fix(security): defense-in-depth hardening for plugin_thold#767
Draft
somethingwithproof wants to merge 7 commits intoCacti:developfrom
Draft
fix(security): defense-in-depth hardening for plugin_thold#767somethingwithproof wants to merge 7 commits intoCacti:developfrom
somethingwithproof wants to merge 7 commits intoCacti:developfrom
Conversation
Automated fixes: - XSS: escape request variables in HTML output - SQLi: convert string-concat queries to prepared statements - Deserialization: add allowed_classes=>false - Temp files: replace rand() with tempnam() Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Defense-in-depth security hardening for the Thold plugin, focusing on reducing common web attack surfaces (XSS/object injection) in request handling and data decoding paths.
Changes:
- Tighten deserialization by adding
allowed_classes => falseoncacti_unserialize()usage. - Reduce XSS risk by escaping request vars before placing them into HTML value attributes.
- Harden request-derived IDs used in JavaScript requests/URLs by filtering and casting to integers.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
thold_webapi.php |
Attempts to harden unserialize of selected_graphs_array (currently introduces an argument-mismatch bug). |
thold_process.php |
Uses allowed_classes => false when unserializing stored rrd_reindexed data. |
thold_graph.php |
Escapes page request var before embedding into hidden inputs. |
setup.php |
Filters/casts request IDs before embedding them into JS POST bodies and URLs. |
notify_lists.php |
Filters/casts request ID before embedding it into JS-generated filter URLs. |
| $return_array = false; | ||
|
|
||
| $selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array'))); | ||
| $selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array', array('allowed_classes' => false)))); |
There was a problem hiding this comment.
get_nfilter_request_var() is being called with a second argument (array('allowed_classes' => false)), but this codebase otherwise only calls it with a single parameter. This is likely a runtime error (too many arguments) and also doesn’t apply the allowed_classes restriction to the unserialize operation. Pass the options array to cacti_unserialize() instead (second parameter), and keep get_nfilter_request_var('selected_graphs_array') as-is.
Suggested change
| $selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array', array('allowed_classes' => false)))); | |
| $selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array')), array('allowed_classes' => false)); |
Replace .click(fn) with .on('click', fn), .change(fn) with
.on('change', fn), .submit(fn) with .on('submit', fn), .unbind()
with .off(), and .resize(fn) with .on('resize', fn).
These shorthands were deprecated in jQuery 3.3 and will be removed
in jQuery 4.0. Cacti core ships jQuery 3.x on develop.
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
- Change Dependabot ecosystem from npm to composer (PHP-only repo) - Remove PHP from CodeQL paths-ignore so security PRs get analysis - Remove committed .omc session artifacts, add .omc/ to .gitignore Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
The function was called via inline onClick, but it just bound another click handler - which never fired because the click event had already completed. Execute the POST directly in the function. Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Author
|
Converted to draft to serialize the stack in this repo. Blocked by #766; will un-draft after that merges to avoid cross-PR merge conflicts. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Automated defense-in-depth hardening for
plugin_thold, with the latest pass focused on concrete request-handling and output-encoding issues innotify_lists.php.drp_actionandidwhen they are reused in hidden form fieldsRLIKEfilter viadb_qstr()Test plan
php -l notify_lists.phpphp tests/unit/test_notify_list_security_guards.phpphp tests/integration/test_notify_list_wiring.phpphp tests/e2e/test_notify_list_no_raw_sql_or_form_reuse.phpNotes
This update is intentionally narrow. It does not attempt a broad rewrite of
notify_lists.php; it only removes the concrete raw SQL/form/JS reuse that remained live in the notify-list association flows.