linux / rockylinux:8 (push) Waiting to run
Linux / rockylinux:9 (push) Waiting to run
Linux / ubuntu:22.04 (push) Waiting to run
Linux / ubuntu:24.04 (push) Waiting to run
Linux / ubuntu:25.04 (push) Waiting to run
Linux / ubuntu:25.10 (push) Waiting to run
Linux / ubuntu:26.04 (push) Waiting to run
Windows / Windows (push) Waiting to run
Minor fixes and tests for BinaryToHex()
2026-07-01 10:35:11 +02:00
Alexander Aleksandrovič Klimov
be9397609a
Merge pull request #10297 from Icinga/intrusive_ptr_refcnt
intrusive_ptr_*(): specify memory_order explicitly
2026-07-01 10:19:14 +02:00
Dominik Bay
d29ac491f2
Restore single-argument Json.decode() in the DSL
The recursion depth limit added to JsonDecode() in 2.16.2 gave the C++
function a second parameter with a default value. Function pointers do not
carry default arguments, so the DSL function binding deduced an arity of 2
via boost::function_types::function_arity and required two arguments. As a
result `Json.decode("...")` failed with "Too few arguments for function",
an undocumented breaking change in a patch release.

Wrap JsonDecode() in a single-argument shim (mirroring the existing
JsonEncodeShim) so the registered function keeps its one-parameter contract
while still applying the default depth limit internally.

refs #10913
2026-06-30 10:42:40 +02:00
Julian Brost
53aff59cd3
Merge pull request #10910 from Icinga/configwriter-import-validation
ConfigWriter::EmitScope: Escape import
2026-06-29 20:35:37 +02:00
Julian Brost
165378adae
Merge pull request #10909 from Icinga/filter-expression-permission
Add filter-expression permission
2026-06-29 20:33:12 +02:00
Julian Brost
fb42312e6c
Merge pull request #10908 from Icinga/json-parsing-recursion-limit
[GHSA-wh38-wg57-5w7g] Fix stack overflow due to deeply nested data structures
2026-06-29 20:15:53 +02:00
Julian Brost
2c14db1c26
Merge pull request #10907 from Icinga/fix-ca-replacement-vuln
[GHSA-vj39-ww8j-vvx5] Checking if certificate update request comes from a valid endpoint
2026-06-29 20:13:49 +02:00
Alexander Aleksandrovič Klimov
ecb8ef8d7b
Merge pull request #10866 from Icinga/Al2Klimov-patch-3
Some checks are pending
Container Image / Container Image (push) Waiting to run
Linux / alpine:bash (push) Waiting to run
Linux / amazonlinux:2 (push) Waiting to run
Linux / amazonlinux:2023 (push) Waiting to run
Linux / debian:11 (linux/386) (push) Waiting to run
Linux / debian:11 (push) Waiting to run
Linux / debian:12 (linux/386) (push) Waiting to run
Linux / debian:12 (push) Waiting to run
Linux / debian:13 (push) Waiting to run
Linux / fedora:41 (push) Waiting to run
Linux / fedora:42 (push) Waiting to run
Linux / fedora:43 (push) Waiting to run
Linux / fedora:44 (push) Waiting to run
Linux / opensuse/leap:15.6 (push) Waiting to run
Linux / opensuse/leap:16.0 (push) Waiting to run
Linux / registry.suse.com/bci/bci-base:16.0 (push) Waiting to run
Linux / registry.suse.com/suse/sle15:15.6 (push) Waiting to run
Linux / registry.suse.com/suse/sle15:15.7 (push) Waiting to run
Linux / rockylinux/rockylinux:10 (push) Waiting to run
Linux / rockylinux:8 (push) Waiting to run
Linux / rockylinux:9 (push) Waiting to run
Linux / ubuntu:22.04 (push) Waiting to run
Linux / ubuntu:24.04 (push) Waiting to run
Linux / ubuntu:25.04 (push) Waiting to run
Linux / ubuntu:25.10 (push) Waiting to run
Linux / ubuntu:26.04 (push) Waiting to run
Windows / Windows (push) Waiting to run
ifw-api: omit password from curl command in check result
2026-06-29 12:20:25 +02:00
Alexander A. Klimov
590ad7a740 intrusive_ptr_*(): specify memory_order explicitly
More relaxed memory_order = less safety guarantees = faster execution.

This is safe because std::shared_ptr does the same. See also:
https://en.cppreference.com/w/cpp/atomic/memory_order
"Typical use for relaxed memory ordering is incrementing counters, such as the reference counters of std::shared_ptr, since this only requires atomicity, but not ordering or synchronization (note that decrementing the std::shared_ptr counters requires acquire-release synchronization with the destructor)."
2026-06-26 14:45:42 +02:00
Julian Brost
28711824cc Use protected stack for new-style Boost.Asio coroutines
In the `boost::asio::spawn()` call for newer Boost versions with
`std::allocator_arg`, switch from `fixedsize_stack` to
`protected_fixedsize_stack` in order to allocate the stacks with guard pages.
This is done as an additional safeguard in case there was still some way to
overflow, this at least reliably crashes the process instead of going into
undefined behavior, which could even result in code execution.

Unfortunately, the old-style `spawn()` function with
`boost::coroutines::attributes` does not - at least to my knowledge - provide a
way to request a stack allocated with guard pages, hence this is only enabled
for Boost 1.87 and later with this commit.
2026-06-23 15:38:19 +02:00
Julian Brost
4b7ef02bd2 Prevent HTTP requests from creating deeply nested data structures
Add validation checks to code paths reachable from the HTTP API (except full
config file deployments via /v1/config) that prevent creating deeply nested
data structures that could later cause a stack overflow.
2026-06-23 15:38:19 +02:00
Julian Brost
e7d656cf37 Don't shut down JSON-RPC connection if a message fails to parse
With the limit from the previous commit, if a JSON-RPC now message fails to
parse due to being nested to deep, it would have torn down the whole
connection. It is still possible to trigger that scenario from DSL config (for
example by returning nested structures from a lambda that is used in a check
with command_endpoint). In order to fail more gracefully, only discard the
single message and don't kill the whole connection.
2026-06-23 15:38:19 +02:00
Julian Brost
14d6ee9cdf JsonDecode: include path in JSON depth error
If parsing JSON is rejected due to the depth limit introduced in the last
commit, also include the path (like root["object"]["children"]...) that exceeds
the allowed nesting depth.
2026-06-23 15:38:19 +02:00
Julian Brost
4964d2444c JsonDecode: add depth limit
Data structures parsed from JSON may be accessed recursively, so deeply nested
structures may wreak havoc by overflowing the stack. Thus, enforce a general
nesting depth limit of 24 by default (which should be more than enough for
reasonable use), with the ability to pass a different limit to JsonDecode() if
needed.
2026-06-23 15:38:19 +02:00
Julian Brost
324d5bb815 Add filter-expression permission
This allows preventing ApiUsers from evaluating their own DSL expressions for
improved security.
2026-06-23 10:55:45 +02:00
Johannes Schmidt
b35ecb6796
Merge pull request #10857 from Icinga/freeze-perfdata-arrays
Some checks failed
Container Image / Container Image (push) Has been cancelled
Linux / alpine:bash (push) Has been cancelled
Linux / amazonlinux:2 (push) Has been cancelled
Linux / amazonlinux:2023 (push) Has been cancelled
Linux / debian:11 (linux/386) (push) Has been cancelled
Linux / debian:11 (push) Has been cancelled
Linux / debian:12 (linux/386) (push) Has been cancelled
Linux / debian:12 (push) Has been cancelled
Linux / debian:13 (push) Has been cancelled
Linux / fedora:41 (push) Has been cancelled
Linux / fedora:42 (push) Has been cancelled
Linux / fedora:43 (push) Has been cancelled
Linux / fedora:44 (push) Has been cancelled
Linux / opensuse/leap:15.6 (push) Has been cancelled
Linux / opensuse/leap:16.0 (push) Has been cancelled
Linux / registry.suse.com/bci/bci-base:16.0 (push) Has been cancelled
Linux / registry.suse.com/suse/sle15:15.6 (push) Has been cancelled
Linux / registry.suse.com/suse/sle15:15.7 (push) Has been cancelled
Linux / rockylinux/rockylinux:10 (push) Has been cancelled
Linux / rockylinux:8 (push) Has been cancelled
Linux / rockylinux:9 (push) Has been cancelled
Linux / ubuntu:22.04 (push) Has been cancelled
Linux / ubuntu:24.04 (push) Has been cancelled
Linux / ubuntu:25.04 (push) Has been cancelled
Linux / ubuntu:25.10 (push) Has been cancelled
Linux / ubuntu:26.04 (push) Has been cancelled
Windows / Windows (push) Has been cancelled
Freeze perfdata arrays and remove locks in code using them
2026-06-17 19:06:36 +02:00
Johannes Schmidt
9b93c08d27 Fix potential nullptr-dereference in perfdata writer stats functions 2026-06-17 15:16:37 +02:00
Johannes Schmidt
503e23e723 Freeze perfdata arrays and remove locks in code using them
Since perfdata is set once when a check result is created and
never changed again, locking this is unnecessary. This avoids
components unnecessarily waiting on each other when processing
perfdata.

This fixes the locking cascade observed sometimes when the perfdata
writer work queue blocks, where it extends to a lock on the entire
check result eventually, affecting even more components.
2026-06-17 15:15:46 +02:00
Julian Brost
91eeb41ff1
Merge pull request #10864 from Icinga/fix-http-message-sendfile-failbit-handling
Some checks failed
Container Image / Container Image (push) Has been cancelled
Linux / alpine:bash (push) Has been cancelled
Linux / amazonlinux:2 (push) Has been cancelled
Linux / amazonlinux:2023 (push) Has been cancelled
Linux / debian:11 (linux/386) (push) Has been cancelled
Linux / debian:11 (push) Has been cancelled
Linux / debian:12 (linux/386) (push) Has been cancelled
Linux / debian:12 (push) Has been cancelled
Linux / debian:13 (push) Has been cancelled
Linux / fedora:41 (push) Has been cancelled
Linux / fedora:42 (push) Has been cancelled
Linux / fedora:43 (push) Has been cancelled
Linux / fedora:44 (push) Has been cancelled
Linux / opensuse/leap:15.6 (push) Has been cancelled
Linux / opensuse/leap:16.0 (push) Has been cancelled
Linux / registry.suse.com/bci/bci-base:16.0 (push) Has been cancelled
Linux / registry.suse.com/suse/sle15:15.6 (push) Has been cancelled
Linux / registry.suse.com/suse/sle15:15.7 (push) Has been cancelled
Linux / rockylinux/rockylinux:10 (push) Has been cancelled
Linux / rockylinux:8 (push) Has been cancelled
Linux / rockylinux:9 (push) Has been cancelled
Linux / ubuntu:22.04 (push) Has been cancelled
Linux / ubuntu:24.04 (push) Has been cancelled
Linux / ubuntu:25.04 (push) Has been cancelled
Linux / ubuntu:25.10 (push) Has been cancelled
Linux / ubuntu:26.04 (push) Has been cancelled
Windows / Windows (push) Has been cancelled
Fix handling the `std::ifstream::failbit` in `OutgoingHttpMessage`
2026-06-10 17:17:46 +02:00
Johannes Schmidt
fe469a5455 Guard against assert() failures in SendJsonError()
Co-authored-by: Julian Brost <julian.brost@icinga.com>
2026-06-03 12:36:24 +02:00
Julian Brost
5d563cb8ca
Merge pull request #10785 from Icinga/url-validate-password
Some checks failed
Container Image / Container Image (push) Has been cancelled
Linux / alpine:bash (push) Has been cancelled
Linux / amazonlinux:2 (push) Has been cancelled
Linux / amazonlinux:2023 (push) Has been cancelled
Linux / debian:11 (linux/386) (push) Has been cancelled
Linux / debian:11 (push) Has been cancelled
Linux / debian:12 (linux/386) (push) Has been cancelled
Linux / debian:12 (push) Has been cancelled
Linux / debian:13 (push) Has been cancelled
Linux / fedora:41 (push) Has been cancelled
Linux / fedora:42 (push) Has been cancelled
Linux / fedora:43 (push) Has been cancelled
Linux / fedora:44 (push) Has been cancelled
Linux / opensuse/leap:15.6 (push) Has been cancelled
Linux / opensuse/leap:16.0 (push) Has been cancelled
Linux / registry.suse.com/bci/bci-base:16.0 (push) Has been cancelled
Linux / registry.suse.com/suse/sle15:15.6 (push) Has been cancelled
Linux / registry.suse.com/suse/sle15:15.7 (push) Has been cancelled
Linux / rockylinux/rockylinux:10 (push) Has been cancelled
Linux / rockylinux:8 (push) Has been cancelled
Linux / rockylinux:9 (push) Has been cancelled
Linux / ubuntu:22.04 (push) Has been cancelled
Linux / ubuntu:24.04 (push) Has been cancelled
Linux / ubuntu:25.04 (push) Has been cancelled
Linux / ubuntu:25.10 (push) Has been cancelled
Linux / ubuntu:26.04 (push) Has been cancelled
Windows / Windows (push) Has been cancelled
Url::ParseUserinfo: Actually verify Password
2026-06-02 10:51:18 +02:00
Johannes Schmidt
6a3979fd1f Fix handling std::ifstream exceptions in ConfigFilesHandler 2026-06-02 08:54:50 +02:00
Alexander Aleksandrovič Klimov
70f724abde
ifw-api: omit password from curl command in check result
Icinga (DB) Web has a special permission to show the check command line.
Well-written plugins receive passwords via env vars which don't appear even there.
Now ifw-api also hides the password using curl -u USER, not USER:PASS.
The new command is still working, it just prompts for the password.
2026-06-01 10:51:39 +02:00
Johannes Schmidt
281dd133c7 Fix handling the std::ifstream::failbit in OutgoingHttpMessage 2026-05-29 16:05:14 +02:00
Julian Brost
b8e3db8179 BinaryToHex: use size_t for index variable
int is just not the right type to use for an index variable, so change it to
size_t, even if it's unlikely to be called on sufficently large inputs that it
would actually make a difference.
2026-05-07 14:17:05 +02:00
Julian Brost
65e47d3f44 BinaryToHex: use length parameter instead of hard-coded SHA_DIGEST_LENGTH
Forgot to replace one of the two uses of SHA_DIGEST_LENGTH with length in
6cd3a483a0. All users use it for SHA1 so far, so
there was no wrong usage yet.
2026-05-07 14:10:57 +02:00
Julian Brost
4bd2222412
Merge pull request #9719 from Icinga/execvp
ProcessSpawnImpl(): use POSIX execvp(3), not own copy of GNU/OpenBSD-only execvpe(3)
2026-04-23 14:04:31 +02:00
Johannes Schmidt
03d3558621
Merge pull request #10799 from Icinga/fix-pdwc-tls-host-check
Fix host name verification for `PerfdataWriterConnection`
2026-04-22 11:22:27 +02:00
Johannes Schmidt
b170c3dc75 Silence -Wunnecessary-virtual-specifier warning on clang 2026-04-20 12:46:50 +02:00
Yonas Habteab
928235c838
Merge pull request #10800 from Icinga/fix-otel-stats
OTLPMetricsWriter: don't add queue stats as counter
2026-04-20 12:25:55 +02:00
Yonas Habteab
d7ed56baa8
Merge pull request #10798 from Icinga/fix-misleading-tls-timeout-logging
Fix misleading TLS handshake error logging
2026-04-20 09:54:02 +02:00
Yonas Habteab
bc5f01d0fc OTLPMetricsWriter: don't add queue stats as counter 2026-04-20 09:15:53 +02:00
Julian Brost
61c6c7f110
Merge pull request #10619 from Icinga/efficient-config-and-state-update-queue
IcingaDB: better config and state update queueing
2026-04-17 11:19:50 +02:00
Johannes Schmidt
f5be692d33 Correctly create AsioTlsStream with host argument
This was omitted by accident from the original PR, despite
being done in the original perfdata writer connection code.

Without setting this parameter, host name verification will be
disabled, which poses a security risk.
2026-04-17 10:08:20 +02:00
Julian Brost
1b33451665 Fix misleading TLS handshake error logging
The log message on TLS handshake errors always stated that a client handshake
failed, even if if the connection was acting as the server. The commit changes
it so that the actual role is taken into account.
2026-04-16 17:49:48 +02:00
Yonas Habteab
a01870a6aa Fix compiler crash on SLES 15.7 arm64 runner 2026-04-16 14:01:49 +02:00
Yonas Habteab
bfb0e7db12 Inline SendNextUpdate & remove superfluous m_RconWorker checks 2026-04-16 08:53:58 +02:00
Yonas Habteab
e4436cbcf0 IoEngine: introduce & use IsStrandRunningOnThisThread function 2026-04-15 17:51:17 +02:00
Yonas Habteab
99328ec417 Log pending items stats regularly & include them as perfdata in IcingaDB check 2026-04-15 17:33:43 +02:00
Yonas Habteab
25a18a5a7e OTel: downgrade broken_pipe errors to debug log 2026-04-15 17:25:14 +02:00
Yonas Habteab
ecf5632ef8 Timeout: lift VERIFY -> ASSERT to prevent crashes in release builds
`strand.running_in_this_thread()` relies on thread-local storage
internally, and may return false positives if the coroutine is resumed
in a different thread than it was suspended in. In debug builds, this is
not problem, since there's no TLS optimization done by the compiler, but
in release builds, the compiler might cache the address of the
thread-local variable read before the coroutine suspension, and thus
potentially reuse the same address in a different thread after
resumption, which would cause `running_in_this_thread()` to return false
or even crash (but we didn't see any crashes related to this). So,
perform the assertion only in debug builds to prevent potential wrong
usages of the `Timeout` class. For more details, see [^1][^2][^3].

[^1]: https://github.com/chriskohlhoff/asio/issues/1366
[^2]: https://bugs.llvm.org/show_bug.cgi?id=19177
[^3]: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=26461
2026-04-15 17:25:14 +02:00
Johannes Schmidt
6c2e0db381 Check if client is a valid endpoint before updating CA-certificate 2026-04-15 15:58:26 +02:00
Alvar Penning
faf0450962
ConfigWriter::EmitScope: Escape import
Escape all user-supplied template imports when creating an Icinga 2 DSL
configuration object. Without the escape, a `"` within the template name
would allow escaping the created object and create other Icinga 2 DSL
objects, exceeding potential user privileges.

The same bug was present in ConfigWriter::EmitComment, but as this
method is dead code, it could just be removed.
2026-04-10 16:35:37 +02:00
Alvar Penning
e1d8cf487d
Url::ParseUserinfo: Actually verify Password
In Url::ParseUserinfo, after extracting the password, ValidateToken is
incorrectly called upon m_Username instead of m_Password. This commit
fixes this and actually verifies the password.

The bug was introduced with the surrounding code in 6571ffc2c8.

Luckily, this does not seem to have any security impact. However, as
being a bug, this commit now fixes the behavior.
2026-04-09 13:28:24 +02:00
Julian Brost
267675e80b RedisConnection: simplify GetOldestPendingQueryTs function 2026-04-02 16:37:57 +02:00
Yonas Habteab
7d7159c033 Reduce min queue item age from 1000ms to 300ms 2026-04-02 16:37:57 +02:00
Yonas Habteab
390ee8c02f Inline DequeueAndProcessOne & don't process items out of order
Now, the individual `ProcessQueueItem` functions decide whether to
acquire an `olock` or not instead of probing this from within the
worker loop. This is way easier than having to deal with the potential
out of order processing of items in the queue in both ways, i.e., we
don't want to send delete events for objects while their created events
haven't been processed yet and vice versa.
2026-04-02 16:37:57 +02:00
Julian Brost
855f6c7c0c IcingaDB: use key extractor for worker queue
This commit restructures the queue items so that each one now has a method
`GetQueueLookupKey()` that is used to derive which elements of the queue are
considered to be equal. For this, there is a key extractor for the
`multi_index_container` that takes the `variant` from the queue item, calls
that method on it, and puts the result in a second variant type. The types in
that variant type are automatically deduced from the return types of the
individual methods.
2026-04-02 16:37:57 +02:00